feat(sessions): implement session management backend

Title (semantic)

feat(sessions): implement device detection and session management backend

Description

This merge request implements backend session management.

Adds automated session tracking to the backend. When a user logs in, their session is captured and stored, including device OS, browser, IP address and last-active time. Three new API endpoints let users view and manage all of their active login sessions, including remotely signing out of specific devices.

Previously, users had no way to view or manage their active sessions. This MR solves that by automatically capturing session info on login and persisting it to a new sessions table in the database.

What was changed

  • Added new sessions database table via migration
  • Added new Session model with fields: id, user_id, token_hash, device_os, device_browser, device_type, ip_address, last_active_at, created_at
  • Updated POST /api/v1/auth/login to:
    • Save session row with device info and ip_address on login
    • Store SHA-256 hash of token, never raw token
  • Updated auth middleware to:
    • Validate token against sessions table on every request
    • Return 401 immediately if session row was deleted
    • Update last_active_at (max once per 60 seconds)
  • Added 3 new session endpoints:
    • GET /api/v1/sessions/ – list all active sessions
    • DELETE /api/v1/sessions/ – sign out all other devices
    • DELETE /api/v1/sessions/{session_id} – sign out a specific session

New API Endpoints

| Method | Endpoint | Description | Auth |
|--------|----------|-------------|------|
| GET | /api/v1/sessions/ | List all active sessions for the logged-in user | Required |
| DELETE | /api/v1/sessions/ | Sign out of all other devices | Required |
| DELETE | /api/v1/sessions/{session_id} | Sign out a specific session | Required |

GET /api/v1/sessions/ response shape

    {
      "sessions": [
        {
          "id": "uuid",
          "device_os": "Linux",
          "device_browser": "Chrome 124",
          "device_type": "desktop",
          "ip_address": "172.18.0.1",
          "last_active_at": "2026-05-21T04:32:17Z",
          "created_at": "2026-05-21T04:32:17Z",
          "is_current": true
        }
      ],
      "total_devices": 1
    }

How to Test

  1. Pull this branch and run migrations: alembic upgrade head

  2. Open Swagger at http://localhost:8000/docs

  3. Log in via POST /api/v1/auth/login with { "phone": "your_phone", "password": "yourpassword" } and copy the access_token from the response.

  4. Click Authorize in Swagger and paste: Bearer <your_token>

  5. Test GET /api/v1/sessions/. Expected: returns the session list with is_current: true and correct device info.

  6. Test DELETE /api/v1/sessions/{session_id}, pasting a session id from step 5. Expected: { "message": "Session signed out successfully" }

  7. Test DELETE /api/v1/sessions/. Expected: { "message": "Signed out of all other devices" }

  8. Verify that remote sign-out works: log in from two different sessions, delete one of them, then use the deleted session's token in a request. Expected: 401 Unauthorized

Security Considerations

  • Token always stored as SHA-256 hash, never raw token
  • Sessions always filtered by current_user.id
  • Users can never access or delete another user's sessions
  • Auth middleware checks DB on every request so remote sign out takes effect immediately on next API call
  • ip_address is captured server side, never trusted from the client
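The login, middleware and delete paths described under "What was changed" and above, as an added example that is not the MR's own code: an in-memory dict stands in for the sessions table, and the names SessionStore, _delete and the constructed sample sessions are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

def hash_token(raw_token: str) -> str:
    # Only this digest is persisted; the raw token is never written to storage.
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()

@dataclass
class Session:
    id: str
    user_id: int
    token_hash: str
    device_os: str
    ip_address: str
    last_active_at: datetime

class SessionStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, Session] = {}  # constructed stand-in for the sessions table

    def create(self, user_id: int, device_os: str, ip: str, now: datetime) -> str:
        # Login path: persist the hash plus server-observed device info, return the raw token once.
        raw_token = secrets.token_urlsafe(32)
        s = Session(secrets.token_hex(16), user_id, hash_token(raw_token), device_os, ip, now)
        self._by_hash[s.token_hash] = s
        return raw_token

    def authenticate(self, raw_token: str, now: datetime) -> "Session | None":
        # Middleware path: hit the table on every request; None means the row is gone -> 401.
        s = self._by_hash.get(hash_token(raw_token))
        if s is not None and now - s.last_active_at >= timedelta(seconds=60):
            s.last_active_at = now  # written at most once per 60 seconds
        return s

    def _delete(self, user_id: int, keep) -> int:
        # Every delete is scoped to the caller's user_id; keep(session) marks rows that survive.
        doomed = [h for h, s in self._by_hash.items() if s.user_id == user_id and not keep(s)]
        for h in doomed:
            del self._by_hash[h]
        return len(doomed)

    def sign_out(self, current: Session, session_id: str) -> bool:
        # DELETE /sessions/{session_id}: another user's session id matches nothing here.
        return self._delete(current.user_id, lambda s: s.id != session_id) == 1

    def sign_out_others(self, current: Session) -> int:
        # DELETE /sessions/: drop the caller's other sessions, keep the current one.
        return self._delete(current.user_id, lambda s: s.id == current.id)
```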

Screenshots

(three screenshots attached, taken 2026-05-21 at 10:05:07, 10:04:28 and 10:04:19; images not reproduced here)

Checklist

  • The feature has been fully implemented.
  • Tests for the new feature are included and passing.
  • User documentation/guides have been updated (if applicable).
  • Impact on existing functionality has been considered.

Related Issue(s)

Closes #

Edited by mondyagu abhilash
