mirror of
https://github.com/langgenius/dify.git
synced 2026-05-20 08:46:57 +08:00
GET /openapi/v1/account/sessions lists the bearer's active OAuth tokens (filtered to revoked_at IS NULL, expires_at > NOW(), token_hash IS NOT NULL — no phantom devices). DELETE /openapi/v1/account/sessions/<id> revokes a specific session with a subject-match guard that returns 404 (not 403) on cross-subject so token IDs don't leak across subjects. Subject scoping abstracted into _subject_match(ctx): account subjects filter by account_id; external_sso subjects filter by (email, issuer) AND account_id IS NULL — preventing an SSO bearer from touching a same-email account row from a federated tenant. _revoke_token_by_id helper extracted so /sessions/self and /sessions/<id> share the same UPDATE-where-revoked_at-IS-NULL idempotent revoke + Redis cache invalidation. No /v1/ equivalents — these are new endpoints (spec §Sessions list shape). Plan: docs/superpowers/plans/2026-04-26-openapi-migration.md (in difyctl repo).
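An in-memory model of the listing and revocation rules described above (live-row filter, subject scoping for account vs. external_sso bearers, 404 on cross-subject ids, idempotent revoke with cache invalidation). This is an added illustration, not Dify's own code: the subject context is a plain dict, a dict stands in for the Redis cache, the sample rows are constructed, and 204 as the success status is an assumption the page does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
NOW = datetime(2026, 4, 26, tzinfo=timezone.utc)  # fixed clock for the constructed sample

@dataclass
class OAuthToken:
    id: str
    token_hash: Optional[str]       # None = phantom row, never listed
    account_id: Optional[str]       # None for federated (external_sso) bearers
    email: Optional[str] = None
    issuer: Optional[str] = None
    expires_at: datetime = NOW + timedelta(days=1)
    revoked_at: Optional[datetime] = None

def subject_match(tok: OAuthToken, ctx: dict) -> bool:
    """Models _subject_match(ctx); ctx is {"kind": "account"|"external_sso", ...} (assumed shape)."""
    if ctx["kind"] == "account":
        return tok.account_id == ctx["account_id"]
    if ctx["kind"] == "external_sso":   # (email, issuer) AND account_id IS NULL
        return tok.account_id is None and (tok.email, tok.issuer) == (ctx["email"], ctx["issuer"])
    return False

def list_sessions(tokens, ctx, now=NOW):
    """GET /sessions: only live, unrevoked rows that carry a token_hash."""
    return [t.id for t in tokens if subject_match(t, ctx)
            and t.revoked_at is None and t.expires_at > now and t.token_hash is not None]

def revoke_token_by_id(tokens, cache, ctx, token_id, now=NOW) -> int:
    """DELETE /sessions/<id>: 404 for unknown OR cross-subject ids (never 403), then an
    idempotent UPDATE ... WHERE revoked_at IS NULL and a cache drop. 204 on success is assumed."""
    for t in tokens:
        if t.id == token_id and subject_match(t, ctx):
            if t.revoked_at is None:        # second call updates nothing but still succeeds
                t.revoked_at = now
            cache.pop(t.token_hash, None)   # stands in for the Redis cache invalidation
            return 204
    return 404

def sample_tokens():
    """Constructed rows: acct-1 holds a live, a revoked, an expired and a phantom token;
    an SSO bearer with the same email has its own row with account_id NULL."""
    return [
        OAuthToken("t1", "h1", "acct-1", email="a@example.com"),
        OAuthToken("t2", "h2", "acct-1", revoked_at=NOW),
        OAuthToken("t3", "h3", "acct-1", expires_at=NOW - timedelta(hours=1)),
        OAuthToken("t4", None, "acct-1"),
        OAuthToken("t5", "h5", None, email="a@example.com", issuer="https://idp.example"),
    ]
```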