基于Redis失效标记，实现用户权限变更后强制重新登录

src/server/auth.ts

@@ -4,6 +4,7 @@ import type { User as NextAuthUser } from "next-auth"
 import CredentialsProvider from "next-auth/providers/credentials"
 import bcrypt from "bcryptjs"
 import { db } from "./db"
+import { clearSessionInvalidation, isSessionInvalidated } from "./service/session"
 
 export const authOptions: NextAuthOptions = {
   providers: [
@@ -49,6 +50,9 @@ export const authOptions: NextAuthOptions = {
             where: { id: user.id },
             data: { lastLoginAt: new Date() }
           })
+
+          // 清除会话失效标记（用户已重新登录，获得最新权限）
+          await clearSessionInvalidation(user.id)
   
           // 返回用户信息、角色和权限
           const roles = user.roles.map((r) => r.name)
@@ -98,10 +102,20 @@ export const authOptions: NextAuthOptions = {
           permissions: u.permissions,
           isSuperAdmin: u.isSuperAdmin,
         }
+      } else if (token.id) {
+        // 后续请求：检查会话是否已被标记失效
+        const invalidated = await isSessionInvalidated(token.id as string)
+        if (invalidated) {
+          token.sessionInvalid = true
+        }
       }
       return token
     },
     async session({ session, token }) {
+      // 会话已被标记失效，返回不含用户信息的session
+      if (token.sessionInvalid) {
+        return { expires: session.expires } as any
+      }
       // 将JWT token中的信息传递给session
       if (session.user) {
         const t = token as any