auth: force disconnect realtime on revoke-all sessions

tests/test_auth_flow.py

@@ -78,3 +78,40 @@ async def test_refresh_token_rotation(client, db_session):
 
     old_refresh_reuse = await client.post("/api/v1/auth/refresh", json={"refresh_token": refresh_token})
     assert old_refresh_reuse.status_code == 401
+
+
+async def test_revoke_all_sessions_invalidates_access_and_refresh(client, db_session):
+    payload = {
+        "email": "carol@example.com",
+        "name": "Carol",
+        "username": "carol",
+        "password": "strongpass123",
+    }
+    await client.post("/api/v1/auth/register", json=payload)
+    token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
+    verify_token = token_row.scalar_one().token
+    await client.post("/api/v1/auth/verify-email", json={"token": verify_token})
+
+    login_response = await client.post(
+        "/api/v1/auth/login",
+        json={"email": payload["email"], "password": payload["password"]},
+    )
+    assert login_response.status_code == 200
+    tokens = login_response.json()
+    access_token = tokens["access_token"]
+    refresh_token = tokens["refresh_token"]
+
+    revoke_all_response = await client.delete(
+        "/api/v1/auth/sessions",
+        headers={"Authorization": f"Bearer {access_token}"},
+    )
+    assert revoke_all_response.status_code == 204
+
+    me_response = await client.get(
+        "/api/v1/auth/me",
+        headers={"Authorization": f"Bearer {access_token}"},
+    )
+    assert me_response.status_code == 401
+
+    refresh_response = await client.post("/api/v1/auth/refresh", json={"refresh_token": refresh_token})
+    assert refresh_response.status_code == 401