From 8446b0e1d4ee0802c7a6aeb7cbf8ec97ec0f3154 Mon Sep 17 00:00:00 2001
From: Harisreedhar <46858047+harisreedhar@users.noreply.github.com>
Date: Wed, 1 Apr 2026 12:49:41 +0530
Subject: [PATCH] fix refresh_session does not validate expiry before refreshing (#1071)
---
 facefusion/apis/endpoints/session.py | 2 +-
 tests/test_api_session.py | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/facefusion/apis/endpoints/session.py b/facefusion/apis/endpoints/session.py
index f86072f7..4936a2b5 100644
--- a/facefusion/apis/endpoints/session.py
+++ b/facefusion/apis/endpoints/session.py
@@ -48,7 +48,7 @@ async def refresh_session(request : Request) -> JSONResponse:
 body = await request.json()
 for session_id, session in session_manager.SESSIONS.items():
- if session.get('refresh_token') == body.get('refresh_token'):
+ if session.get('refresh_token') == body.get('refresh_token') and session_manager.validate_session(session_id):
 __session__ = session_manager.create_session()
 session_manager.set_session(session_id, __session__)
diff --git a/tests/test_api_session.py b/tests/test_api_session.py
index e9526635..fa9c58d8 100644
--- a/tests/test_api_session.py
+++ b/tests/test_api_session.py
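Review bot: The refresh-token match on the changed line is still a plain `==` between a stored credential and a client-supplied value, so the comparison time depends on how many leading characters agree; a constant-time compare is the usual choice for a credential check, e.g. `token = body.get('refresh_token')` before the loop and `if isinstance(token, str) and hmac.compare_digest(session.get('refresh_token'), token) and session_manager.validate_session(session_id):` in the loop, with `import hmac` added at the top of the file. The `isinstance` guard also makes explicit that a missing or non-string `refresh_token` in the body can never match, instead of relying on every stored session happening to carry one, and `hmac.compare_digest` raises `TypeError` on `None`. A session that fails `validate_session` here presumably stays in `session_manager.SESSIONS` after the request is rejected; whether expired entries are reaped elsewhere is not visible in this hunk, so a short comment on the new line stating that expired sessions are refused rather than removed would help the next reader. refresh_session's body starts before and continues after this hunk.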
@@ -130,6 +130,29 @@ def test_refresh_session(test_client : TestClient) -> None:
 assert refresh_session_response.status_code == 401
+ create_session_response = test_client.post('/session', json =
+ {
+ 'client_version': metadata.get('version')
+ })
+ create_session_body = create_session_response.json()
+
+ session_id = session_manager.find_session_id(create_session_body.get('access_token'))
+ session : Session = session_manager.get_session(session_id)
+ session_manager.set_session(session_id,
+ {
+ 'access_token': session.get('access_token'),
+ 'refresh_token': session.get('refresh_token'),
+ 'created_at': session.get('created_at'),
+ 'expires_at': session.get('expires_at') - timedelta(hours = 1)
+ })
+
+ refresh_session_response = test_client.put('/session', json =
+ {
+ 'refresh_token': create_session_body.get('refresh_token')
+ })
+
+ assert refresh_session_response.status_code == 401
+
 def test_destroy_session(test_client : TestClient) -> None:
 create_session_response = test_client.post('/session', json =