privacy/security: add PM privacy levels and improve session visibility

app/auth/router.py

@@ -23,6 +23,7 @@ from app.auth.service import (
     disable_twofa,
     enable_twofa,
     get_current_user,
+    get_access_session_info,
     get_email_sender,
     get_request_metadata,
     login_user,
@@ -37,6 +38,7 @@ from app.auth.service import (
     reset_password,
     setup_twofa,
     verify_email,
+    oauth2_scheme,
 )
 from app.database.session import get_db
 from app.email.service import EmailService
@@ -147,7 +149,10 @@ async def me(current_user: User = Depends(get_current_user)) -> AuthUserResponse
 
 
 @router.get("/sessions", response_model=list[SessionRead])
-async def list_sessions(current_user: User = Depends(get_current_user)) -> list[SessionRead]:
+async def list_sessions(
+    current_user: User = Depends(get_current_user),
+    access_token: str = Depends(oauth2_scheme),
+) -> list[SessionRead]:
     sessions = await list_user_sessions(current_user.id)
     out: list[SessionRead] = []
     for item in sessions:
@@ -157,8 +162,23 @@ async def list_sessions(current_user: User = Depends(get_current_user)) -> list[
                 created_at=datetime.fromtimestamp(item.created_at, tz=timezone.utc),
                 ip_address=item.ip_address,
                 user_agent=item.user_agent,
+                current=False,
+                token_type="refresh",
             )
         )
+    access_session = get_access_session_info(access_token)
+    if access_session and all(item.jti != access_session[0] for item in out):
+        out.insert(
+            0,
+            SessionRead(
+                jti=access_session[0],
+                created_at=access_session[1],
+                ip_address=None,
+                user_agent="Current access token",
+                current=True,
+                token_type="access",
+            ),
+        )
     return out