feat: revoke (unlink) device via DELETE /devices/:id #210

Open
Andreschuks101 wants to merge 1 commit into codebestia:main from Andreschuks101:feature/157-revoke-device

@Andreschuks101

Revoke (unlink) a device — DELETE /devices/:id

closes #157

Soft-revokes a device and tears down all of its access across the cluster.

Changes

  • Schema/migration: new devices (revokedAt, publicKey, lastSeenAt) and
    device_prekeys tables, relations, types, and migration 0007_device_revocation.
  • DELETE /devices/:id: stamps revokedAt, deletes the device's prekeys,
    disconnects its live sockets, publishes device_revoked on the Redis bus, and
    emits a key_change notice to peers in shared conversations.
  • GET /devices: lists the caller's devices.
  • Revocation service: persistence runs in a transaction; the "last active
    device" rule is enforced atomically inside the UPDATE so concurrent revokes
    cannot remove a user's final device.
  • Socket layer: sockets bind to a per-device room on connect; a revoked or
    foreign device is refused at connection time, excluding it from future fan-out.
    A Redis bus subscriber tears down device sockets on every instance.

Behaviour / acceptance criteria

  • revokedAt set; prekeys removed; live sockets disconnected.
  • Revoked device excluded from future fan-out (leaves its room, rejected on reconnect).
  • Revoking the only active device returns 409.
  • Peers in shared conversations receive a key_change event.

Testing

  • New unit tests for the route and the revocation service (ownership, already-revoked,
    last-device 409, success path, concurrent-revoke race, socket disconnect, peer
    notification, bus publish).
  • Full backend suite passes (109 tests); lint and prettier clean.

Notes

  • Clients pass deviceId in the Socket.IO handshake auth to bind a socket to a device.
  • Device/prekey registration endpoints are out of scope for this issue (revocation only).
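
The concurrent-revoke race that the "last active device" rule is meant to close, as an added example that is not code from this PR: two revocations for the same user are interleaved step by step, first with a check-then-act handler and then with the guard evaluated together with the write. The in-memory store, `revokeIfNotLast`, the device ids and the `'revoked'` result value are assumptions made for the illustration.

```javascript
// Added example, not the PR's code. Each request is a generator that yields
// where a real handler would await the database, so the race is deterministic.
function makeStore() {
  // Constructed sample data: one user with two active devices.
  const rows = [
    { id: 'dev-a', userId: 'u1', revokedAt: null },
    { id: 'dev-b', userId: 'u1', revokedAt: null },
  ];
  const active = (u) => rows.filter((d) => d.userId === u && d.revokedAt === null);
  const markRevoked = (id) => { rows.find((d) => d.id === id).revokedAt = Date.now(); };
  return {
    countActive: (u) => active(u).length,
    markRevoked,
    // Hypothetical helper modelling one guarded UPDATE: the check and the
    // write happen in a single step. Returns the number of rows changed.
    revokeIfNotLast(u, id) {
      const mine = active(u);
      if (mine.length <= 1 || !mine.some((d) => d.id === id)) return 0;
      markRevoked(id);
      return 1;
    },
  };
}

// Check-then-act: the count is read in one step and trusted in a later one.
function* revokeNaive(store, u, id) {
  const n = store.countActive(u);
  yield; // database round trip; the other request runs here
  if (n <= 1) return 409;
  store.markRevoked(id);
  return 'revoked';
}

// Guarded update: the last-device rule is evaluated together with the write.
function* revokeGuarded(store, u, id) {
  yield; // same scheduling point as above
  return store.revokeIfNotLast(u, id) === 1 ? 'revoked' : 409;
}

// Advance both requests one step at a time until each has returned.
function runConcurrently(handler) {
  const store = makeStore();
  const reqs = ['dev-a', 'dev-b'].map((id) => ({ gen: handler(store, 'u1', id) }));
  while (reqs.some((r) => !r.done)) {
    for (const r of reqs) if (!r.done) Object.assign(r, r.gen.next());
  }
  return { results: reqs.map((r) => r.value), activeLeft: store.countActive('u1') };
}
console.log(runConcurrently(revokeNaive), runConcurrently(revokeGuarded));
```

The model assumes the store applies the guarded update as one indivisible step. On a database where two statements can each run against their own snapshot, that holds only if revocations for one user are serialized, for example by locking that user's device rows inside the transaction.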

@drips-wave

drips-wave Bot commented Jun 25, 2026

@Andreschuks101 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Development

Successfully merging this pull request may close these issues.

DELETE /devices/:id — revoke (unlink) a device
