Expand cascade-revoke and replay-window coverage for companion sessions #11
Merged
SiteRelEnby merged 2 commits into main from Apr 28, 2026
Conversation
The first watchOS-refresh-token PR shipped with coverage of the basics
(mint, /logout cascade, solo revoke, change-password carve-out) but
missed several paths that the cascade contract has to honour, and a
report came back that paired devices still see refresh-related logouts.
Filling the obvious gaps so a backend regression here can't slip past
again:
* /sessions/{id} DELETE — same cascade as /logout, but a different
code path. Without it a fix to one path could regress the other
silently.
* /sessions/revoke-others — children of the calling session must
survive, children of revoked siblings must not. Previously only
the keep-the-watch half was covered.
* Grandchild cascade — the contract is recursive even though no
feature mints grandchildren today; future work will rely on it.
* Multiple children of one parent all cascade.
* Concurrent /refresh on a child token — the replay-window grace
that protects the phone has to apply to the watch too, otherwise
parallel refresh-rotation races on the watch nuke the session.
* Mint after parent session revoked — must 401, otherwise a stolen
access token outliving its session could spawn fresh refresh
JWTs indefinitely.
All ten companion-session tests pass; full main-config suite remains
green at 254 passed.
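As an added illustration of the contract those tests pin down (not code from this repository): a hypothetical in-memory session store with the recursive cascade shared by /logout and DELETE /sessions/{id}, the keep-set semantics of /sessions/revoke-others, the replay-window grace on refresh rotation, and the 401 on minting a child from a revoked parent. The class and method names (SessionStore, mint, rotate, revoke_others) and the rule that token reuse outside the window revokes the session are assumptions made for the example.

```python
import secrets
import time
class SessionStore:
    def __init__(self, replay_window_s=30.0, clock=time.monotonic):
        self.sessions = {}  # sid -> {"parent": sid | None, "revoked": bool}
        self.refresh = {}   # refresh token -> {"sid", "rotated_at", "next"}
        self.window, self.clock = replay_window_s, clock

    def mint(self, parent=None):
        # A child (watch) session may only be minted from a live parent (phone) session.
        if parent is not None and (parent not in self.sessions or self.sessions[parent]["revoked"]):
            raise PermissionError(401)
        sid, tok = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = {"parent": parent, "revoked": False}
        self.refresh[tok] = {"sid": sid, "rotated_at": None, "next": None}
        return sid, tok

    def subtree(self, sid):
        out = {sid}
        for s, m in self.sessions.items():
            if m["parent"] == sid:
                out |= self.subtree(s)  # recursive, so grandchildren are included
        return out

    def revoke(self, sid):
        # /logout and DELETE /sessions/{id} share one cascade: the whole subtree goes.
        for s in self.subtree(sid):
            self.sessions[s]["revoked"] = True

    def revoke_others(self, caller):
        # /sessions/revoke-others: the caller's subtree survives, every other session is revoked.
        keep = self.subtree(caller)
        for s in self.sessions:
            if s not in keep:
                self.sessions[s]["revoked"] = True

    def rotate(self, tok):
        # /refresh: reuse inside the replay window (parallel race) gets the same successor; later reuse is theft.
        rec = self.refresh.get(tok)
        if rec is None or self.sessions[rec["sid"]]["revoked"]:
            raise PermissionError(401)
        if rec["rotated_at"] is not None:
            if self.clock() - rec["rotated_at"] <= self.window:
                return rec["next"]
            self.revoke(rec["sid"])
            raise PermissionError(401)
        new = secrets.token_hex(16)
        self.refresh[new] = {"sid": rec["sid"], "rotated_at": None, "next": None}
        rec["rotated_at"], rec["next"] = self.clock(), new
        return new
```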