forked from cardosofelipe/fast-next-template
e19026453f
- Introduced session management endpoints to list, revoke, and cleanup sessions per user. - Added cron-based job for periodic cleanup of expired sessions. - Implemented `CRUDSession` for session-specific database operations. - Integrated session cleanup startup and shutdown events in the application lifecycle. - Enhanced CORS configuration to include `X-Device-Id` for session tracking. - Added comprehensive integration tests for multi-device login, per-device logout, session listing, and cleanup logic.
252 lines
7.4 KiB
Python
252 lines
7.4 KiB
Python
"""
|
|
Session management endpoints.
|
|
|
|
Allows users to view and manage their active sessions across devices.
|
|
"""
|
|
import logging
|
|
from typing import Any, List
|
|
from uuid import UUID
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException, status, Request
|
|
from slowapi import Limiter
|
|
from slowapi.util import get_remote_address
|
|
from sqlalchemy.orm import Session
|
|
|
|
from app.api.dependencies.auth import get_current_user
|
|
from app.core.database import get_db
|
|
from app.core.auth import decode_token
|
|
from app.models.user import User
|
|
from app.schemas.sessions import SessionResponse, SessionListResponse
|
|
from app.schemas.common import MessageResponse
|
|
from app.crud.session import session as session_crud
|
|
from app.core.exceptions import NotFoundError, AuthorizationError, ErrorCode
|
|
|
|
router = APIRouter()
|
|
logger = logging.getLogger(__name__)
|
|
|
|
# Initialize limiter
|
|
limiter = Limiter(key_func=get_remote_address)
|
|
|
|
|
|
@router.get(
|
|
"/me",
|
|
response_model=SessionListResponse,
|
|
summary="List My Active Sessions",
|
|
description="""
|
|
Get a list of all active sessions for the current user.
|
|
|
|
This shows where you're currently logged in.
|
|
|
|
**Rate Limit**: 30 requests/minute
|
|
""",
|
|
operation_id="list_my_sessions"
|
|
)
|
|
@limiter.limit("30/minute")
|
|
def list_my_sessions(
|
|
request: Request,
|
|
current_user: User = Depends(get_current_user),
|
|
db: Session = Depends(get_db)
|
|
) -> Any:
|
|
"""
|
|
List all active sessions for the current user.
|
|
|
|
Args:
|
|
current_user: Current authenticated user
|
|
db: Database session
|
|
|
|
Returns:
|
|
List of active sessions
|
|
"""
|
|
try:
|
|
# Get all active sessions for user
|
|
sessions = session_crud.get_user_sessions(
|
|
db,
|
|
user_id=str(current_user.id),
|
|
active_only=True
|
|
)
|
|
|
|
# Try to identify current session from Authorization header
|
|
current_session_jti = None
|
|
auth_header = request.headers.get("authorization")
|
|
if auth_header and auth_header.startswith("Bearer "):
|
|
try:
|
|
access_token = auth_header.split(" ")[1]
|
|
token_payload = decode_token(access_token)
|
|
# Note: Access tokens don't have JTI by default, but we can try
|
|
# For now, we'll mark current based on most recent activity
|
|
except Exception:
|
|
pass
|
|
|
|
# Convert to response format
|
|
session_responses = []
|
|
for s in sessions:
|
|
session_response = SessionResponse(
|
|
id=s.id,
|
|
device_name=s.device_name,
|
|
device_id=s.device_id,
|
|
ip_address=s.ip_address,
|
|
location_city=s.location_city,
|
|
location_country=s.location_country,
|
|
last_used_at=s.last_used_at,
|
|
created_at=s.created_at,
|
|
expires_at=s.expires_at,
|
|
is_current=(s == sessions[0] if sessions else False) # Most recent = current
|
|
)
|
|
session_responses.append(session_response)
|
|
|
|
logger.info(f"User {current_user.id} listed {len(session_responses)} active sessions")
|
|
|
|
return SessionListResponse(
|
|
sessions=session_responses,
|
|
total=len(session_responses)
|
|
)
|
|
|
|
except Exception as e:
|
|
logger.error(f"Error listing sessions for user {current_user.id}: {str(e)}", exc_info=True)
|
|
raise HTTPException(
|
|
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
|
detail="Failed to retrieve sessions"
|
|
)
|
|
|
|
|
|
@router.delete(
|
|
"/{session_id}",
|
|
response_model=MessageResponse,
|
|
status_code=status.HTTP_200_OK,
|
|
summary="Revoke Specific Session",
|
|
description="""
|
|
Revoke a specific session by ID.
|
|
|
|
This logs you out from that particular device.
|
|
You can only revoke your own sessions.
|
|
|
|
**Rate Limit**: 10 requests/minute
|
|
""",
|
|
operation_id="revoke_session"
|
|
)
|
|
@limiter.limit("10/minute")
|
|
def revoke_session(
|
|
request: Request,
|
|
session_id: UUID,
|
|
current_user: User = Depends(get_current_user),
|
|
db: Session = Depends(get_db)
|
|
) -> Any:
|
|
"""
|
|
Revoke a specific session by ID.
|
|
|
|
Args:
|
|
session_id: UUID of the session to revoke
|
|
current_user: Current authenticated user
|
|
db: Database session
|
|
|
|
Returns:
|
|
Success message
|
|
"""
|
|
try:
|
|
# Get the session
|
|
session = session_crud.get(db, id=str(session_id))
|
|
|
|
if not session:
|
|
raise NotFoundError(
|
|
message=f"Session {session_id} not found",
|
|
error_code=ErrorCode.NOT_FOUND
|
|
)
|
|
|
|
# Verify session belongs to current user
|
|
if str(session.user_id) != str(current_user.id):
|
|
logger.warning(
|
|
f"User {current_user.id} attempted to revoke session {session_id} "
|
|
f"belonging to user {session.user_id}"
|
|
)
|
|
raise AuthorizationError(
|
|
message="You can only revoke your own sessions",
|
|
error_code=ErrorCode.INSUFFICIENT_PERMISSIONS
|
|
)
|
|
|
|
# Deactivate the session
|
|
session_crud.deactivate(db, session_id=str(session_id))
|
|
|
|
logger.info(
|
|
f"User {current_user.id} revoked session {session_id} "
|
|
f"({session.device_name})"
|
|
)
|
|
|
|
return MessageResponse(
|
|
success=True,
|
|
message=f"Session revoked: {session.device_name or 'Unknown device'}"
|
|
)
|
|
|
|
except (NotFoundError, AuthorizationError):
|
|
raise
|
|
except Exception as e:
|
|
logger.error(f"Error revoking session {session_id}: {str(e)}", exc_info=True)
|
|
raise HTTPException(
|
|
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
|
detail="Failed to revoke session"
|
|
)
|
|
|
|
|
|
@router.delete(
|
|
"/me/expired",
|
|
response_model=MessageResponse,
|
|
status_code=status.HTTP_200_OK,
|
|
summary="Cleanup Expired Sessions",
|
|
description="""
|
|
Remove expired sessions for the current user.
|
|
|
|
This is a cleanup operation to remove old session records.
|
|
|
|
**Rate Limit**: 5 requests/minute
|
|
""",
|
|
operation_id="cleanup_expired_sessions"
|
|
)
|
|
@limiter.limit("5/minute")
|
|
def cleanup_expired_sessions(
|
|
request: Request,
|
|
current_user: User = Depends(get_current_user),
|
|
db: Session = Depends(get_db)
|
|
) -> Any:
|
|
"""
|
|
Cleanup expired sessions for the current user.
|
|
|
|
Args:
|
|
current_user: Current authenticated user
|
|
db: Database session
|
|
|
|
Returns:
|
|
Success message with count of sessions cleaned
|
|
"""
|
|
try:
|
|
from datetime import datetime, timezone
|
|
|
|
# Get all sessions for user
|
|
all_sessions = session_crud.get_user_sessions(
|
|
db,
|
|
user_id=str(current_user.id),
|
|
active_only=False
|
|
)
|
|
|
|
# Delete expired and inactive sessions
|
|
deleted_count = 0
|
|
for s in all_sessions:
|
|
if not s.is_active and s.expires_at < datetime.now(timezone.utc):
|
|
db.delete(s)
|
|
deleted_count += 1
|
|
|
|
db.commit()
|
|
|
|
logger.info(f"User {current_user.id} cleaned up {deleted_count} expired sessions")
|
|
|
|
return MessageResponse(
|
|
success=True,
|
|
message=f"Cleaned up {deleted_count} expired sessions"
|
|
)
|
|
|
|
except Exception as e:
|
|
logger.error(f"Error cleaning up sessions for user {current_user.id}: {str(e)}", exc_info=True)
|
|
db.rollback()
|
|
raise HTTPException(
|
|
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
|
detail="Failed to cleanup sessions"
|
|
)
|