MHSanaei 42e2a91b92 fix(auth): invalidate other sessions when credentials change ... When the admin changes username/password from one machine, sessions on every other machine kept working until they manually logged out because session storage is a signed client-side cookie — there is no server-side session list to revoke. Add a per-user LoginEpoch counter stamped into the session at login and re-verified on every authenticated request. UpdateUser and UpdateFirstUser bump the epoch (UpdateUser via gorm.Expr so a single update statement is atomic), so any cookie issued before the change no longer matches the user's current epoch and GetLoginUser returns nil — the SPA's 401 interceptor then redirects to the login page. Backward compatible: the column defaults to 0 and missing cookie values are treated as 0, so sessions issued before this change remain valid until the first credential update.		2026-05-13 12:48:13 +02:00
..
model	fix(auth): invalidate other sessions when credentials change	2026-05-13 12:48:13 +02:00
db.go	feat(nodes): traffic-writer queue, full-mirror sync, WS event fixes	2026-05-10 16:25:23 +02:00