user session management

2026-05-07 14:43:06 +08:00 · 2026-03-26 00:21:59 +00:00
parent 9125996e97
commit c6d2f0c6cc
29 changed files with 788 additions and 21 deletions
@@ -66,6 +66,7 @@
    "ai": "^6.0.134",
    "ai-sdk-ollama": "^3.8.1",
    "bcrypt": "^6.0.0",
+    "bowser": "^2.14.1",
    "bullmq": "^5.71.0",
    "cache-manager": "^7.2.8",
    "cheerio": "^1.2.0",
@@ -7,6 +7,7 @@ export interface AuditContext {
  actorId: string | null;
  actorType: 'user' | 'system' | 'api_key';
  ipAddress: string | null;
+  userAgent: string | null;
 }

 export const AUDIT_CONTEXT_KEY = 'auditContext';
@@ -19,11 +20,15 @@ export class AuditContextMiddleware implements NestMiddleware {
    const workspaceId = (req as any).workspaceId ?? null;
    const ipAddress = this.extractIpAddress(req);

+    const userAgent =
+      (req.headers['user-agent'] as string) ?? null;
+
    const auditContext: AuditContext = {
      workspaceId,
      actorId: null,
      actorType: 'user',
      ipAddress,
+      userAgent,
    };

    this.cls.set(AUDIT_CONTEXT_KEY, auditContext);
@@ -5,12 +5,14 @@ import {
  HttpStatus,
  Inject,
  Post,
+  Req,
  Res,
  UseGuards,
  Logger,
 } from '@nestjs/common';
 import { LoginDto } from './dto/login.dto';
 import { AuthService } from './services/auth.service';
+import { SessionService } from '../session/session.service';
 import { SetupGuard } from './guards/setup.guard';
 import { EnvironmentService } from '../../integrations/environment/environment.service';
 import { CreateAdminUserDto } from './dto/create-admin-user.dto';
@@ -22,7 +24,7 @@ import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
 import { ForgotPasswordDto } from './dto/forgot-password.dto';
 import { PasswordResetDto } from './dto/password-reset.dto';
 import { VerifyUserTokenDto } from './dto/verify-user-token.dto';
-import { FastifyReply } from 'fastify';
+import { FastifyReply, FastifyRequest } from 'fastify';
 import { validateSsoEnforcement } from './auth.util';
 import { ModuleRef } from '@nestjs/core';
 import { AuditEvent, AuditResource } from '../../common/events/audit-events';
@@ -37,6 +39,7 @@ export class AuthController {

  constructor(
    private authService: AuthService,
+    private sessionService: SessionService,
    private environmentService: EnvironmentService,
    private moduleRef: ModuleRef,
    @Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
@@ -115,8 +118,15 @@ export class AuthController {
    @Body() dto: ChangePasswordDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
+    @Req() req: FastifyRequest,
  ) {
-    return this.authService.changePassword(dto, user.id, workspace.id);
+    const currentSessionId = (req.raw as any).sessionId;
+    return this.authService.changePassword(
+      dto,
+      user.id,
+      workspace.id,
+      currentSessionId,
+    );
  }

  @HttpCode(HttpStatus.OK)
@@ -178,8 +188,18 @@ export class AuthController {
  @Post('logout')
  async logout(
    @AuthUser() user: User,
+    @Req() req: FastifyRequest,
    @Res({ passthrough: true }) res: FastifyReply,
  ) {
+    const sessionId = (req.raw as any).sessionId;
+    if (sessionId) {
+      await this.sessionService.revokeSession(
+        sessionId,
+        user.id,
+        user.workspaceId,
+      );
+    }
+
    res.clearCookie('authToken');

    this.auditService.log({
@@ -11,6 +11,7 @@ export type JwtPayload = {
  email: string;
  workspaceId: string;
  type: 'access';
+  sessionId?: string;
 };

 export type JwtCollabPayload = {
@@ -8,6 +8,8 @@ import {
 import { LoginDto } from '../dto/login.dto';
 import { CreateUserDto } from '../dto/create-user.dto';
 import { TokenService } from './token.service';
+import { SessionService } from '../../session/session.service';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
 import { SignupService } from './signup.service';
 import { CreateAdminUserDto } from '../dto/create-admin-user.dto';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
@@ -44,6 +46,8 @@ export class AuthService {
  constructor(
    private signupService: SignupService,
    private tokenService: TokenService,
+    private sessionService: SessionService,
+    private userSessionRepo: UserSessionRepo,
    private userRepo: UserRepo,
    private userTokenRepo: UserTokenRepo,
    private mailService: MailService,
@@ -90,19 +94,19 @@ export class AuthService {
      metadata: { source: 'password' },
    });

-    return this.tokenService.generateAccessToken(user);
+    return this.sessionService.createSessionAndToken(user);
  }

  async register(createUserDto: CreateUserDto, workspaceId: string) {
    const user = await this.signupService.signup(createUserDto, workspaceId);
-    return this.tokenService.generateAccessToken(user);
+    return this.sessionService.createSessionAndToken(user);
  }

  async setup(createAdminUserDto: CreateAdminUserDto) {
    const { workspace, user } =
      await this.signupService.initialSetup(createAdminUserDto);

-    const authToken = await this.tokenService.generateAccessToken(user);
+    const authToken = await this.sessionService.createSessionAndToken(user);
    return { workspace, authToken };
  }

@@ -110,6 +114,7 @@ export class AuthService {
    dto: ChangePasswordDto,
    userId: string,
    workspaceId: string,
+    currentSessionId?: string,
  ): Promise<void> {
    const user = await this.userRepo.findById(userId, workspaceId, {
      includePassword: true,
@@ -138,6 +143,16 @@ export class AuthService {
      workspaceId,
    );

+    if (currentSessionId) {
+      await this.userSessionRepo.deleteAllExceptCurrent(
+        currentSessionId,
+        userId,
+        workspaceId,
+      );
+    } else {
+      await this.userSessionRepo.deleteByUserId(userId, workspaceId);
+    }
+
    this.auditService.log({
      event: AuditEvent.USER_PASSWORD_CHANGED,
      resourceType: AuditResource.USER,
@@ -244,6 +259,8 @@ export class AuthService {
        .execute();
    });

+    await this.userSessionRepo.deleteByUserId(user.id, workspace.id);
+
    this.auditService.setActorId(user.id);
    this.auditService.log({
      event: AuditEvent.USER_PASSWORD_RESET,
@@ -276,7 +293,7 @@ export class AuthService {
      };
    }

-    const authToken = await this.tokenService.generateAccessToken(user);
+    const authToken = await this.sessionService.createSessionAndToken(user);
    return { authToken };
  }

@@ -25,7 +25,7 @@ export class TokenService {
    private environmentService: EnvironmentService,
  ) {}

-  async generateAccessToken(user: User): Promise<string> {
+  async generateAccessToken(user: User, sessionId: string): Promise<string> {
    if (isUserDisabled(user)) {
      throw new ForbiddenException();
    }
@@ -35,6 +35,7 @@ export class TokenService {
      email: user.email,
      workspaceId: user.workspaceId,
      type: JwtType.ACCESS,
+      sessionId,
    };
    return this.jwtService.sign(payload);
  }
@@ -5,6 +5,8 @@ import { EnvironmentService } from '../../../integrations/environment/environmen
 import { JwtApiKeyPayload, JwtPayload, JwtType } from '../dto/jwt-payload';
 import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
+import { SessionActivityService } from '../../session/session-activity.service';
 import { FastifyRequest } from 'fastify';
 import { extractBearerTokenFromHeader, isUserDisabled } from '../../../common/helpers';
 import { ModuleRef } from '@nestjs/core';
@@ -16,6 +18,8 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
  constructor(
    private userRepo: UserRepo,
    private workspaceRepo: WorkspaceRepo,
+    private userSessionRepo: UserSessionRepo,
+    private sessionActivityService: SessionActivityService,
    private readonly environmentService: EnvironmentService,
    private moduleRef: ModuleRef,
  ) {
@@ -57,6 +61,16 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
      throw new UnauthorizedException();
    }

+    if ((payload as JwtPayload).sessionId) {
+      const sessionId = (payload as JwtPayload).sessionId;
+      const session = await this.userSessionRepo.findActiveById(sessionId);
+      if (!session || session.userId !== payload.sub || session.workspaceId !== payload.workspaceId) {
+        throw new UnauthorizedException('Session revoked');
+      }
+      req.raw.sessionId = sessionId;
+      this.sessionActivityService.trackActivity(sessionId, payload.sub, payload.workspaceId);
+    }
+
    return { user, workspace };
  }

@@ -20,6 +20,7 @@ import { AuditContextMiddleware } from '../common/middlewares/audit-context.midd
 import { ShareModule } from './share/share.module';
 import { NotificationModule } from './notification/notification.module';
 import { WatcherModule } from './watcher/watcher.module';
+import { SessionModule } from './session/session.module';
 import { ClsMiddleware } from 'nestjs-cls';

@Module({
@@ -38,6 +39,7 @@ import { ClsMiddleware } from 'nestjs-cls';
    ShareModule,
    NotificationModule,
    WatcherModule,
+    SessionModule,
  ],
 })
 export class CoreModule implements NestModule {
@@ -0,0 +1,7 @@
+import { IsNotEmpty, IsUUID } from 'class-validator';
+
+export class RevokeSessionDto {
+  @IsUUID()
+  @IsNotEmpty()
+  sessionId: string;
+}
@@ -0,0 +1,36 @@
+import { Injectable } from '@nestjs/common';
+import { RedisService } from '@nestjs-labs/nestjs-ioredis';
+import type { Redis } from 'ioredis';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
+import { UserRepo } from '@docmost/db/repos/user/user.repo';
+
+const THROTTLE_SECONDS = 15 * 60; // 15 minutes
+
+@Injectable()
+export class SessionActivityService {
+  private readonly redis: Redis;
+
+  constructor(
+    private readonly redisService: RedisService,
+    private readonly userSessionRepo: UserSessionRepo,
+    private readonly userRepo: UserRepo,
+  ) {
+    this.redis = this.redisService.getOrThrow();
+  }
+
+  trackActivity(sessionId: string, userId: string, workspaceId: string): void {
+    const key = `session:activity:${sessionId}`;
+
+    this.redis
+      .set(key, '1', 'EX', THROTTLE_SECONDS, 'NX')
+      .then((result) => {
+        if (result === null) return; // key already exists, throttled
+
+        this.userSessionRepo.updateLastActiveAt(sessionId).catch(() => {});
+        this.userRepo
+          .updateUser({ lastActiveAt: new Date() }, userId, workspaceId)
+          .catch(() => {});
+      })
+      .catch(() => {});
+  }
+}
@@ -0,0 +1,80 @@
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  HttpCode,
+  HttpStatus,
+  Post,
+  Req,
+  UseGuards,
+} from '@nestjs/common';
+import { SessionService } from './session.service';
+import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
+import { AuthUser } from '../../common/decorators/auth-user.decorator';
+import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator';
+import { User, Workspace } from '@docmost/db/types/entity.types';
+import { RevokeSessionDto } from './dto/revoke-session.dto';
+import { FastifyRequest } from 'fastify';
+
+@UseGuards(JwtAuthGuard)
+@Controller('sessions')
+export class SessionController {
+  constructor(private readonly sessionService: SessionService) {}
+
+  @HttpCode(HttpStatus.OK)
+  @Post()
+  async listSessions(
+    @AuthUser() user: User,
+    @AuthWorkspace() workspace: Workspace,
+    @Req() req: FastifyRequest,
+  ) {
+    const currentSessionId = (req.raw as any).sessionId ?? null;
+    const sessions = await this.sessionService.getActiveSessions(
+      user.id,
+      workspace.id,
+      currentSessionId,
+    );
+    return { sessions };
+  }
+
+  @HttpCode(HttpStatus.OK)
+  @Post('revoke')
+  async revokeSession(
+    @Body() dto: RevokeSessionDto,
+    @AuthUser() user: User,
+    @AuthWorkspace() workspace: Workspace,
+    @Req() req: FastifyRequest,
+  ) {
+    const currentSessionId = (req.raw as any).sessionId;
+    if (dto.sessionId === currentSessionId) {
+      throw new BadRequestException(
+        'Cannot revoke current session. Use logout instead.',
+      );
+    }
+    await this.sessionService.revokeSession(
+      dto.sessionId,
+      user.id,
+      workspace.id,
+    );
+  }
+
+  @HttpCode(HttpStatus.OK)
+  @Post('revoke-all')
+  async revokeAllSessions(
+    @AuthUser() user: User,
+    @AuthWorkspace() workspace: Workspace,
+    @Req() req: FastifyRequest,
+  ) {
+    const currentSessionId = (req.raw as any).sessionId;
+    if (!currentSessionId) {
+      throw new BadRequestException(
+        'Current session not found. Please log in again.',
+      );
+    }
+    await this.sessionService.revokeAllOtherSessions(
+      currentSessionId,
+      user.id,
+      workspace.id,
+    );
+  }
+}
@@ -0,0 +1,14 @@
+import { Global, Module } from '@nestjs/common';
+import { SessionService } from './session.service';
+import { SessionActivityService } from './session-activity.service';
+import { SessionController } from './session.controller';
+import { TokenModule } from '../auth/token.module';
+
+@Global()
+@Module({
+  imports: [TokenModule],
+  controllers: [SessionController],
+  providers: [SessionService, SessionActivityService],
+  exports: [SessionService, SessionActivityService],
+})
+export class SessionModule {}
@@ -0,0 +1,111 @@
+import { Injectable } from '@nestjs/common';
+import { TokenService } from '../auth/services/token.service';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
+import { EnvironmentService } from '../../integrations/environment/environment.service';
+import { User } from '@docmost/db/types/entity.types';
+import { ClsService } from 'nestjs-cls';
+import {
+  AuditContext,
+  AUDIT_CONTEXT_KEY,
+} from '../../common/middlewares/audit-context.middleware';
+import * as Bowser from 'bowser';
+
+@Injectable()
+export class SessionService {
+  constructor(
+    private readonly tokenService: TokenService,
+    private readonly userSessionRepo: UserSessionRepo,
+    private readonly environmentService: EnvironmentService,
+    private readonly cls: ClsService,
+  ) {}
+
+  async createSessionAndToken(user: User): Promise<string> {
+    const auditContext = this.cls.get<AuditContext>(AUDIT_CONTEXT_KEY);
+    const ipAddress = auditContext?.ipAddress ?? null;
+    const userAgent = auditContext?.userAgent ?? null;
+
+    const deviceName = this.parseDeviceName(userAgent);
+    const expiresAt = this.environmentService.getCookieExpiresIn();
+
+    const session = await this.userSessionRepo.insertSession({
+      userId: user.id,
+      workspaceId: user.workspaceId,
+      deviceName,
+      ipAddress,
+      expiresAt,
+    });
+
+    return this.tokenService.generateAccessToken(user, session.id);
+  }
+
+  async getActiveSessions(
+    userId: string,
+    workspaceId: string,
+    currentSessionId: string | null,
+  ) {
+    const sessions = await this.userSessionRepo.findActiveByUser(
+      userId,
+      workspaceId,
+    );
+
+    const mapped = sessions.map((s) => ({
+      id: s.id,
+      deviceName: s.deviceName,
+      ipAddress: s.ipAddress,
+      geoLocation: s.geoLocation,
+      lastActiveAt: s.lastActiveAt,
+      createdAt: s.createdAt,
+      isCurrent: s.id === currentSessionId,
+    }));
+
+    return mapped.sort((a, b) => {
+      if (a.isCurrent) return -1;
+      if (b.isCurrent) return 1;
+      return 0;
+    });
+  }
+
+  async revokeSession(
+    sessionId: string,
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.userSessionRepo.revokeById(sessionId, userId, workspaceId);
+  }
+
+  async revokeAllOtherSessions(
+    currentSessionId: string,
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.userSessionRepo.revokeAllExceptCurrent(
+      currentSessionId,
+      userId,
+      workspaceId,
+    );
+  }
+
+  private parseDeviceName(userAgent: string | null): string | null {
+    if (!userAgent) return null;
+
+    try {
+      const parsed = Bowser.parse(userAgent);
+
+      const os = parsed.os?.name;
+      const browser = parsed.browser?.name;
+      const platformType = parsed.platform?.type;
+
+      if (platformType === 'mobile' || platformType === 'tablet') {
+        return parsed.platform?.model || os || 'Mobile Device';
+      }
+
+      if (os) {
+        return browser ? `${browser} on ${os}` : os;
+      }
+
+      return browser || null;
+    } catch {
+      return null;
+    }
+  }
+}
@@ -22,6 +22,7 @@ import InvitationEmail from '@docmost/transactional/emails/invitation-email';
 import { GroupUserRepo } from '@docmost/db/repos/group/group-user.repo';
 import InvitationAcceptedEmail from '@docmost/transactional/emails/invitation-accepted-email';
 import { TokenService } from '../../auth/services/token.service';
+import { SessionService } from '../../session/session.service';
 import { nanoIdGen } from '../../../common/helpers';
 import { PaginationOptions } from '@docmost/db/pagination/pagination-options';
 import { executeWithCursorPagination } from '@docmost/db/pagination/cursor-pagination';
@@ -49,6 +50,7 @@ export class WorkspaceInvitationService {
    private mailService: MailService,
    private domainService: DomainService,
    private tokenService: TokenService,
+    private sessionService: SessionService,
    @InjectKysely() private readonly db: KyselyDB,
    @InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
    private readonly environmentService: EnvironmentService,
@@ -350,7 +352,7 @@ export class WorkspaceInvitationService {
      };
    }

-    const authToken = await this.tokenService.generateAccessToken(newUser);
+    const authToken = await this.sessionService.createSessionAndToken(newUser);
    return { authToken };
  }

@@ -7,6 +7,7 @@ import {
  NotFoundException,
 } from '@nestjs/common';
 import { LicenseCheckService } from '../../../integrations/environment/license-check.service';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
 import { CreateWorkspaceDto } from '../dto/create-workspace.dto';
 import { UpdateWorkspaceDto } from '../dto/update-workspace.dto';
 import { SpaceService } from '../../space/services/space.service';
@@ -67,6 +68,7 @@ export class WorkspaceService {
    @InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
    @InjectQueue(QueueName.AI_QUEUE) private aiQueue: Queue,
    @Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
+    private userSessionRepo: UserSessionRepo,
  ) {}

  async findById(workspaceId: string) {
@@ -673,6 +675,8 @@ export class WorkspaceService {
      workspaceId,
    );

+    await this.userSessionRepo.revokeByUserId(userId, workspaceId);
+
    this.auditService.log({
      event: AuditEvent.USER_DEACTIVATED,
      resourceType: AuditResource.USER,
@@ -787,6 +791,8 @@ export class WorkspaceService {
      });
    });

+    await this.userSessionRepo.revokeByUserId(userId, workspaceId);
+
    this.auditService.log({
      event: AuditEvent.USER_DELETED,
      resourceType: AuditResource.USER,
@@ -17,6 +17,7 @@ import { KyselyDB } from '@docmost/db/types/kysely.types';
 import * as process from 'node:process';
 import { MigrationService } from '@docmost/db/services/migration.service';
 import { UserTokenRepo } from './repos/user-token/user-token.repo';
+import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
 import { BacklinkRepo } from '@docmost/db/repos/backlink/backlink.repo';
 import { ShareRepo } from '@docmost/db/repos/share/share.repo';
 import { NotificationRepo } from '@docmost/db/repos/notification/notification.repo';
@@ -76,6 +77,7 @@ import { normalizePostgresUrl } from '../common/helpers';
    CommentRepo,
    AttachmentRepo,
    UserTokenRepo,
+    UserSessionRepo,
    BacklinkRepo,
    ShareRepo,
    NotificationRepo,
@@ -95,6 +97,7 @@ import { normalizePostgresUrl } from '../common/helpers';
    CommentRepo,
    AttachmentRepo,
    UserTokenRepo,
+    UserSessionRepo,
    BacklinkRepo,
    ShareRepo,
    NotificationRepo,
@@ -0,0 +1,44 @@
+import { Kysely, sql } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .createTable('user_sessions')
+    .addColumn('id', 'uuid', (col) =>
+      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
+    )
+    .addColumn('user_id', 'uuid', (col) =>
+      col.notNull().references('users.id').onDelete('cascade'),
+    )
+    .addColumn('workspace_id', 'uuid', (col) =>
+      col.notNull().references('workspaces.id').onDelete('cascade'),
+    )
+    .addColumn('device_name', 'varchar')
+    .addColumn('user_agent', 'text')
+    .addColumn('ip_address', sql`inet`)
+    .addColumn('geo_location', 'varchar')
+    .addColumn('last_active_at', 'timestamptz', (col) =>
+      col.notNull().defaultTo(sql`now()`),
+    )
+    .addColumn('expires_at', 'timestamptz', (col) => col.notNull())
+    .addColumn('revoked_at', 'timestamptz')
+    .addColumn('created_at', 'timestamptz', (col) =>
+      col.notNull().defaultTo(sql`now()`),
+    )
+    .execute();
+
+  await db.schema
+    .createIndex('idx_user_sessions_user_workspace')
+    .on('user_sessions')
+    .columns(['user_id', 'workspace_id'])
+    .execute();
+
+  await db.schema
+    .createIndex('idx_user_sessions_expires_at')
+    .on('user_sessions')
+    .column('expires_at')
+    .execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable('user_sessions').execute();
+}
@@ -0,0 +1,125 @@
+import {
+  InsertableUserSession,
+  UserSession,
+} from '@docmost/db/types/entity.types';
+import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
+import { dbOrTx } from '@docmost/db/utils';
+import { Injectable } from '@nestjs/common';
+import { InjectKysely } from 'nestjs-kysely';
+
+@Injectable()
+export class UserSessionRepo {
+  constructor(@InjectKysely() private readonly db: KyselyDB) {}
+
+  async insertSession(
+    session: InsertableUserSession,
+    trx?: KyselyTransaction,
+  ): Promise<UserSession> {
+    const db = dbOrTx(this.db, trx);
+    return db
+      .insertInto('userSessions')
+      .values(session)
+      .returningAll()
+      .executeTakeFirstOrThrow();
+  }
+
+  async findActiveById(id: string): Promise<UserSession | undefined> {
+    return this.db
+      .selectFrom('userSessions')
+      .selectAll()
+      .where('id', '=', id)
+      .where('expiresAt', '>', new Date())
+      .where('revokedAt', 'is', null)
+      .executeTakeFirst();
+  }
+
+  async findActiveByUser(
+    userId: string,
+    workspaceId: string,
+  ): Promise<UserSession[]> {
+    return this.db
+      .selectFrom('userSessions')
+      .selectAll()
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .where('expiresAt', '>', new Date())
+      .where('revokedAt', 'is', null)
+      .orderBy('lastActiveAt', 'desc')
+      .execute();
+  }
+
+  async updateLastActiveAt(id: string): Promise<void> {
+    await this.db
+      .updateTable('userSessions')
+      .set({ lastActiveAt: new Date() })
+      .where('id', '=', id)
+      .execute();
+  }
+
+  async revokeById(
+    id: string,
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.db
+      .updateTable('userSessions')
+      .set({ revokedAt: new Date() })
+      .where('id', '=', id)
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .where('revokedAt', 'is', null)
+      .execute();
+  }
+
+  async revokeAllExceptCurrent(
+    currentSessionId: string,
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.db
+      .updateTable('userSessions')
+      .set({ revokedAt: new Date() })
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .where('id', '!=', currentSessionId)
+      .where('revokedAt', 'is', null)
+      .execute();
+  }
+
+  async revokeByUserId(
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.db
+      .updateTable('userSessions')
+      .set({ revokedAt: new Date() })
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .where('revokedAt', 'is', null)
+      .execute();
+  }
+
+  async deleteByUserId(
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.db
+      .deleteFrom('userSessions')
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .execute();
+  }
+
+  async deleteAllExceptCurrent(
+    currentSessionId: string,
+    userId: string,
+    workspaceId: string,
+  ): Promise<void> {
+    await this.db
+      .deleteFrom('userSessions')
+      .where('userId', '=', userId)
+      .where('workspaceId', '=', workspaceId)
+      .where('id', '!=', currentSessionId)
+      .execute();
+  }
+}
@@ -429,6 +429,20 @@ export interface PagePermissions {
  updatedAt: Generated<Timestamp>;
 }

+export interface UserSessions {
+  id: Generated<string>;
+  userId: string;
+  workspaceId: string;
+  deviceName: string | null;
+  userAgent: string | null;
+  ipAddress: string | null;
+  geoLocation: string | null;
+  lastActiveAt: Generated<Timestamp>;
+  expiresAt: Timestamp;
+  revokedAt: Timestamp | null;
+  createdAt: Generated<Timestamp>;
+}
+
 export interface DB {
  apiKeys: ApiKeys;
  attachments: Attachments;
@@ -451,6 +465,7 @@ export interface DB {
  spaces: Spaces;
  userMfa: UserMfa;
  users: Users;
+  userSessions: UserSessions;
  userTokens: UserTokens;
  watchers: Watchers;
  workspaceInvitations: WorkspaceInvitations;
@@ -22,6 +22,7 @@ import {
  Shares,
  FileTasks,
  UserMfa as _UserMFA,
+  UserSessions,
  ApiKeys,
  Watchers,
  Audit as _Audit,
@@ -157,6 +158,11 @@ export type PagePermission = Selectable<_PagePermissions>;
 export type InsertablePagePermission = Insertable<_PagePermissions>;
 export type UpdatablePagePermission = Updateable<Omit<_PagePermissions, 'id'>>;

+// User Session
+export type UserSession = Selectable<UserSessions>;
+export type InsertableUserSession = Insertable<UserSessions>;
+export type UpdatableUserSession = Updateable<Omit<UserSessions, 'id'>>;
+
 // Audit
 export type Audit = Selectable<_Audit>;
 export type InsertableAudit = Insertable<_Audit>;