Invalidate all sessions by keeping track of session revision

Soxasora · Soxasora · commit e2738947ffb2 · 2025-02-21T12:45:14.000+01:00
diff --git a/api/resolvers/user.js b/api/resolvers/user.js
@@ -898,6 +898,14 @@ export default {
 
       await models.user.update({ where: { id: me.id }, data: { hideWelcomeBanner: true } })
       return true
+    },
+    invalidateSessions: async (parent, args, { me, models }) => {
+      if (!me) {
+        throw new GqlAuthenticationError()
+      }
+
+      await models.user.update({ where: { id: me.id }, data: { sessionRev: { increment: 1 } } })
+      return true
     }
   },
 
diff --git a/api/typeDefs/user.js b/api/typeDefs/user.js
@@ -44,6 +44,7 @@ export default gql`
     generateApiKey(id: ID!): String
     deleteApiKey(id: ID!): User
     disableFreebies: Boolean
+    invalidateSessions: Boolean
   }
 
   type User {
@@ -197,6 +198,7 @@ export default gql`
     walletsUpdatedAt: Date
     proxyReceive: Boolean
     directReceive: Boolean
+    sessionRev: Int
     receiveCreditsBelowSats: Int!
     sendCreditsBelowSats: Int!
   }
diff --git a/fragments/users.js b/fragments/users.js
@@ -54,6 +54,7 @@ ${STREAK_FIELDS}
       walletsUpdatedAt
       proxyReceive
       directReceive
+      sessionRev
     }
     optional {
       isContributor
@@ -117,6 +118,7 @@ export const SETTINGS_FIELDS = gql`
       apiKeyEnabled
       proxyReceive
       directReceive
+      sessionRev
       receiveCreditsBelowSats
       sendCreditsBelowSats
     }
diff --git a/pages/api/auth/[...nextauth].js b/pages/api/auth/[...nextauth].js
@@ -98,6 +98,7 @@ function getCallbacks (req, res) {
         // token won't have an id on it for new logins, we add it
         // note: token is what's kept in the jwt
         token.id = Number(user.id)
+        token.sessionRev = user.sessionRev || 0
 
         // if referrer exists, set on user
         // isNewUser doesn't work for nostr/lightning auth because we create the user before nextauth can
@@ -143,6 +144,11 @@ function getCallbacks (req, res) {
       // and returns a new object session that's returned whenever get|use[Server]Session is called
       session.user.id = token.id
 
+      // invalidate this session if session revision mismatch
+      session.user.sessionRev = token.sessionRev || 0 // if no sessionRev, set to 0, the user will have one after login
+      const sessionRev = await prisma.user.findUnique({ where: { id: session.user.id }, select: { sessionRev: true } })
+      if (session.user.sessionRev !== sessionRev?.sessionRev) return {}
+
       return session
     }
   }
diff --git a/pages/settings/index.js b/pages/settings/index.js
@@ -8,6 +8,7 @@ import { useState, useMemo } from 'react'
 import { gql, useMutation, useQuery } from '@apollo/client'
 import { getGetServerSideProps } from '@/api/ssrApollo'
 import LoginButton from '@/components/login-button'
+import LogoutObstacle from '@/components/nav/common'
 import { signIn } from 'next-auth/react'
 import { LightningAuth } from '@/components/lightning-auth'
 import { SETTINGS, SET_SETTINGS } from '@/fragments/users'
@@ -886,6 +887,7 @@ function AuthMethods ({ methods, apiKeyEnabled }) {
           )
         }
       })}
+      <InvalidateSessions />
       <ApiKey apiKey={methods.apiKey} enabled={apiKeyEnabled} />
     </>
   )
@@ -1188,3 +1190,29 @@ const TipRandomField = () => {
     </>
   )
 }
+
+const InvalidateSessions = () => {
+  const showModal = useShowModal()
+  const router = useRouter()
+
+  const [invalidateSessions] = useMutation(gql`
+    mutation invalidateSessions {
+      invalidateSessions
+    }`
+  )
+
+  return (
+    <Button
+      variant='danger'
+      onClick={async () => {
+        const { data } = await invalidateSessions()
+        if (data.invalidateSessions) {
+          // TODO: Invalidate Sessions Obstacle
+          showModal(onClose => (router.push('/')))
+        }
+      }}
+    >
+      Invalidate Sessions
+    </Button>
+  )
+}
diff --git a/prisma/migrations/20250221103652_invalidate_sessions/migration.sql b/prisma/migrations/20250221103652_invalidate_sessions/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "users" ADD COLUMN     "sessionRev" INTEGER NOT NULL DEFAULT 0;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
@@ -123,6 +123,7 @@ model User {
   mcredits                  BigInt               @default(0)
   receiveCreditsBelowSats   Int                  @default(10)
   sendCreditsBelowSats      Int                  @default(10)
+  sessionRev                Int                  @default(0)
   muters                    Mute[]               @relation("muter")
   muteds                    Mute[]               @relation("muted")
   ArcOut                    Arc[]                @relation("fromUser")

Original file line number	Diff line number	Diff line change
@@ -44,6 +44,7 @@ export default gql`
`44`	`44`	`generateApiKey(id: ID!): String`
`45`	`45`	`deleteApiKey(id: ID!): User`
`46`	`46`	`disableFreebies: Boolean`
	`47`	`+ invalidateSessions: Boolean`
`47`	`48`	`}`
`48`	`49`
`49`	`50`	`type User {`
@@ -197,6 +198,7 @@ export default gql`
`197`	`198`	`walletsUpdatedAt: Date`
`198`	`199`	`proxyReceive: Boolean`
`199`	`200`	`directReceive: Boolean`
	`201`	`+ sessionRev: Int`
`200`	`202`	`receiveCreditsBelowSats: Int!`
`201`	`203`	`sendCreditsBelowSats: Int!`
`202`	`204`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+-- AlterTable`
	`2`	`+ALTER TABLE "users" ADD COLUMN "sessionRev" INTEGER NOT NULL DEFAULT 0;`