
feat: implement user session management with jwt and database persistence #1212

Open
wants to merge 29 commits into
base: dev

Conversation

Tha-Orakkle

Description

This PR introduces a comprehensive user session management system. It allows users to see the different devices signed into their account (including their locations) and provides a way to log out from all or specific devices.

Features

The key enhancements include:

Active Session Tracking: Each issued JWT refresh token is stored in the database with associated metadata such as user ID, device details, IP address, expires_at, and location.

Session Revocation: Users can view and selectively revoke active sessions, enabling logout from specific devices without affecting other sessions.

Enhanced Security: By maintaining a centralized session store, compromised tokens can be individually invalidated, reducing potential security risks.

Regular DB Management: Every Sunday midnight, expired and revoked tokens are removed from the db.

Related Issue (Link to issue ticket)

#1061

Motivation and Context

Implementing session management enhances user experience by providing control over active sessions and improves security by allowing precise token invalidation. This aligns with best practices for authentication systems, addressing the current limitations where JWTs are stateless and lack centralized management.

How Has This Been Tested?

The following testing strategies were employed:

  • Integration Tests: Simulated user authentication workflows to verify that session data is accurately recorded and managed.

  • Manual Testing: Performed using Postman to validate endpoints for session management, including edge cases like attempting to revoke already invalidated tokens.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
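The design described above (refresh tokens persisted with device, IP, location and expiry; per-device and all-device revocation; a periodic purge of expired and revoked rows), as an added illustration that is not code from this PR or the project. It assumes an in-memory dict standing in for the sessions table and stores only the SHA-256 digest of each refresh token, so a leaked table yields no usable tokens; the constructed timestamps and device strings in the comments are examples only.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Session:
    user_id: str
    token_hash: str  # SHA-256 of the refresh token; the raw token is never persisted
    device: str
    ip: str
    location: str
    expires_at: datetime
    revoked: bool = False

def digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    def __init__(self) -> None:
        self.rows: dict[str, Session] = {}  # stands in for the DB table (assumption), keyed by token hash

    def issue(self, user_id, device, ip, location, expires_at) -> str:
        token = secrets.token_urlsafe(32)
        self.rows[digest(token)] = Session(user_id, digest(token), device, ip, location, expires_at)
        return token  # only the client ever sees the raw token

    def validate(self, token, now):  # live Session, or None if unknown, revoked or expired
        s = self.rows.get(digest(token))
        return None if s is None or s.revoked or s.expires_at <= now else s

    def active_sessions(self, user_id, now):  # what the "signed-in devices" view lists
        return [s for s in self.rows.values()
                if s.user_id == user_id and not s.revoked and s.expires_at > now]

    def revoke(self, user_id, h) -> bool:  # log out one device; scoped to the owner
        s = self.rows.get(h)
        if s is None or s.user_id != user_id or s.revoked:
            return False  # unknown, another user's, or already revoked: idempotent no-op
        s.revoked = True
        return True

    def revoke_all(self, user_id, now) -> int:  # log out every device; returns how many
        return sum(self.revoke(user_id, s.token_hash) for s in self.active_sessions(user_id, now))

    def purge(self, now) -> int:  # the weekly job: drop expired and revoked rows
        dead = [h for h, s in self.rows.items() if s.revoked or s.expires_at <= now]
        for h in dead:
            del self.rows[h]
        return len(dead)
```

Revoking an already-revoked or foreign session returns False rather than raising, which is the behaviour the endpoint needs for the "revoke an already invalidated token" edge case.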

Contributor

@samuelogboye samuelogboye left a comment


Ensure comprehensive testing of the session management system, especially edge cases like concurrent session access and token revocation.
Then make sure all tests are passing (currently the CI is failing).

@Tha-Orakkle Tha-Orakkle force-pushed the feat/user-session-mgt branch from 458ddad to b21aa38 Compare March 2, 2025 19:28
@Tha-Orakkle Tha-Orakkle force-pushed the feat/user-session-mgt branch from 183bb75 to 2940aa4 Compare March 3, 2025 00:45
@Tha-Orakkle
Author

I have refactored the get_session_schema_data to function asynchronously to prevent latency.
Tests have been created for the different endpoints.
