Add account version tags to cookies (#5563)

* feat: add user account version to session cookie Co-authored-by: Copilot <copilot@github.com> * feat: include user handle in account version hash calculation * feat: refactor recovery code generation to use a dedicated function * fix: don't overwrite current session version if updating another user Co-authored-by: Copilot <copilot@github.com> * fix: reset session version instead of nullifying the entire session * fix: short circuit and clear cookie on request invalidation Co-authored-by: Copilot <copilot@github.com> * fix: update account version on recovery --------- Co-authored-by: Copilot <copilot@github.com>
2026-05-02 17:07:57 +03:00
parent 91c40280ed
commit c325c6d8e9
4 changed files with 49 additions and 3 deletions
@@ -41,6 +41,10 @@ declare global {
             * Authenticated user handle.
             */
            handle: string | null;
+            /**
+             * Account version tag: shake256 derivative of password hash and salt.
+             */
+            version: string | null;
            /**
             * Last time the session was extended.
             */