feat: sign out of all sessions (#1797)

2025-11-14 16:51:38 +10:00 · 2025-06-11 07:57:38 +00:00
parent e3ce7f94e6
commit 400d2a2b1a
13 changed files with 608 additions and 35 deletions
--- a/packages/auth/server/lib/session/session.ts
+++ b/packages/auth/server/lib/session/session.ts
@ -2,6 +2,7 @@ import { sha256 } from '@oslojs/crypto/sha2';
 import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase } from '@oslojs/encoding';
 import { type Session, type User, UserSecurityAuditLogType } from '@prisma/client';

+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 import { prisma } from '@documenso/prisma';

@ -129,18 +130,46 @@ export const validateSessionToken = async (token: string): Promise<SessionValida
  return { session, user, isAuthenticated: true };
 };

-export const invalidateSession = async (
-  sessionId: string,
-  metadata: RequestMetadata,
-): Promise<void> => {
-  const session = await prisma.session.delete({ where: { id: sessionId } });
+type InvalidateSessionsOptions = {
+  userId: number;
+  sessionIds: string[];
+  metadata: RequestMetadata;
+  isRevoke?: boolean;
+};

-  await prisma.userSecurityAuditLog.create({
-    data: {
-      userId: session.userId,
-      ipAddress: metadata.ipAddress,
-      userAgent: metadata.userAgent,
-      type: UserSecurityAuditLogType.SIGN_OUT,
-    },
+export const invalidateSessions = async ({
+  userId,
+  sessionIds,
+  metadata,
+  isRevoke,
+}: InvalidateSessionsOptions): Promise<void> => {
+  if (sessionIds.length === 0) {
+    return;
+  }
+
+  await prisma.$transaction(async (tx) => {
+    const { count } = await tx.session.deleteMany({
+      where: {
+        userId,
+        id: { in: sessionIds },
+      },
+    });
+
+    if (count !== sessionIds.length) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST, {
+        message: 'One or more sessions are not valid.',
+      });
+    }
+
+    await tx.userSecurityAuditLog.createMany({
+      data: sessionIds.map(() => ({
+        userId,
+        ipAddress: metadata.ipAddress,
+        userAgent: metadata.userAgent,
+        type: isRevoke
+          ? UserSecurityAuditLogType.SESSION_REVOKED
+          : UserSecurityAuditLogType.SIGN_OUT,
+      })),
+    });
  });
 };
--- a/packages/auth/server/lib/utils/get-session.ts
+++ b/packages/auth/server/lib/utils/get-session.ts
@ -1,6 +1,8 @@
+import type { Session } from '@prisma/client';
 import type { Context } from 'hono';

 import { AppError } from '@documenso/lib/errors/app-error';
+import { prisma } from '@documenso/prisma';

 import { AuthenticationErrorCode } from '../errors/error-codes';
 import type { SessionValidationResult } from '../session/session';
@ -37,6 +39,33 @@ export const getOptionalSession = async (
  return await validateSessionToken(sessionId);
 };

+export type ActiveSession = Omit<Session, 'sessionToken'>;
+
+export const getActiveSessions = async (c: Context | Request): Promise<ActiveSession[]> => {
+  const { user } = await getSession(c);
+
+  return await prisma.session.findMany({
+    where: {
+      userId: user.id,
+      expiresAt: {
+        gt: new Date(),
+      },
+    },
+    orderBy: {
+      updatedAt: 'desc',
+    },
+    select: {
+      id: true,
+      userId: true,
+      expiresAt: true,
+      updatedAt: true,
+      createdAt: true,
+      ipAddress: true,
+      userAgent: true,
+    },
+  });
+};
+
 /**
 * Todo: (RR7) Rethink, this is pretty sketchy.
 */
--- a/packages/auth/server/routes/session.ts
+++ b/packages/auth/server/routes/session.ts
@ -2,7 +2,7 @@ import { Hono } from 'hono';
 import superjson from 'superjson';

 import type { SessionValidationResult } from '../lib/session/session';
-import { getOptionalSession } from '../lib/utils/get-session';
+import { getActiveSessions, getOptionalSession } from '../lib/utils/get-session';

 export const sessionRoute = new Hono()
  .get('/session', async (c) => {
@ -10,6 +10,11 @@ export const sessionRoute = new Hono()

    return c.json(session);
  })
+  .get('/sessions', async (c) => {
+    const sessions = await getActiveSessions(c);
+
+    return c.json(superjson.serialize({ sessions }));
+  })
  .get('/session-json', async (c) => {
    const session: SessionValidationResult = await getOptionalSession(c);

--- a/packages/auth/server/routes/sign-out.ts
+++ b/packages/auth/server/routes/sign-out.ts
@ -1,27 +1,114 @@
+import { sValidator } from '@hono/standard-validator';
 import { Hono } from 'hono';
+import { z } from 'zod';

-import { invalidateSession, validateSessionToken } from '../lib/session/session';
+import { prisma } from '@documenso/prisma';
+
+import { invalidateSessions, validateSessionToken } from '../lib/session/session';
 import { deleteSessionCookie, getSessionCookie } from '../lib/session/session-cookies';
 import type { HonoAuthContext } from '../types/context';

-export const signOutRoute = new Hono<HonoAuthContext>().post('/signout', async (c) => {
-  const metadata = c.get('requestMetadata');
-
-  const sessionId = await getSessionCookie(c);
-
-  if (!sessionId) {
-    return new Response('No session found', { status: 401 });
-  }
-
-  const { session } = await validateSessionToken(sessionId);
-
-  if (!session) {
-    return new Response('No session found', { status: 401 });
-  }
-
-  await invalidateSession(session.id, metadata);
-
-  deleteSessionCookie(c);
-
-  return c.status(200);
+const ZSignoutSessionSchema = z.object({
+  sessionId: z.string().trim().min(1),
 });
+
+export const signOutRoute = new Hono<HonoAuthContext>()
+  .post('/signout', async (c) => {
+    const metadata = c.get('requestMetadata');
+
+    const sessionToken = await getSessionCookie(c);
+
+    if (!sessionToken) {
+      return new Response('No session found', { status: 401 });
+    }
+
+    const { session } = await validateSessionToken(sessionToken);
+
+    if (!session) {
+      deleteSessionCookie(c);
+      return new Response('No session found', { status: 401 });
+    }
+
+    await invalidateSessions({
+      userId: session.userId,
+      sessionIds: [session.id],
+      metadata,
+      isRevoke: false,
+    });
+
+    deleteSessionCookie(c);
+
+    return c.status(200);
+  })
+  .post('/signout-all', async (c) => {
+    const metadata = c.get('requestMetadata');
+
+    const sessionToken = await getSessionCookie(c);
+
+    if (!sessionToken) {
+      return new Response('No session found', { status: 401 });
+    }
+
+    const { session } = await validateSessionToken(sessionToken);
+
+    if (!session) {
+      deleteSessionCookie(c);
+      return new Response('No session found', { status: 401 });
+    }
+
+    const userId = session.userId;
+
+    const userSessionIds = await prisma.session
+      .findMany({
+        where: {
+          userId,
+          id: {
+            not: session.id,
+          },
+        },
+        select: {
+          id: true,
+        },
+      })
+      .then((sessions) => sessions.map((session) => session.id));
+
+    await invalidateSessions({
+      userId,
+      sessionIds: userSessionIds,
+      metadata,
+      isRevoke: true,
+    });
+
+    return c.status(200);
+  })
+  .post('/signout-session', sValidator('json', ZSignoutSessionSchema), async (c) => {
+    const metadata = c.get('requestMetadata');
+
+    const { sessionId: sessionIdToRevoke } = c.req.valid('json');
+
+    const sessionToken = await getSessionCookie(c);
+
+    if (!sessionToken) {
+      return new Response('No session found', { status: 401 });
+    }
+
+    const { session } = await validateSessionToken(sessionToken);
+
+    if (!session) {
+      deleteSessionCookie(c);
+      return new Response('No session found', { status: 401 });
+    }
+
+    await invalidateSessions({
+      userId: session.userId,
+      sessionIds: [sessionIdToRevoke],
+      metadata,
+      isRevoke: true,
+    });
+
+    if (session.id === sessionIdToRevoke) {
+      deleteSessionCookie(c);
+    }
+
+    return c.status(200);
+  });