feat: implement device detection and session management backend
Title (semantic)
feat(sessions): implement device detection and session management backend
Description
This merge request implements a new feature.
Adds automated session tracking to the backend. When a user logs in, device information (OS, browser, CPU, RAM, internet speed) is captured and stored against their session. Three new API endpoints allow users to view and manage all their active login sessions, including the ability to remotely sign out of specific devices.
Previously, users had to manually enter their device details in their profile which was inaccurate and poor UX. This MR solves that by capturing device info automatically on login and persisting it to a new sessions table in the database.
What was changed
- Added new
sessionsdatabase table via migration - Added new
Sessionmodel with fields: id, user_id, token_hash, os, browser, cpu_cores, ram_gb, internet_speed_mbps, ip_address, last_active_at, created_at - Updated
POST /api/v1/auth/loginto:- Accept optional device_info in request body
- Save session row with device info and ip_address on login
- Store SHA-256 hash of token, never raw token
- Updated auth middleware to:
- Validate token against sessions table on every request
- Return 401 immediately if session row was deleted
- Update last_active_at (max once per 60 seconds)
- Added 3 new session endpoints: GET /api/v1/sessions/ List all active sessions DELETE /api/v1/sessions/ Sign out all other devices DELETE /api/v1/sessions/{session_id} Sign out specific session
New API Endpoints
| Method | Endpoint | Description | Auth |
|---|---|---|---|
| GET | /api/v1/sessions/ |
List all active sessions for logged in user | Required |
| DELETE | /api/v1/sessions/ |
Sign out of all other devices | Required |
| DELETE | /api/v1/sessions/{session_id} |
Sign out a specific session | Required |
GET /api/v1/sessions/ response shape
{ "sessions": [ { "id": "uuid", "os": "Linux", "browser": "Chrome 124", "ip_address": "172.18.0.1", "cpu_cores": 8, "ram_gb": 8.0, "internet_speed_mbps": 45.2, "last_active_at": "2026-05-21T04:32:17Z", "created_at": "2026-05-21T04:32:17Z", "is_current": true } ] }
How to Test
-
Pull this branch and run migrations: python manage.py migrate or alembic upgrade head
-
Open Swagger at http://localhost:8000/docs
-
Login via POST /api/v1/auth/login with device_info: { "email": "[email protected]", "password": "yourpassword", "device_info": { "os": "Linux", "browser": "Chrome 124", "cpu_cores": 8, "ram_gb": 8, "internet_speed_mbps": 45.2 } } Copy the access_token from response.
-
Click Authorize in Swagger and paste: Bearer <your_token>
-
Test GET /api/v1/sessions/ Expected: returns session list with is_current: true and correct device info values
-
Test DELETE /api/v1/sessions/{session_id} Paste a session id from step 5 Expected: { "message": "Session signed out successfully" }
-
Test DELETE /api/v1/sessions/ Expected: { "message": "Signed out of all other devices" }
-
Verify remote sign out works: Log in from two different sessions. Delete one session. Use that deleted session token in a request. Expected: 401 Unauthorized
Security Considerations
- Token is always stored as SHA-256 hash, never as raw token
- Sessions are always filtered by current_user.id — users can never access or delete another user's sessions
- Auth middleware checks DB on every request so remote sign out takes effect immediately on next API call
- ip_address is captured server side from request, never trusted from client
Screenshots
Checklist
-
The feature has been fully implemented. -
Tests for the new feature are included and passing. -
User documentation/guides have been updated (if applicable). -
Impact on existing functionality has been considered.
Related Issue(s)
Closes #