Summary

• enforce a single active user session by invalidating older refresh sessions when a new login succeeds
• validate access credentials against the user's current stored access token so previous devices stop working immediately
• add regression coverage for stale access and refresh credentials after a second login

Why

Multiple devices could stay logged in after the refresh-token session work. The intended product behavior is to prevent simultaneous logins across devices, so a new login must invalidate the previous device's credentials.

Validation

• ./gradlew check
• manual dev-server retry after Apple login flow: confirmed login succeeds after re-test