fix(profile): stabilize binding compatibility and frontend checks

backend/internal/service/auth_email_binding.go

@@ -11,6 +11,7 @@ import (
 	dbent "github.com/Wei-Shaw/sub2api/ent"
 	"github.com/Wei-Shaw/sub2api/ent/authidentity"
 	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/logger"
 )
 
 // BindEmailIdentity verifies and binds a local email/password identity to the
@@ -69,6 +70,7 @@ func (s *AuthService) BindEmailIdentity(
 		if err := s.updateBoundEmailIdentityTx(ctx, currentUser, normalizedEmail, hashedPassword, firstRealEmailBind); err != nil {
 			return nil, err
 		}
+		s.revokeEmailIdentitySessions(ctx, userID)
 		return currentUser, nil
 	}
 
@@ -87,6 +89,7 @@ func (s *AuthService) BindEmailIdentity(
 		}
 	}
 
+	s.revokeEmailIdentitySessions(ctx, userID)
 	return currentUser, nil
 }
 
@@ -219,6 +222,12 @@ func (s *AuthService) updateBoundEmailIdentityWithClient(
 	return nil
 }
 
+func (s *AuthService) revokeEmailIdentitySessions(ctx context.Context, userID int64) {
+	if err := s.RevokeAllUserSessions(ctx, userID); err != nil {
+		logger.LegacyPrintf("service.auth", "[Auth] Failed to revoke refresh sessions after email identity bind for user %d: %v", userID, err)
+	}
+}
+
 func replaceBoundEmailAuthIdentityWithClient(
 	ctx context.Context,
 	client *dbent.Client,