fix: prevent ghost memberships from soft-deleted users

2026-06-10 05:30:24 +00:00
parent 05589ce442
commit a6d74d9316
4 changed files with 61 additions and 15 deletions
+7
@@ -105,6 +105,7 @@ class UserService:
- Session (all active sessions killed)
- OIDCAuthCode (pending auth codes invalidated)
- OIDCRefreshToken (refresh tokens invalidated)
- OAuthState (OAuth flow states invalidated)
- OIDCSession (OIDC sessions killed)
- OIDCTokenMetadata (token metadata hidden)
@@ -120,6 +121,7 @@ class UserService:
"""
from datetime import datetime, timezone
from gatehouse_app.extensions import db as _db
from gatehouse_app.models.auth.authentication_method import OAuthState
if soft:
now = datetime.now(timezone.utc)
@@ -169,6 +171,11 @@ class UserService:
pass
cert.deleted_at = now
# --- OAuth states -----------------------------------------------
OAuthState.query.filter_by(user_id=user.id).filter(
OAuthState.deleted_at == None
).update({"deleted_at": now}, synchronize_session=False)
# --- Sessions ---------------------------------------------------
for session in user.sessions:
if session.deleted_at is None: