From ca192ced94d2d3c7715bbe3f360276b6ac7dc391 Mon Sep 17 00:00:00 2001
From: npmrun <1549469775@qq.com>
Date: Fri, 22 May 2026 16:52:01 +0800
Subject: [PATCH] fix(auth): O(n) session lookup -> direct DB query, init passwordHistory empty

Co-Authored-By: Claude Opus 4.7
---
 server/service/auth/index.ts | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/server/service/auth/index.ts b/server/service/auth/index.ts
index 00e0e82..a63e02a 100644
--- a/server/service/auth/index.ts
+++ b/server/service/auth/index.ts
@@ -47,7 +47,7 @@ export class AuthService {
 password: passwordHash,
 role: "user",
 status: "active",
- passwordHistory: JSON.stringify([passwordHash]),
+ passwordHistory: "[]",
 })
 .returning();

@@ -95,23 +95,18 @@ export class AuthService {
 refreshToken: string
 ): Promise<{ accessToken: string; newRefreshToken: string }> {
 // 查找有效 session
- const sessions = await dbGlobal
+ const [session] = await dbGlobal
 .select()
 .from(userSessions)
- .where(isNull(userSessions.revokedAt));
-
- let matchedSession: (typeof sessions)[0] | null = null;
- for (const s of sessions) {
- if (s.id === refreshToken && s.expiresAt > new Date()) {
- matchedSession = s;
- break;
- }
- }
+ .where(eq(userSessions.id, refreshToken))
+ .limit(1);

- if (!matchedSession) {
+ if (!session || session.revokedAt !== null || session.expiresAt <= new Date()) {
 throw { code: "SESSION_REVOKED", message: "Session 已失效" };
 }

+ const matchedSession = session;
+
 const [user] = await dbGlobal
 .select()
 .from(users)
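Review bot: With `passwordHistory: "[]"` the hash chosen at registration is no longer part of the stored history, so a reuse check that reads only `passwordHistory` would accept the same password again on the first change. Whether that can happen depends on the change-password path, which is not in this diff: it has to compare the candidate against the current `password` column as well, or push the outgoing hash into the history before comparing. A comment on the new line would record the invariant, for example `// previous hashes only; the current hash is in the password column and must be checked separately`. The enclosing insert call starts and ends outside the hunk.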
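Review bot: The new guard `if (!session || session.revokedAt !== null || session.expiresAt <= new Date())` folds a revoked session into the same path as an unknown or expired one, so a refresh token presented after revocation leaves no trace, although it is a replay indicator that the old `isNull(userSessions.revokedAt)` filter could never see. Keep the single `SESSION_REVOKED` response for the client, but handle the revoked case before the throw with a server-side audit record for the owning user, under a comment such as `// revoked token presented again: record as possible replay, then reject`; the row's `id` is the refresh token itself and should not be written to logs. The validity check is now a read followed by application-side tests, and the rest of the method lies outside the hunk, so confirm that the rotation further down revokes the old session with a conditional update rather than relying on this read; otherwise two concurrent refreshes could presumably both pass. `isNull` may also be left as an unused import if nothing else in the file uses it.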