fix(security): revoke outstanding tokens on user role/group mutations and delete

hsiegeln
2026-04-29 10:14:14 +02:00
parent 22e10b639f
commit 2934b67f6b


@@ -150,6 +150,7 @@ public class UserAdminController {
@PathVariable UUID roleId,
HttpServletRequest httpRequest) {
rbacService.assignRoleToUser(userId, roleId);
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
auditService.log("assign_role_to_user", AuditCategory.USER_MGMT, userId,
Map.of("roleId", roleId), AuditResult.SUCCESS, httpRequest);
return ResponseEntity.ok().build();
@@ -162,6 +163,7 @@ public class UserAdminController {
@PathVariable UUID roleId,
HttpServletRequest httpRequest) {
rbacService.removeRoleFromUser(userId, roleId);
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
auditService.log("remove_role_from_user", AuditCategory.USER_MGMT, userId,
Map.of("roleId", roleId), AuditResult.SUCCESS, httpRequest);
return ResponseEntity.noContent().build();
@@ -174,6 +176,7 @@ public class UserAdminController {
@PathVariable UUID groupId,
HttpServletRequest httpRequest) {
rbacService.addUserToGroup(userId, groupId);
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
auditService.log("add_user_to_group", AuditCategory.USER_MGMT, userId,
Map.of("groupId", groupId), AuditResult.SUCCESS, httpRequest);
return ResponseEntity.ok().build();
@@ -186,6 +189,7 @@ public class UserAdminController {
@PathVariable UUID groupId,
HttpServletRequest httpRequest) {
rbacService.removeUserFromGroup(userId, groupId);
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
auditService.log("remove_user_from_group", AuditCategory.USER_MGMT, userId,
Map.of("groupId", groupId), AuditResult.SUCCESS, httpRequest);
return ResponseEntity.noContent().build();
@@ -202,6 +206,7 @@ public class UserAdminController {
if (isAdmin && rbacService.getEffectivePrincipalsForRole(SystemRole.ADMIN_ID).size() <= 1) {
throw new ResponseStatusException(HttpStatus.CONFLICT, "Cannot delete the last admin user");
}
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
userRepository.delete(userId);
auditService.log("delete_user", AuditCategory.USER_MGMT, userId,
null, AuditResult.SUCCESS, httpRequest);
@@ -231,7 +236,7 @@ public class UserAdminController {
}
userRepository.setPassword(userId, passwordEncoder.encode(request.password()));
// Revoke all existing tokens so the user must re-authenticate with the new password
userRepository.revokeTokensBefore(userId, Instant.now());
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
auditService.log("reset_password", AuditCategory.USER_MGMT, userId, null, AuditResult.SUCCESS, httpRequest);
return ResponseEntity.noContent().build();
}
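Review bot: The revocation cutoff `Instant.now().plusMillis(1)`, now repeated six times in this file, ties revocation correctness to the wall clock and to 1 ms resolution: a token issued on another node with slight clock skew, or whose issue timestamp is stored at coarser than millisecond granularity, can still compare as not-before the cutoff and survive, and nothing in the hunks records why the 1 ms nudge replaced the plain `Instant.now()` at old line 236 (presumably `revokeTokensBefore` treats the bound as exclusive). I would fold the six calls into one helper that carries the rationale, `private void revokeOutstandingTokens(UUID userId) { /* +1 ms: the cutoff is exclusive, so tokens issued in this same instant are caught too */ userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1)); }`, and consider a per-user token version/epoch bump in the repository instead of a timestamp comparison if tokens are issued from more than one node. In the four role/group handlers the revoke runs after the RBAC mutation with no transaction boundary visible, so an exception from `revokeTokensBefore` leaves the permission change applied, the old tokens valid and no audit entry written; if these handlers are not transactional, either revoke before the mutation or put both in one transaction. Each handler method starts before its hunk, so any `@Transactional` annotation is outside the view.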