Session management: list active sessions, force logout, token revocation #85

New Issue

Open

opened 2026-03-17 19:15:19 +01:00 by claude · 0 comments

claude commented 2026-03-17 19:15:19 +01:00

Owner

Copy Link

Context

JWTs are stateless — once issued, they cannot be revoked until expiry. There is no way for an admin to:

• See who is currently logged in
• Force-logout a user (e.g., after removing their roles or deleting their account)
• Invalidate all tokens for a specific user

Requirements

Token revocation

• Maintain a server-side revocation list (e.g., revoked_tokens table or Redis set)
• JwtAuthenticationFilter checks revocation list on each request
• Revocation entries expire after the token's max TTL (no unbounded growth)

Admin API

• GET /api/v1/admin/sessions — list active sessions (users with non-expired tokens)
• DELETE /api/v1/admin/sessions/{userId} — revoke all tokens for a user (force logout)
• DELETE /api/v1/admin/sessions — revoke all sessions (emergency)

Automatic revocation triggers

• When a user is deleted, revoke their tokens
• When roles are removed from a user, optionally revoke tokens so the new role set takes effect immediately (otherwise waits for token refresh)

UI

• Session list in admin area showing active users, login time, token expiry
• "Force logout" button per user
• "Logout all users" emergency button

Notes

• Current token TTL should be checked — shorter access tokens reduce the window where revocation matters
• Consider: is a database-backed revocation list acceptable for performance, or does this need Redis/in-memory?
• Alternative lightweight approach: store a token_invalidated_at timestamp per user; reject tokens issued before that timestamp

## Context JWTs are stateless — once issued, they cannot be revoked until expiry. There is no way for an admin to: - See who is currently logged in - Force-logout a user (e.g., after removing their roles or deleting their account) - Invalidate all tokens for a specific user ## Requirements ### Token revocation - Maintain a server-side revocation list (e.g., `revoked_tokens` table or Redis set) - `JwtAuthenticationFilter` checks revocation list on each request - Revocation entries expire after the token's max TTL (no unbounded growth) ### Admin API - `GET /api/v1/admin/sessions` — list active sessions (users with non-expired tokens) - `DELETE /api/v1/admin/sessions/{userId}` — revoke all tokens for a user (force logout) - `DELETE /api/v1/admin/sessions` — revoke all sessions (emergency) ### Automatic revocation triggers - When a user is deleted, revoke their tokens - When roles are removed from a user, optionally revoke tokens so the new role set takes effect immediately (otherwise waits for token refresh) ### UI - Session list in admin area showing active users, login time, token expiry - "Force logout" button per user - "Logout all users" emergency button ## Notes - Current token TTL should be checked — shorter access tokens reduce the window where revocation matters - Consider: is a database-backed revocation list acceptable for performance, or does this need Redis/in-memory? - Alternative lightweight approach: store a `token_invalidated_at` timestamp per user; reject tokens issued before that timestamp

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

v0.0.2

v0.0.1

Labels

Clear labels

accessibility

Accessibility (a11y) improvements

bug

Something isn't working correctly

cleanup

Code cleanup, dead code removal, refactoring

epic

Epic: groups related issues

feature

New functionality

pmf

Product-market fit: critical for first market offer

route-diagram

Route diagram page and execution overlay

security

Authentication, authorization, RBAC

ui

Frontend / React UI

ux

UX/usability improvements

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

claude

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: cameleer/cameleer-server#85