fix(auth): enforce single-session with DB tokenVersion + heartbeat detection

Move single-session invalidation from cache-based token version checks to a database-backed, atomic tokenVersion flow to eliminate concurrent login race conditions. Add a global auth heartbeat (visibility-aware) so kicked sessions are detected within ~10s when the page is visible. Made-with: Cursor
2026-03-09 13:11:37 +08:00
parent 740ef8b526
commit 50657dd81f
10 changed files with 140 additions and 33 deletions
--- a/backend/prisma/schema.prisma
+++ b/backend/prisma/schema.prisma
@@ -42,6 +42,7 @@ model User {
  trialEndsAt         DateTime?        @map("trial_ends_at")
  isTrial             Boolean          @default(true) @map("is_trial")
  lastLoginAt         DateTime?        @map("last_login_at")
+  tokenVersion        Int              @default(0) @map("token_version")
  createdAt           DateTime         @default(now()) @map("created_at")
  updatedAt           DateTime         @updatedAt @map("updated_at")
  tenant_members      tenant_members[]