WIP

apps/client/public/locales/en-US/translation.json

@@ -716,5 +716,12 @@
   "Unknown device": "Unknown device",
   "No active sessions": "No active sessions",
   "Session revoked": "Session revoked",
-  "All other sessions revoked": "All other sessions revoked"
+  "All other sessions revoked": "All other sessions revoked",
+  "Last used": "Last used",
+  "Created": "Created",
+  "Rename": "Rename",
+  "Publish": "Publish",
+  "Security": "Security",
+  "Enforce SSO": "Enforce SSO",
+  "Once enforced, members will not be able to login with email and password.": "Once enforced, members will not be able to login with email and password."
 }

apps/server/src/core/auth/auth.controller.ts

@@ -212,6 +212,7 @@ export class AuthController {
   setAuthCookie(res: FastifyReply, token: string) {
     res.setCookie('authToken', token, {
       httpOnly: true,
+      sameSite: 'lax',
       path: '/',
       expires: this.environmentService.getCookieExpiresIn(),
       secure: this.environmentService.isHttps(),

apps/server/src/core/session/session.service.ts

@@ -51,7 +51,6 @@ export class SessionService {
     const mapped = sessions.map((s) => ({
       id: s.id,
       deviceName: s.deviceName,
-      ipAddress: s.ipAddress,
       geoLocation: s.geoLocation,
       lastActiveAt: s.lastActiveAt,
       createdAt: s.createdAt,

apps/server/src/core/workspace/services/workspace.service.ts

@@ -669,13 +669,15 @@ export class WorkspaceService {
       }
     }
 
-    await this.userRepo.updateUser(
+    await executeTx(this.db, async (trx) => {
-      { deactivatedAt: new Date() },
+      await this.userRepo.updateUser(
-      userId,
+        { deactivatedAt: new Date() },
-      workspaceId,
+        userId,
-    );
+        workspaceId,
-
+        trx,
-    await this.userSessionRepo.revokeByUserId(userId, workspaceId);
+      );
+      await this.userSessionRepo.revokeByUserId(userId, workspaceId, trx);
+    });
 
     this.auditService.log({
       event: AuditEvent.USER_DEACTIVATED,
@@ -789,9 +791,9 @@ export class WorkspaceService {
       await this.watcherRepo.deleteByUserAndWorkspace(userId, workspaceId, {
         trx,
       });
-    });
 
-    await this.userSessionRepo.revokeByUserId(userId, workspaceId);
+      await this.userSessionRepo.revokeByUserId(userId, workspaceId, trx);
+    });
 
     this.auditService.log({
       event: AuditEvent.USER_DELETED,

apps/server/src/database/migrations/20260326T121350-user-sessions.ts

@@ -20,6 +20,7 @@ export async function up(db: Kysely<any>): Promise<void> {
       col.notNull().defaultTo(sql`now()`),
     )
     .addColumn('expires_at', 'timestamptz', (col) => col.notNull())
+    .addColumn('metadata', 'jsonb')
     .addColumn('revoked_at', 'timestamptz')
     .addColumn('created_at', 'timestamptz', (col) =>
       col.notNull().defaultTo(sql`now()`),

apps/server/src/database/repos/session/user-session.repo.ts

@@ -89,8 +89,10 @@ export class UserSessionRepo {
   async revokeByUserId(
     userId: string,
     workspaceId: string,
+    trx?: KyselyTransaction,
   ): Promise<void> {
-    await this.db
+    const db = dbOrTx(this.db, trx);
+    await db
       .updateTable('userSessions')
       .set({ revokedAt: new Date() })
       .where('userId', '=', userId)

apps/server/src/database/types/db.d.ts

@@ -437,6 +437,7 @@ export interface UserSessions {
   userAgent: string | null;
   ipAddress: string | null;
   geoLocation: string | null;
+  metadata: Json | null;
   lastActiveAt: Generated<Timestamp>;
   expiresAt: Timestamp;
   revokedAt: Timestamp | null;