From 4c7610ce6b2a25fe60781e506a9570144c82c182 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Wed, 25 Mar 2026 18:42:51 -0700
Subject: [PATCH] Add ClearCache to Authenticator

Used by Metacrypt when sealing to invalidate cached token validations.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 auth/auth.go | 7 +++++++
 auth/cache.go | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/auth/auth.go b/auth/auth.go
index 6264f13..6b03e0d 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -228,6 +228,13 @@ func (a *Authenticator) ValidateToken(token string) (*TokenInfo, error) {
 return info, nil
 }
 
+// ClearCache removes all cached token validation results. This should be
+// called when the service transitions to a state where cached tokens may
+// no longer be valid (e.g., Metacrypt sealing).
+func (a *Authenticator) ClearCache() {
+ a.cache.clear()
+}
+
 // Logout revokes a token on the MCIAS server.
 func (a *Authenticator) Logout(token string) error {
 req, err := http.NewRequestWithContext(context.Background(),
diff --git a/auth/cache.go b/auth/cache.go
index c6b19f3..1c46b88 100644
--- a/auth/cache.go
+++ b/auth/cache.go
@@ -53,6 +53,13 @@ func (c *validationCache) get(tokenHash string) (*TokenInfo, bool) {
 return entry.info, true
 }
 
+// clear removes all entries from the cache.
+func (c *validationCache) clear() {
+ c.mu.Lock()
+ c.entries = make(map[string]cacheEntry)
+ c.mu.Unlock()
+}
+
 // put stores TokenInfo in the cache with an expiration of now + TTL.
 func (c *validationCache) put(tokenHash string, info *TokenInfo) {
 c.mu.Lock()
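Review bot: The doc comment on `ClearCache` says when to call it but not what it leaves untouched, and a caller sealing a service could read it as a stronger guarantee than the code gives. The method only calls `a.cache.clear()`, so it drops local entries and nothing else; a token that MCIAS still accepts will presumably validate again on the next `ValidateToken` call (that function's body is outside the hunk). I would add a line such as `// It does not revoke tokens on the MCIAS server; it only forces the next ValidateToken call to re-validate remotely.` It is also worth stating that the method is safe for concurrent use, since `clear` in auth/cache.go takes `c.mu`.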
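Review bot: `clear` swaps the map under `c.mu`, but nothing stops a `put` that acquires the lock just after `clear` returns, so the cache is not guaranteed to stay empty once sealing has started. If `ValidateToken` misses the cache, validates remotely and then calls `put` (its body is not visible here), a validation that began before the seal can re-insert its entry afterwards. If the sealed state must hold no cached validations, either the caller has to stop validations before calling `ClearCache`, or the cache needs a flag or generation counter that `put` checks under the same lock. At minimum the comment should say so, e.g. `// Entries added by a concurrent put after clear returns are not removed.`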