benya/Messenger
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): add active sessions management
Some checks failed
CI / test (push) Failing after 33s
Details

Browse Source 
- store refresh session metadata in redis (ip/user-agent/created_at)

- add auth APIs: list sessions, revoke one, revoke all

- add web privacy UI for active sessions
This commit is contained in:
Alex
2026-03-08 11:41:03 +03:00
parent da73b79ee7
commit e685a38be6
7 changed files with 309 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
app/auth/router.py
View File

@@ -1,3 +1,5 @@
from datetime import datetime, timezone
from fastapi import APIRouter, Depends, Request, status
from sqlalchemy.ext.asyncio import AsyncSession
@@ -11,12 +13,17 @@ from app.auth.schemas import (
ResendVerificationRequest,
ResetPasswordRequest,
TokenResponse,
SessionRead,
VerifyEmailRequest,
)
from app.auth.service import (
get_current_user,
get_email_sender,
get_request_metadata,
login_user,
list_user_sessions,
revoke_all_user_sessions,
revoke_user_session,
refresh_tokens,
register_user,
request_password_reset,
@@ -56,7 +63,8 @@ async def login(payload: LoginRequest, request: Request, db: AsyncSession = Depe
scope="auth_login",
limit=settings.login_rate_limit_per_minute,
)
return await login_user(db, payload)
ip_address, user_agent = get_request_metadata(request)
return await login_user(db, payload, ip_address=ip_address, user_agent=user_agent)
@router.post("/refresh", response_model=TokenResponse)
@@ -70,7 +78,8 @@ async def refresh(
scope="auth_refresh",
limit=settings.refresh_rate_limit_per_minute,
)
return await refresh_tokens(db, payload)
ip_address, user_agent = get_request_metadata(request)
return await refresh_tokens(db, payload, ip_address=ip_address, user_agent=user_agent)
@router.post("/verify-email", response_model=MessageResponse)
@@ -120,3 +129,29 @@ async def reset_password_endpoint(payload: ResetPasswordRequest, db: AsyncSessio
@router.get("/me", response_model=AuthUserResponse)
async def me(current_user: User = Depends(get_current_user)) -> AuthUserResponse:
return current_user
@router.get("/sessions", response_model=list[SessionRead])
async def list_sessions(current_user: User = Depends(get_current_user)) -> list[SessionRead]:
sessions = await list_user_sessions(current_user.id)
out: list[SessionRead] = []
for item in sessions:
out.append(
SessionRead(
jti=item.jti,
created_at=datetime.fromtimestamp(item.created_at, tz=timezone.utc),
ip_address=item.ip_address,
user_agent=item.user_agent,
)
)
return out
@router.delete("/sessions/{jti}", status_code=status.HTTP_204_NO_CONTENT)
async def revoke_session(jti: str, current_user: User = Depends(get_current_user)) -> None:
await revoke_user_session(user_id=current_user.id, jti=jti)
@router.delete("/sessions", status_code=status.HTTP_204_NO_CONTENT)
async def revoke_all_sessions(current_user: User = Depends(get_current_user)) -> None:
await revoke_all_user_sessions(user_id=current_user.id)