feat: implement user session management with jwt and database persistence#1212
Open
Tha-Orakkle wants to merge 29 commits into hngprojects:dev from
Conversation
samuelogboye (Contributor) requested changes on Mar 2, 2025:
Ensure comprehensive testing of the session management system, especially edge cases like concurrent session access and token revocation.
Then make sure all tests are passing (currently the CI is failing).
Author (Tha-Orakkle) commented:
I have refactored the get_session_schema_data to function asynchronously to prevent latency.
Description
This PR introduces a comprehensive user session management system. It allows users to see the different devices signed into their account (including their locations) and provides a way to log out from all or specific devices.
Features
The key enhancements include:
Active Session Tracking: Each issued JWT refresh token is stored in the database with associated metadata such as user ID, device details, IP address, expires_at, and location.
Session Revocation: Users can view and selectively revoke active sessions, enabling logout from specific devices without affecting other sessions.
Enhanced Security: By maintaining a centralized session store, compromised tokens can be individually invalidated, reducing potential security risks.
Regular DB Management: Every Sunday midnight, expired and revoked tokens are removed from the db.
Related Issue (Link to issue ticket)
#1061
Motivation and Context
Implementing session management enhances user experience by providing control over active sessions and improves security by allowing precise token invalidation. This aligns with best practices for authentication systems, addressing the current limitations where JWTs are stateless and lack centralized management.
How Has This Been Tested?
The following testing strategies were employed:
Integration Tests: Simulated user authentication workflows to verify that session data is accurately recorded and managed.
Manual Testing: Performed using Postman to validate endpoints for session management, including edge cases like attempting to revoke already invalidated tokens.
Types of changes
Checklist:
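The Features list above describes the mechanism (a refresh-token JWT whose record lives in a database, per-device revocation, and a periodic purge of expired and revoked rows) without showing the checks a reviewer would want to see tested. The following is an added example, not code from this PR or from the hngprojects repository: it sketches the same design with the standard library only (a hand-rolled HS256 JWT and an in-memory SQLite table), so every name here (SessionStore, validate_refresh, revoke, purge, the column names, the sample device/IP/location values) is an assumption for illustration. The point it demonstrates is the one that makes a "stateless" JWT revocable: a valid signature alone is not enough, the token's jti must also match a row that is neither revoked nor expired, and revocation is scoped to the owning user and idempotent, so revoking an already-revoked session is a no-op rather than an error.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed signing key for the example only; a real service loads it from config.
SECRET = b"example-signing-key-not-for-production"
REFRESH_TTL = timedelta(days=7)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_refresh_jwt(user_id: str, jti: str, expires_at: datetime) -> str:
    """HS256 JWT carrying a jti so the token can be matched to its session row."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "jti": jti, "exp": int(expires_at.timestamp())}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict | None:
    """Constant-time signature check; returns the claims or None (no DB lookup here)."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None


class SessionStore:
    """One row per issued refresh token. Only the jti is stored, never the token itself,
    so a leaked table does not hand out usable refresh tokens."""

    def __init__(self, conn: sqlite3.Connection | None = None):
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            " jti TEXT PRIMARY KEY, user_id TEXT NOT NULL, device TEXT, ip TEXT,"
            " location TEXT, expires_at INTEGER NOT NULL, revoked INTEGER NOT NULL DEFAULT 0)"
        )

    def create_session(self, user_id: str, device: str, ip: str, location: str,
                       now: datetime | None = None) -> tuple[str, str]:
        now = now or datetime.now(timezone.utc)
        jti = secrets.token_urlsafe(16)
        expires_at = now + REFRESH_TTL
        self.conn.execute("INSERT INTO sessions VALUES (?,?,?,?,?,?,0)",
                          (jti, user_id, device, ip, location, int(expires_at.timestamp())))
        return jti, mint_refresh_jwt(user_id, jti, expires_at)

    def list_sessions(self, user_id: str) -> list[dict]:
        rows = self.conn.execute(
            "SELECT jti, device, ip, location, expires_at FROM sessions"
            " WHERE user_id=? AND revoked=0", (user_id,)).fetchall()
        keys = ("jti", "device", "ip", "location", "expires_at")
        return [dict(zip(keys, r)) for r in rows]

    def validate_refresh(self, token: str, now: datetime | None = None) -> str | None:
        """A good signature AND a live, unrevoked, unexpired row for the same user are required."""
        now = now or datetime.now(timezone.utc)
        claims = verify_jwt(token)
        if claims is None:
            return None
        row = self.conn.execute(
            "SELECT user_id, expires_at, revoked FROM sessions WHERE jti=?",
            (claims.get("jti"),)).fetchone()
        if row is None or row[2] or row[1] <= int(now.timestamp()) or row[0] != claims.get("sub"):
            return None
        return row[0]

    def revoke(self, user_id: str, jti: str) -> bool:
        """Log out one device. Scoped to user_id so a user cannot revoke someone else's
        session; returns False when nothing changed (unknown jti or already revoked)."""
        cur = self.conn.execute(
            "UPDATE sessions SET revoked=1 WHERE jti=? AND user_id=? AND revoked=0",
            (jti, user_id))
        return cur.rowcount == 1

    def revoke_all(self, user_id: str) -> int:
        """Log out every device; returns how many live sessions were revoked."""
        return self.conn.execute(
            "UPDATE sessions SET revoked=1 WHERE user_id=? AND revoked=0", (user_id,)).rowcount

    def purge(self, now: datetime | None = None) -> int:
        """The periodic cleanup job: delete revoked rows and rows past expires_at."""
        now = now or datetime.now(timezone.utc)
        return self.conn.execute(
            "DELETE FROM sessions WHERE revoked=1 OR expires_at <= ?",
            (int(now.timestamp()),)).rowcount
```

Two details worth carrying into the real implementation: the revoke UPDATE filters on both jti and user_id, which is what turns "revoke session X" into an authorization check rather than a bare primary-key write, and the purge keys off the stored expires_at rather than re-parsing tokens, so the weekly job can run without the signing key. The `now` parameter exists so the expiry path can be exercised in a test without sleeping.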