From fd788684b96ff8a731f56079da419b29c6e232c3 Mon Sep 17 00:00:00 2001
From: HydroSulphide
Date: Tue, 10 Mar 2026 08:38:32 +0100
Subject: [PATCH] fix: TOCTOU race condition allows duplicate refresh token use

---
 backend/handler/auth/base_handler.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/backend/handler/auth/base_handler.py b/backend/handler/auth/base_handler.py
index 9847b289a..8a07ecadf 100644
--- a/backend/handler/auth/base_handler.py
+++ b/backend/handler/auth/base_handler.py
@@ -310,7 +310,7 @@ class OAuthHandler:
             raise OAuthCredentialsException
 
         jti = payload.claims.get("jti")
-        if not jti or redis_client.get(f"refresh-jti:{jti}") != b"valid":
+        if not jti or redis_client.getdel(f"refresh-jti:{jti}") != b"valid":
             raise OAuthCredentialsException
 
         username = payload.claims.get("sub")
@@ -323,8 +323,6 @@ class OAuthHandler:
 
         if not user.enabled:
             raise UserDisabledException
-
-        redis_client.delete(f"refresh-jti:{jti}")
         return user, payload.claims
 
     async def get_current_active_user_from_bearer_token(self, token: str):
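Review bot: The swap to `getdel` on the `if not jti or redis_client.getdel(f"refresh-jti:{jti}") != b"valid":` line makes the single-use check atomic, but neither the reason nor the Redis 6.2+ requirement of GETDEL is recorded, and on an older server the call raises and every refresh fails closed; suggest `# GETDEL atomically consumes the single-use refresh jti (requires Redis >= 6.2)` above that line. Because the consume now precedes the user lookup and the `user.enabled` check removed from in the second hunk, any failure after it burns the token and forces re-authentication, which is the safe direction but deserves a sentence in the method's docstring; the enclosing method starts above the hunk. Consider also distinguishing a well-formed jti whose key is already gone from a missing claim when raising OAuthCredentialsException, since the former is the replay signal an operator would want to log and alert on.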