fix: 修复 JWT 幽灵令牌漏洞，新增 Dify 权限过滤服务

inventory-backend/app/services/auth_service.py

@@ -1,6 +1,6 @@
 # app/services/auth_service.py
 from app.models.system import SysUser, SysRolePermission # <== 引入 SysRolePermission
-from app.extensions import db, redis_client
+from app.extensions import db, redis_client, revoke_all_tokens_for_user
 from sqlalchemy import func
 from flask_jwt_extended import create_access_token, create_refresh_token, get_jwt_identity
 from flask import current_app
@@ -334,7 +334,11 @@ class AuthService:
             user.email = email
 
         if 'status' in data:
-            user.status = data['status']
+            new_status = data['status']
+            # ★ 幽灵令牌漏洞修复：用户被禁用时，立即吊销其所有 Token
+            if new_status != 'active' and user.status == 'active':
+                revoke_all_tokens_for_user(user_id)
+            user.status = new_status
 
         new_password = data.get('password')
         if new_password and str(new_password).strip():
@@ -353,7 +357,7 @@ class AuthService:
 
     @staticmethod
     def delete_user(user_id, operator_role):
-        """删除用户"""
+        """删除用户：删除前自动吊销该用户所有 JWT Token"""
         # 标准化操作者角色为全大写
         operator_role_upper = operator_role.upper() if operator_role else None
         if operator_role_upper != UserRole.SUPER_ADMIN:
@@ -365,6 +369,18 @@ class AuthService:
 
         # 提前获取用户名用于审计日志
         username = user.username
+
+        # ★ 幽灵令牌漏洞修复：删除用户前，先将 user_id 加入 JWT 黑名单
+        # 效果：该用户持有的所有 Token 瞬间失效，无论是否已过期
+        revoke_all_tokens_for_user(user_id)
+
+        # 清除 Redis 中的单设备登录 Token（防止残留）
+        if redis_client is not None:
+            try:
+                redis_client.delete(f"user_token_{user_id}")
+            except Exception as e:
+                current_app.logger.warning(f"Failed to delete user token from Redis: {e}")
+
         db.session.delete(user)
         db.session.commit()
         return username