feat: enforce API token revocation at transactor level

Embed apiTokenId in JWT extra field and add a per-token revocation
cache (60s TTL) in the transactor REST handler. Revoked tokens are
now rejected within ~60 seconds instead of remaining valid until
JWT expiry.

Adds checkApiTokenRevoked account service method for the transactor
to query individual token revocation status.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: dnplkndll

foundations/core/packages/account-client/src/client.ts

@@ -259,6 +259,7 @@ export interface AccountClient {
   revokeApiToken: (tokenId: string) => Promise<void>
   listWorkspaceApiTokens: (workspaceUuid: WorkspaceUuid) => Promise<ApiTokenInfo[]>
   revokeWorkspaceApiToken: (tokenId: string, workspaceUuid: WorkspaceUuid) => Promise<void>
+  checkApiTokenRevoked: (apiTokenId: string) => Promise<boolean>
 
   setCookie: () => Promise<void>
   deleteCookie: () => Promise<void>
@@ -1251,6 +1252,15 @@ class AccountClientImpl implements AccountClient {
     await this.rpc(request)
   }
 
+  async checkApiTokenRevoked (apiTokenId: string): Promise<boolean> {
+    const request = {
+      method: 'checkApiTokenRevoked' as const,
+      params: { apiTokenId }
+    }
+
+    return await this.rpc(request)
+  }
+
   async setCookie (): Promise<void> {
     const url = concatLink(this.url, '/cookie')
     const response = await fetch(url, { ...this.request, method: 'PUT' })

pods/server/src/rpc.ts

@@ -129,6 +129,35 @@ async function sendJson (
   res.end(body)
 }
 
+// ── API Token Revocation Cache ──────────────────────────────────────
+// Per-token cache with 60s TTL. Once a token is confirmed revoked it
+// stays cached permanently (revocation is irreversible). Non-revoked
+// tokens are re-checked every TTL interval.
+const REVOCATION_CACHE_TTL_MS = 60_000
+const revocationCache = new Map<string, { revoked: boolean, checkedAt: number }>()
+
+async function isApiTokenRevoked (apiTokenId: string, accountClient: AccountClient): Promise<boolean> {
+  const now = Date.now()
+  const cached = revocationCache.get(apiTokenId)
+
+  // Permanently cached once revoked
+  if (cached?.revoked === true) return true
+
+  // Re-check if stale or missing
+  if (cached == null || now - cached.checkedAt > REVOCATION_CACHE_TTL_MS) {
+    try {
+      const revoked = await accountClient.checkApiTokenRevoked(apiTokenId)
+      revocationCache.set(apiTokenId, { revoked, checkedAt: now })
+      return revoked
+    } catch {
+      // If we can't reach the account service, use stale cache or allow
+      return cached?.revoked ?? false
+    }
+  }
+
+  return cached.revoked
+}
+
 export function registerRPC (app: Express, sessions: SessionManager, ctx: MeasureContext, accountsUrl: string): void {
   const rpcSessions = new Map<string, RPCClientInfo>()
 
@@ -167,6 +196,15 @@ export function registerRPC (app: Express, sessions: SessionManager, ctx: Measur
         return
       }
 
+      // Reject revoked API tokens (cached check, ~60s TTL)
+      const apiTokenId = decodedToken.extra?.apiTokenId
+      if (apiTokenId !== undefined) {
+        if (await isApiTokenRevoked(apiTokenId, getAccountClient(token))) {
+          sendError(res, 401, { message: 'Token has been revoked' })
+          return
+        }
+      }
+
       // Roadmap: enforce token scopes here. When ApiToken gains a scopes field
       // (see server/account/src/types.ts), check decodedToken.extra?.scopes against
       // the `method` parameter to reject disallowed operations (e.g. reject 'tx'

server/account/src/operations.ts

@@ -2421,7 +2421,7 @@ async function createApiToken (
   const expSec = Math.floor(expiresOn / 1000)
 
   const id = randomUUID()
-  const apiToken = generateToken(account, workspaceUuid, undefined, undefined, { exp: expSec })
+  const apiToken = generateToken(account, workspaceUuid, { apiTokenId: id }, undefined, { exp: expSec })
 
   await db.apiToken.insertOne({
     id,
@@ -2499,6 +2499,25 @@ async function revokeApiToken (
   ctx.info('API token revoked', { tokenId, account })
 }
 
+/**
+ * Checks if a specific API token has been revoked.
+ * Used by the transactor to enforce revocation at the request level.
+ */
+async function checkApiTokenRevoked (
+  ctx: MeasureContext,
+  db: AccountDB,
+  branding: Branding | null,
+  token: string,
+  params: { apiTokenId: string }
+): Promise<boolean> {
+  const { apiTokenId } = params
+  const existing = await db.apiToken.findOne({ id: apiTokenId })
+  if (existing == null) {
+    return true // Unknown token treated as revoked
+  }
+  return existing.revoked
+}
+
 /**
  * Lists all API tokens for a workspace. Requires OWNER role.
  * Returns tokens from all members, with account UUIDs for attribution.
@@ -3264,6 +3283,7 @@ export type AccountMethods =
   | 'revokeApiToken'
   | 'listWorkspaceApiTokens'
   | 'revokeWorkspaceApiToken'
+  | 'checkApiTokenRevoked'
 
 /**
  * @public
@@ -3331,6 +3351,7 @@ export function getMethods (hasSignUp: boolean = true): Partial<Record<AccountMe
     revokeApiToken: wrap(revokeApiToken),
     listWorkspaceApiTokens: wrap(listWorkspaceApiTokens),
     revokeWorkspaceApiToken: wrap(revokeWorkspaceApiToken),
+    checkApiTokenRevoked: wrap(checkApiTokenRevoked),
 
     /* READ OPERATIONS */
     getRegionInfo: wrap(getRegionInfo),