fix: address all review findings from PR #89

High:
- Token revocation now invalidates active sessions immediately. Sessions
  track source_token_id; revoke/delete/scope-change calls
  _invalidate_token_sessions() to purge both in-memory and DB sessions.
- Migration 010 stamping checks all 3 artifacts (viewer_tokens,
  app_settings, viewer_accounts.no_download) before stamping complete.

Medium-High:
- no_download and source_token_id persisted in viewer_sessions table.
  save_session() stores both; _viewer_session_to_dict() returns both;
  _resolve_session() restores them on DB fallback/restart.

Medium:
- create_viewer() now reads and passes is_active and no_download from
  request body to create_viewer_account().
- no_download no longer breaks inline media. Only explicit downloads
  (download=1 query param) and exports are blocked. Frontend hides
  download buttons for restricted users.
- Token expiry timezone fixed: frontend converts datetime-local to
  UTC ISO before sending.

Low-Medium:
- Audit log filter uses startswith() instead of exact match, so
  "viewer_updated" matches "viewer_updated:username".

Standards:
- Version bumped to 7.2.0 in pyproject.toml and src/__init__.py
- SECURITY.md: added 7.x.x as supported
- pyproject.toml: added viewer optional dep group for Pillow
- CHANGELOG updated with all security/fix entries

Tests (12 new):
- Token revocation invalidates sessions (revoke, delete, scope change)
- Label-only update preserves sessions
- no_download blocks explicit download but allows inline
- no_download blocks export
- no_download persisted via save_session
- source_token_id persisted and tracked
- no_download restored from DB session
- create_viewer passes no_download and is_active flags

Author: GeiserX

SECURITY.md

@@ -4,6 +4,7 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
+| 7.x.x  | :white_check_mark: |
 | 6.x.x  | :white_check_mark: |
 | 5.x.x  | :x:                |
 | < 5.0   | :x:                |

alembic/versions/20260310_010_add_tokens_settings_no_download.py

@@ -1,9 +1,10 @@
-"""Add viewer tokens, app settings, and no_download columns (v7.2.0).
+"""Add viewer tokens, app settings, session fields, and no_download columns (v7.2.0).
 
 Creates:
 1. viewer_tokens table for share-token authentication
 2. app_settings table for cross-container configuration
 3. no_download column on viewer_accounts
+4. no_download + source_token_id columns on viewer_sessions
 
 Revision ID: 010
 Revises: 009
@@ -70,8 +71,22 @@ def upgrade() -> None:
     if "no_download" not in existing_va_cols:
         op.add_column("viewer_accounts", sa.Column("no_download", sa.Integer(), server_default="0", nullable=True))
 
+    # -- no_download and source_token_id columns on viewer_sessions --
+    if "viewer_sessions" in existing_tables:
+        existing_vs_cols = {c["name"] for c in inspector.get_columns("viewer_sessions")}
+        if "no_download" not in existing_vs_cols:
+            op.add_column("viewer_sessions", sa.Column("no_download", sa.Integer(), server_default="0", nullable=True))
+        if "source_token_id" not in existing_vs_cols:
+            op.add_column("viewer_sessions", sa.Column("source_token_id", sa.Integer(), nullable=True))
+        existing_vs_indexes = {idx["name"] for idx in inspector.get_indexes("viewer_sessions")}
+        if "idx_viewer_sessions_source_token" not in existing_vs_indexes:
+            op.create_index("idx_viewer_sessions_source_token", "viewer_sessions", ["source_token_id"])
+
 
 def downgrade() -> None:
+    op.drop_index("idx_viewer_sessions_source_token", table_name="viewer_sessions")
+    op.drop_column("viewer_sessions", "source_token_id")
+    op.drop_column("viewer_sessions", "no_download")
     op.drop_column("viewer_accounts", "no_download")
     op.drop_table("app_settings")
     op.drop_index("idx_viewer_tokens_is_revoked", table_name="viewer_tokens")

docs/CHANGELOG.md

@@ -11,24 +11,35 @@ For upgrade instructions, see [Upgrading](#upgrading) at the bottom.
 ### Added
 
 - **Share tokens** — Admins can create link-shareable tokens scoped to specific chats. Recipients authenticate via token without needing an account. Tokens support expiry dates, revocation, and use tracking
-- **Download restrictions** — `no_download` flag on both viewer accounts and share tokens. Server-side enforcement blocks media file downloads (avatars and thumbnails remain accessible)
+- **Download restrictions** — `no_download` flag on both viewer accounts and share tokens. Restricted users can still view media inline but cannot explicitly download files or export chat history. Download buttons hidden in the UI for restricted users
 - **On-demand thumbnails** — WebP thumbnail generation at whitelisted sizes (200px, 400px) with disk caching under `{media_root}/.thumbs/`. Includes Pillow decompression bomb protection and path traversal guards
 - **App settings** — Key-value `app_settings` table for cross-container configuration, with admin CRUD endpoints
-- **Audit log improvements** — Action-based filtering in admin panel, token auth events tracked (`token_auth_success`, `token_auth_failed`, `token_created`, etc.)
+- **Audit log improvements** — Action-based filtering in admin panel (prefix match for suffixed events like `viewer_updated:username`), token auth events tracked (`token_auth_success`, `token_auth_failed`, `token_created`, etc.)
 - **Admin chat picker metadata** — Chat picker now returns `username`, `first_name`, `last_name` for better display
 - **Token management UI** — New "Share Tokens" tab in admin panel with create, revoke, and delete controls. Plaintext token shown once at creation with copy button
 - **Token login UI** — Login page has a "Share Token" tab for token-based authentication
 
+### Security
+
+- **Token revocation enforced on active sessions** — Revoking, deleting, or changing scope/permissions of a share token immediately invalidates all sessions created from that token. Sessions track `source_token_id` for precise invalidation
+- **Session persistence includes restrictions** — `no_download` and `source_token_id` are now persisted in `viewer_sessions` table, surviving container restarts. Previously `no_download` was lost after restart, silently granting download access
+- **Export endpoint respects no_download** — The `GET /api/chats/{chat_id}/export` endpoint now returns 403 for restricted users
+
 ### Fixed
 
-- **Python 2 except syntax** — Fixed `except X, Y:` patterns (valid but semantically wrong in Python 3.14 — catches X and binds to Y instead of catching both) to `except (X, Y):` throughout `main.py`
+- **Create viewer passes all flags** — `is_active` and `no_download` from the admin form are now correctly passed through to `create_viewer_account()`. Previously both flags were silently ignored on creation
+- **Token expiry timezone handling** — Frontend now converts local datetime to UTC ISO before sending to the backend, fixing early/late expiry for non-UTC admins
+- **Audit filter matches suffixed actions** — Filter now uses prefix matching so "viewer_updated" catches "viewer_updated:username"
+- **Migration stamping checks all artifacts** — Entrypoint now checks `viewer_tokens`, `app_settings`, AND `viewer_accounts.no_download` before stamping migration 010 as complete
 
 ### Changed
 
-- **Migration 010** — Consolidated idempotent migration creates `viewer_tokens`, `app_settings` tables and adds `no_download` column to `viewer_accounts`
-- **Entrypoint stamping** — Updated both PostgreSQL and SQLite stamping blocks to detect migration 010 artifacts
+- **Migration 010** — Consolidated idempotent migration creates `viewer_tokens`, `app_settings` tables and adds `no_download` column to `viewer_accounts`. Also adds `no_download` and `source_token_id` columns to `viewer_sessions`
+- **Entrypoint stamping** — Updated both PostgreSQL and SQLite stamping blocks to detect all migration 010 artifacts
 - **Dockerfile.viewer** — Added Pillow system dependencies (libjpeg, libwebp) for thumbnail generation
-- **requirements-viewer.txt** — Added `Pillow>=10.0.0`
+- **Version declarations** — `pyproject.toml` and `src/__init__.py` both set to 7.2.0
+- **SECURITY.md** — Added 7.x.x as a supported version
+- **pyproject.toml** — Added `viewer` optional dependency group for Pillow
 
 ## [7.1.3] - 2026-03-05
 

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "telegram-archive"
-version = "7.1.3"
+version = "7.2.0"
 description = "Automated Telegram backup with Docker. Performs incremental backups of messages and media on a configurable schedule."
 readme = "README.md"
 requires-python = ">=3.14"
@@ -43,6 +43,9 @@ dependencies = [
 ]
 
 [project.optional-dependencies]
+viewer = [
+    "Pillow>=10.0.0",  # v7.2.0: thumbnail generation
+]
 dev = [
     "pytest>=7.0",
     "pytest-asyncio>=0.21.0",

scripts/entrypoint.sh

@@ -81,14 +81,29 @@ if has_tables and not has_alembic:
             CONSTRAINT alembic_version_pkc PRIMARY KEY (version_num)
         );
     \"\"\")
-    # Check if viewer_tokens table exists (added in migration 010)
+    # Check all artifacts from migration 010: viewer_tokens, app_settings, viewer_accounts.no_download
     cur.execute(\"\"\"
         SELECT EXISTS (
             SELECT FROM information_schema.tables
             WHERE table_name = 'viewer_tokens'
         );
     \"\"\")
-    has_010_table = cur.fetchone()[0]
+    has_010_tokens = cur.fetchone()[0]
+    cur.execute(\"\"\"
+        SELECT EXISTS (
+            SELECT FROM information_schema.tables
+            WHERE table_name = 'app_settings'
+        );
+    \"\"\")
+    has_010_settings = cur.fetchone()[0]
+    cur.execute(\"\"\"
+        SELECT EXISTS (
+            SELECT FROM information_schema.columns
+            WHERE table_name = 'viewer_accounts' AND column_name = 'no_download'
+        );
+    \"\"\")
+    has_010_no_download = cur.fetchone()[0]
+    has_010_all = has_010_tokens and has_010_settings and has_010_no_download
 
     # Check if viewer_sessions table exists (added in migration 009)
     cur.execute(\"\"\"
@@ -154,7 +169,7 @@ if has_tables and not has_alembic:
     has_push_subs = cur.fetchone()[0]
 
     # Determine which version to stamp based on existing schema
-    if has_010_table:
+    if has_010_all:
         stamp_version = '010'
     elif has_009_table:
         stamp_version = '009'
@@ -223,9 +238,15 @@ if has_tables and not has_alembic:
         )
     ''')
 
-    # Check if viewer_tokens table exists (added in migration 010)
+    # Check all artifacts from migration 010: viewer_tokens, app_settings, viewer_accounts.no_download
     cur.execute(\"SELECT name FROM sqlite_master WHERE type='table' AND name='viewer_tokens'\")
-    has_010_table = cur.fetchone() is not None
+    has_010_tokens = cur.fetchone() is not None
+    cur.execute(\"SELECT name FROM sqlite_master WHERE type='table' AND name='app_settings'\")
+    has_010_settings = cur.fetchone() is not None
+    cur.execute(\"PRAGMA table_info(viewer_accounts)\")
+    va_columns = {row[1] for row in cur.fetchall()}
+    has_010_no_download = 'no_download' in va_columns
+    has_010_all = has_010_tokens and has_010_settings and has_010_no_download
 
     # Check if viewer_sessions table exists (added in migration 009)
     cur.execute(\"SELECT name FROM sqlite_master WHERE type='table' AND name='viewer_sessions'\")
@@ -258,7 +279,7 @@ if has_tables and not has_alembic:
     has_push_subs = cur.fetchone() is not None
 
     # Determine which version to stamp based on existing schema
-    if has_010_table:
+    if has_010_all:
         stamp_version = '010'
     elif has_009_table:
         stamp_version = '009'

src/__init__.py

@@ -2,4 +2,4 @@
 Telegram Backup Automation - Main Package
 """
 
-__version__ = "7.0.3"
+__version__ = "7.2.0"

src/db/adapter.py

@@ -1680,6 +1680,8 @@ async def create_viewer_account(
         salt: str,
         allowed_chat_ids: str | None = None,
         created_by: str | None = None,
+        is_active: int = 1,
+        no_download: int = 0,
     ) -> dict[str, Any]:
         """Create a new viewer account. Returns the created account dict."""
         async with self.db_manager.async_session_factory() as session:
@@ -1689,6 +1691,8 @@ async def create_viewer_account(
                 salt=salt,
                 allowed_chat_ids=allowed_chat_ids,
                 created_by=created_by,
+                is_active=is_active,
+                no_download=no_download,
             )
             session.add(account)
             await session.commit()
@@ -1786,7 +1790,7 @@ async def get_audit_logs(
             if username:
                 stmt = stmt.where(ViewerAuditLog.username == username)
             if action:
-                stmt = stmt.where(ViewerAuditLog.action == action)
+                stmt = stmt.where(ViewerAuditLog.action.startswith(action))
             stmt = stmt.limit(limit).offset(offset)
             result = await session.execute(stmt)
             return [
@@ -1817,31 +1821,29 @@ async def save_session(
         allowed_chat_ids: str | None,
         created_at: float,
         last_accessed: float,
+        no_download: int = 0,
+        source_token_id: int | None = None,
     ) -> None:
         """Save or update a session in the database."""
         async with self.db_manager.async_session_factory() as session:
+            values = {
+                "token": token,
+                "username": username,
+                "role": role,
+                "allowed_chat_ids": allowed_chat_ids,
+                "no_download": no_download,
+                "source_token_id": source_token_id,
+                "created_at": created_at,
+                "last_accessed": last_accessed,
+            }
             if self._is_sqlite:
-                stmt = sqlite_insert(ViewerSession).values(
-                    token=token,
-                    username=username,
-                    role=role,
-                    allowed_chat_ids=allowed_chat_ids,
-                    created_at=created_at,
-                    last_accessed=last_accessed,
-                )
+                stmt = sqlite_insert(ViewerSession).values(**values)
                 stmt = stmt.on_conflict_do_update(
                     index_elements=["token"],
                     set_={"last_accessed": last_accessed},
                 )
             else:
-                stmt = pg_insert(ViewerSession).values(
-                    token=token,
-                    username=username,
-                    role=role,
-                    allowed_chat_ids=allowed_chat_ids,
-                    created_at=created_at,
-                    last_accessed=last_accessed,
-                )
+                stmt = pg_insert(ViewerSession).values(**values)
                 stmt = stmt.on_conflict_do_update(
                     index_elements=["token"],
                     set_={"last_accessed": last_accessed},
@@ -1889,13 +1891,23 @@ async def cleanup_expired_sessions(self, max_age_seconds: float) -> int:
             await session.commit()
             return result.rowcount
 
+    @retry_on_locked()
+    async def delete_sessions_by_source_token_id(self, token_id: int) -> int:
+        """Delete all sessions created from a specific share token."""
+        async with self.db_manager.async_session_factory() as session:
+            result = await session.execute(delete(ViewerSession).where(ViewerSession.source_token_id == token_id))
+            await session.commit()
+            return result.rowcount
+
     @staticmethod
     def _viewer_session_to_dict(row: ViewerSession) -> dict[str, Any]:
         return {
             "token": row.token,
             "username": row.username,
             "role": row.role,
             "allowed_chat_ids": row.allowed_chat_ids,
+            "no_download": row.no_download,
+            "source_token_id": row.source_token_id,
             "created_at": row.created_at,
             "last_accessed": row.last_accessed,
         }

src/db/models.py

@@ -381,14 +381,17 @@ class ViewerSession(Base):
 
     token: Mapped[str] = mapped_column(String(64), primary_key=True)
     username: Mapped[str] = mapped_column(String(255), nullable=False)
-    role: Mapped[str] = mapped_column(String(20), nullable=False)  # "master" or "viewer"
+    role: Mapped[str] = mapped_column(String(20), nullable=False)  # "master", "viewer", or "token"
     allowed_chat_ids: Mapped[str | None] = mapped_column(Text)  # JSON array or NULL = all chats
+    no_download: Mapped[int] = mapped_column(Integer, default=0, server_default="0")  # v7.2.0
+    source_token_id: Mapped[int | None] = mapped_column(Integer)  # v7.2.0: FK to viewer_tokens.id for revocation
     created_at: Mapped[float] = mapped_column(Float, nullable=False)
     last_accessed: Mapped[float] = mapped_column(Float, nullable=False)
 
     __table_args__ = (
         Index("idx_viewer_sessions_username", "username"),
         Index("idx_viewer_sessions_created_at", "created_at"),
+        Index("idx_viewer_sessions_source_token", "source_token_id"),
     )