feat: show deleted user sessions (#8749)

frontend/src/component/user/HostedAuth.tsx

@@ -12,6 +12,7 @@ import { LOGIN_BUTTON, LOGIN_EMAIL_ID, LOGIN_PASSWORD_ID } from 'utils/testIds';
 import type { IAuthEndpointDetailsResponse } from 'hooks/api/getters/useAuth/useAuthEndpoint';
 import { BadRequestError, NotFoundError } from 'utils/apiUtils';
 import { contentSpacingY } from 'themes/themeStyles';
+import useToast from 'hooks/useToast';
 
 interface IHostedAuthProps {
     authDetails: IAuthEndpointDetailsResponse;
@@ -47,6 +48,7 @@ const HostedAuth: VFC<IHostedAuthProps> = ({ authDetails, redirect }) => {
         passwordError?: string;
         apiError?: string;
     }>({});
+    const { setToastData } = useToast();
 
     const handleSubmit: FormEventHandler<HTMLFormElement> = async (evt) => {
         evt.preventDefault();
@@ -69,7 +71,18 @@ const HostedAuth: VFC<IHostedAuthProps> = ({ authDetails, redirect }) => {
         }
 
         try {
-            await passwordAuth(authDetails.path, username, password);
+            const data = await passwordAuth(
+                authDetails.path,
+                username,
+                password,
+            );
+            if (data.deletedSessions && data.activeSessions) {
+                setToastData({
+                    type: 'success',
+                    title: 'Maximum Session Limit Reached',
+                    text: `You can have up to ${data.activeSessions} active sessions at a time. To allow this login, we’ve logged out ${data.deletedSessions} session(s) from other browsers.`,
+                });
+            }
             refetchUser();
             navigate(redirect, { replace: true });
         } catch (error: any) {

frontend/src/component/user/PasswordAuth.tsx

@@ -17,6 +17,7 @@ import {
     NotFoundError,
 } from 'utils/apiUtils';
 import { contentSpacingY } from 'themes/themeStyles';
+import useToast from 'hooks/useToast';
 
 interface IPasswordAuthProps {
     authDetails: IAuthEndpointDetailsResponse;
@@ -46,6 +47,7 @@ const PasswordAuth: VFC<IPasswordAuthProps> = ({ authDetails, redirect }) => {
         passwordError?: string;
         apiError?: string;
     }>({});
+    const { setToastData } = useToast();
 
     const handleSubmit: FormEventHandler<HTMLFormElement> = async (evt) => {
         evt.preventDefault();
@@ -68,7 +70,19 @@ const PasswordAuth: VFC<IPasswordAuthProps> = ({ authDetails, redirect }) => {
         }
 
         try {
-            await passwordAuth(authDetails.path, username, password);
+            const data = await passwordAuth(
+                authDetails.path,
+                username,
+                password,
+            );
+            if (data.deletedSessions && data.activeSessions) {
+                setToastData({
+                    type: 'success',
+                    title: 'Maximum Session Limit Reached',
+                    text: `You can have up to ${data.activeSessions} active sessions at a time. To allow this login, we’ve logged out ${data.deletedSessions} session(s) from other browsers.`,
+                });
+            }
+
             refetchUser();
             navigate(redirect, { replace: true });
         } catch (error: any) {

frontend/src/hooks/api/actions/useAuthApi/useAuthApi.tsx

@@ -1,11 +1,12 @@
 import { headers } from 'utils/apiUtils';
 import useAPI from '../useApi/useApi';
+import type { UserSchema } from 'openapi';
 
 type PasswordLogin = (
     path: string,
     username: string,
     password: string,
-) => Promise<Response>;
+) => Promise<UserSchema>;
 
 type EmailLogin = (path: string, email: string) => Promise<Response>;
 
@@ -21,7 +22,11 @@ export const useAuthApi = (): IUseAuthApiOutput => {
         propagateErrors: true,
     });
 
-    const passwordAuth = (path: string, username: string, password: string) => {
+    const passwordAuth = async (
+        path: string,
+        username: string,
+        password: string,
+    ): Promise<UserSchema> => {
         const req = {
             caller: () => {
                 return fetch(path, {
@@ -33,7 +38,10 @@ export const useAuthApi = (): IUseAuthApiOutput => {
             id: 'passwordAuth',
         };
 
-        return makeRequest(req.caller, req.id);
+        const res = await makeRequest(req.caller, req.id);
+        const data = await res.json();
+
+        return data;
     };
 
     const emailAuth = (path: string, email: string) => {

frontend/src/openapi/models/userSchema.ts

@@ -59,4 +59,6 @@ export interface UserSchema {
      * @nullable
      */
     username?: string | null;
+    deletedSessions?: number;
+    activeSessions?: number;
 }

src/lib/openapi/spec/user-schema.ts

@@ -105,6 +105,12 @@ export const userSchema = {
             nullable: true,
             example: 2,
         },
+        deletedSessions: {
+            description:
+                'Experimental. The number of deleted browser sessions after last login',
+            type: 'number',
+            example: 1,
+        },
     },
     components: {},
 } as const;

src/lib/services/session-service.ts

@@ -36,7 +36,7 @@ export default class SessionService {
     async deleteStaleSessionsForUser(
         userId: number,
         maxSessions: number,
-    ): Promise<void> {
+    ): Promise<number> {
         const userSessions: ISession[] =
             await this.sessionStore.getSessionsForUser(userId);
         const newestFirst = userSessions.sort((a, b) =>
@@ -48,6 +48,7 @@ export default class SessionService {
                 this.sessionStore.delete(session.sid),
             ),
         );
+        return sessionsToDelete.length;
     }
 
     async deleteSession(sid: string): Promise<void> {

src/lib/services/user-service.ts

@@ -425,10 +425,13 @@ class UserService {
                         deleteStaleUserSessions.payload?.value || 30,
                     );
                     // subtract current user session that will be created
-                    await this.sessionService.deleteStaleSessionsForUser(
-                        user.id,
-                        Math.max(allowedSessions - 1, 0),
-                    );
+                    const deletedSessionsCount =
+                        await this.sessionService.deleteStaleSessionsForUser(
+                            user.id,
+                            Math.max(allowedSessions - 1, 0),
+                        );
+                    user.deletedSessions = deletedSessionsCount;
+                    user.activeSessions = allowedSessions;
                 }
                 this.eventBus.emit(USER_LOGIN, { loginOrder });
                 return user;

src/lib/types/user.ts

@@ -31,6 +31,8 @@ export interface IUser {
     imageUrl?: string;
     accountType?: AccountType;
     scimId?: string;
+    deletedSessions?: number;
+    activeSessions?: number;
 }
 
 export type MinimalUser = Pick<

src/test/e2e/services/user-service.e2e.test.ts

@@ -18,6 +18,7 @@ import PasswordMismatch from '../../../lib/error/password-mismatch';
 import type { EventService } from '../../../lib/services';
 import {
     CREATE_ADDON,
+    type IFlagResolver,
     type IUnleashStores,
     type IUserStore,
     SYSTEM_USER_AUDIT,
@@ -45,6 +46,8 @@ let eventService: EventService;
 let accessService: AccessService;
 let eventBus: EventEmitter;
 
+const allowedSessions = 2;
+
 beforeAll(async () => {
     db = await dbInit('user_service_serial', getLogger);
     stores = db.stores;
@@ -63,14 +66,31 @@ beforeAll(async () => {
     sessionService = new SessionService(stores, config);
     settingService = new SettingService(stores, config, eventService);
 
-    userService = new UserService(stores, config, {
-        accessService,
-        resetTokenService,
-        emailService,
-        eventService,
-        sessionService,
-        settingService,
-    });
+    const flagResolver = {
+        isEnabled() {
+            return true;
+        },
+        getVariant() {
+            return {
+                feature_enabled: true,
+                payload: {
+                    value: String(allowedSessions),
+                },
+            };
+        },
+    } as unknown as IFlagResolver;
+    userService = new UserService(
+        stores,
+        { ...config, flagResolver },
+        {
+            accessService,
+            resetTokenService,
+            emailService,
+            eventService,
+            sessionService,
+            settingService,
+        },
+    );
     userStore = stores.userStore;
     const rootRoles = await accessService.getRootRoles();
     adminRole = rootRoles.find((r) => r.name === RoleName.ADMIN)!;
@@ -95,8 +115,9 @@ afterAll(async () => {
     await db.destroy();
 });
 
-afterEach(async () => {
+beforeEach(async () => {
     await userStore.deleteAll();
+    await settingService.deleteAll();
 });
 
 test('should create initial admin user', async () => {
@@ -361,6 +382,43 @@ test("deleting a user should delete the user's sessions", async () => {
     expect(noSessions.length).toBe(0);
 });
 
+test('user login should remove stale sessions', async () => {
+    const email = 'some@test.com';
+    const user = await userService.createUser(
+        {
+            email,
+            password: 'A very strange P4ssw0rd_',
+            rootRole: adminRole.id,
+        },
+        TEST_AUDIT_USER,
+    );
+    const userSession = (index: number) => ({
+        sid: `sid${index}`,
+        sess: {
+            cookie: {
+                originalMaxAge: minutesToMilliseconds(48),
+                expires: addDays(Date.now(), 1).toDateString(),
+                secure: false,
+                httpOnly: true,
+                path: '/',
+            },
+            user,
+        },
+    });
+
+    for (let i = 0; i < allowedSessions; i++) {
+        await sessionService.insertSession(userSession(i));
+    }
+
+    const loggedInUser = await userService.loginUser(
+        email,
+        'A very strange P4ssw0rd_',
+    );
+
+    expect(loggedInUser.deletedSessions).toBe(1);
+    expect(loggedInUser.activeSessions).toBe(allowedSessions);
+});
+
 test('updating a user without an email should not strip the email', async () => {
     const email = 'some@test.com';
     const user = await userService.createUser(