Add session management functionality; implement SessionController for handling user sessions and API tokens, update routes and UI for session management

4msar · 4msar · commit 7d89387265fc · 2026-02-07T22:17:35.000+06:00
diff --git a/app/Http/Controllers/Api/V1/AuthController.php b/app/Http/Controllers/Api/V1/AuthController.php
@@ -31,7 +31,10 @@ public function login(Request $request)
         }
 
         $deviceName = $request->device_name ?? $request->userAgent() ?? 'api-token';
-        $token = $user->createToken($deviceName)->plainTextToken;
+        $token = $user->createToken(
+            name: $deviceName,
+            expiresAt: now()->addMinutes(config('sanctum.expiration'))
+        )->plainTextToken;
 
         return response()->json([
             'success' => true,
@@ -63,7 +66,10 @@ public function register(Request $request)
         ]);
 
         $deviceName = $request->device_name ?? $request->userAgent() ?? 'api-token';
-        $token = $user->createToken($deviceName)->plainTextToken;
+        $token = $user->createToken(
+            name: $deviceName,
+            expiresAt: now()->addMinutes(config('sanctum.expiration'))
+        )->plainTextToken;
 
         return response()->json([
             'success' => true,
@@ -122,7 +128,13 @@ public function updateProfile(Request $request)
             $validated['password'] = Hash::make($validated['password']);
         }
 
-        $user->update($validated);
+        $user->fill($validated);
+
+        if ($user->isDirty('email')) {
+            $user->email_verified_at = null;
+        }
+
+        $user->save();
 
         return response()->json([
             'success' => true,
diff --git a/app/Http/Controllers/Settings/SessionController.php b/app/Http/Controllers/Settings/SessionController.php
@@ -0,0 +1,94 @@
+<?php
+
+namespace App\Http\Controllers\Settings;
+
+use Inertia\Response;
+use Illuminate\Http\Request;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\DB;
+use App\Http\Controllers\Controller;
+use Inertia\Inertia;
+
+class SessionController extends Controller
+{
+
+    public function sessions(Request $request): Response
+    {
+        $user = $request->user();
+
+        /** --------------------
+         * Web (SPA) Sessions
+         * -------------------*/
+        $webSessions = DB::table('sessions')
+            ->where('user_id', $user->id)
+            ->orderBy('last_activity', 'desc')
+            ->get()
+            ->map(function ($session) {
+                return [
+                    'id' => $session->id,
+                    'type' => 'web',
+                    'ip_address' => $session->ip_address,
+                    'user_agent' => $session->user_agent,
+                    'last_activity' => Carbon::createFromTimestamp($session->last_activity)->diffForHumans(),
+                    'is_current' => $session->id === session()->getId(),
+                ];
+            });
+
+        /** --------------------
+         * API Token Sessions
+         * -------------------*/
+        $apiSessions = $user->tokens->map(function ($token) {
+            return [
+                'id' => $token->id,
+                'type' => 'api',
+                'name' => $token->name,
+                'last_activity' => optional($token->last_used_at)->diffForHumans() ?? 'Never',
+                'expiry' => $token->expires_at?->diffForHumans() ?? 'Never',
+                'created_at' => $token->created_at->diffForHumans(),
+            ];
+        });
+
+        return Inertia::render('settings/Sessions', [
+            'webSessions' => $webSessions,
+            'apiSessions' => $apiSessions,
+        ]);
+    }
+
+    public function revoke(Request $request)
+    {
+        $user = $request->user();
+
+        if ($request->has('clear_all')) {
+            // Revoke all sessions except current
+            DB::table('sessions')
+                ->where('user_id', $user->id)
+                ->where('id', '!=', session()->getId())
+                ->delete();
+
+            // Revoke all API tokens
+            $user->tokens()->delete();
+
+            return back()->with('status', 'All sessions revoked except current.');
+        }
+
+        $sessionId = $request->input('session_id');
+        $sessionType = $request->input('session_type');
+
+        if ($sessionType === 'web') {
+            // Revoke web session
+            DB::table('sessions')
+                ->where('user_id', $user->id)
+                ->where('id', $sessionId)
+                ->delete();
+
+            return back()->with('status', 'Web session revoked.');
+        } elseif ($sessionType === 'api') {
+            // Revoke API token
+            $user->tokens()->where('id', $sessionId)->delete();
+
+            return back()->with('status', 'API token revoked.');
+        }
+
+        return back()->with('error', 'Invalid session type.');
+    }
+}
diff --git a/config/sanctum.php b/config/sanctum.php
@@ -47,7 +47,7 @@
     |
     */
 
-    'expiration' => null,
+    'expiration' => 15 * 24 * 60, // 15 days
 
     /*
     |--------------------------------------------------------------------------
diff --git a/resources/js/layouts/settings/Layout.vue b/resources/js/layouts/settings/Layout.vue
@@ -14,6 +14,10 @@ const sidebarNavItems: NavItem[] = [
         title: 'Password',
         href: '/settings/password',
     },
+    {
+        title: 'Sessions',
+        href: '/settings/sessions',
+    },
     {
         title: 'Application',
         href: '/settings/preferences',
diff --git a/resources/js/pages/settings/Sessions.vue b/resources/js/pages/settings/Sessions.vue
@@ -0,0 +1,127 @@
+<script setup lang="ts">
+import { Head, Link } from '@inertiajs/vue3';
+
+import HeadingSmall from '@/components/shared/HeadingSmall.vue';
+import { type BreadcrumbItem } from '@/types';
+
+import Tooltip from '@/components/shared/Tooltip.vue';
+import { buttonVariants } from '@/components/ui/button';
+import AppLayout from '@/layouts/AppLayout.vue';
+import SettingsLayout from '@/layouts/settings/Layout.vue';
+import { Trash } from 'lucide-vue-next';
+
+const breadcrumbItems: BreadcrumbItem[] = [
+    {
+        title: 'Sessions',
+        href: '/settings/sessions',
+    },
+];
+
+const { webSessions, apiSessions } = defineProps<{
+    webSessions: {
+        id: number;
+        ip_address: string;
+        user_agent: string;
+        is_current: boolean;
+        last_activity: string;
+    }[];
+    apiSessions: {
+        id: number;
+        name: string;
+        expiry: string;
+        last_activity: string;
+    }[];
+}>();
+</script>
+
+<template>
+    <AppLayout :breadcrumbs="breadcrumbItems">
+        <Head title="Sessions" />
+
+        <SettingsLayout>
+            <div class="space-y-6">
+                <HeadingSmall title="Sessions" description="Manage your active login sessions" class="items-start justify-between">
+                    <Tooltip title="Logout from all sessions/tokens.">
+                        <Link
+                            :href="route('profile.sessions.revoke')"
+                            method="delete"
+                            :data="{ clear_all: 'true' }"
+                            :class="buttonVariants({ variant: 'destructive', size: 'sm' })"
+                        >
+                            <Trash class="inline h-4 w-4" />
+                        </Link>
+                    </Tooltip>
+                </HeadingSmall>
+
+                <div class="space-y-10">
+                    <!-- WEB SESSIONS -->
+                    <section>
+                        <h2 class="mb-4 text-xl font-semibold">Web Sessions</h2>
+
+                        <div v-if="!webSessions.length" class="text-gray-500">No active web sessions</div>
+
+                        <ul class="space-y-3">
+                            <li v-for="session in webSessions" :key="session.id" class="rounded border p-4">
+                                <div class="flex justify-between">
+                                    <div>
+                                        <p class="font-medium">
+                                            {{ session.ip_address }}
+                                            <span v-if="session.is_current" class="text-sm text-green-600"> (Current) </span>
+                                        </p>
+                                        <p class="text-sm text-gray-500">
+                                            {{ session.user_agent }}
+                                        </p>
+                                        <p class="text-sm text-gray-400">Active {{ session.last_activity }}</p>
+                                    </div>
+
+                                    <div v-if="!session.is_current">
+                                        <Tooltip title="Revoke or Logout">
+                                            <Link
+                                                :href="route('profile.sessions.revoke')"
+                                                method="delete"
+                                                :data="{ session_id: session.id, session_type: 'web' }"
+                                                :class="buttonVariants({ variant: 'destructive', size: 'sm' })"
+                                            >
+                                                <Trash class="inline h-4 w-4" />
+                                            </Link>
+                                        </Tooltip>
+                                    </div>
+                                </div>
+                            </li>
+                        </ul>
+                    </section>
+
+                    <!-- API SESSIONS -->
+                    <section>
+                        <h2 class="mb-4 text-xl font-semibold">API / Device Sessions</h2>
+
+                        <div v-if="!apiSessions.length" class="text-gray-500">No API tokens</div>
+
+                        <ul class="space-y-3">
+                            <li v-for="token in apiSessions" :key="token.id" class="flex justify-between rounded border p-4">
+                                <div>
+                                    <p class="font-medium">{{ token.name }}</p>
+                                    <p class="text-sm text-gray-500">Expires: {{ token.expiry }}</p>
+                                    <p class="text-sm text-gray-500">Last used: {{ token.last_activity }}</p>
+                                </div>
+
+                                <div>
+                                    <Tooltip title="Revoke or Logout">
+                                        <Link
+                                            :href="route('profile.sessions.revoke')"
+                                            method="delete"
+                                            :data="{ session_id: token.id, session_type: 'api' }"
+                                            :class="buttonVariants({ variant: 'destructive', size: 'sm' })"
+                                        >
+                                            <Trash class="inline h-4 w-4" />
+                                        </Link>
+                                    </Tooltip>
+                                </div>
+                            </li>
+                        </ul>
+                    </section>
+                </div>
+            </div>
+        </SettingsLayout>
+    </AppLayout>
+</template>
diff --git a/routes/console.php b/routes/console.php
@@ -4,30 +4,6 @@
 use Illuminate\Support\Facades\Artisan;
 use Illuminate\Support\Facades\Schedule;
 
-/**
- * Update bill statuses based on recurrence period and transactions.
- *
- * Run daily at 12:05 AM to ensure statuses are up-to-date.
- */
-Schedule::command('bills:update-statuses')
-    ->dailyAt('00:05')
-    ->runInBackground();
-
-/**
- * Send upcoming bill notifications to users.
- *
- * Run the job every minute.
- */
-$schedule = Schedule::job(SendUpcomingBillNotifications::class);
-
-if (app()->isProduction()) {
-    // In production, run daily at 6 AM to avoid spamming users
-    $schedule->everySixHours();
-} else {
-    // In development, run every minute to test notifications
-    $schedule->everyMinute();
-}
-
 Artisan::command('app:send-upcoming-bill-notifications', function () {
     $this->comment('Sending upcoming bill notifications...');
     SendUpcomingBillNotifications::dispatch();
@@ -40,7 +16,7 @@
     // Example for Bill model
     \App\Models\Bill::withoutGlobalScopes()->get()->each(function ($bill) {
         $bill->fillSlug();
-        $this->info('Updated slug for Bill: '.$bill->title.' to '.$bill->slug);
+        $this->info('Updated slug for Bill: ' . $bill->title . ' to ' . $bill->slug);
         $bill->save();
     });
 
@@ -49,9 +25,50 @@
     // Example for Team model
     \App\Models\Team::withoutGlobalScopes()->get()->each(function ($team) {
         $team->fillSlug();
-        $this->info('Updated slug for Team: '.$team->name.' to '.$team->slug);
+        $this->info('Updated slug for Team: ' . $team->name . ' to ' . $team->slug);
         $team->save();
     });
 
     $this->info('Slugs updated successfully.');
 })->describe('Update slugs for all relevant models');
+
+/**
+ * ===============================
+ * Scheduler Commands
+ * ===============================
+ */
+
+/**
+ * Send upcoming bill notifications to users.
+ *
+ * In production, consider running it less frequently (e.g., every six hours)
+ * to avoid spamming users with notifications.
+ */
+$sendUpcomingNotification = Schedule::command('app:send-upcoming-bill-notifications');
+
+if (app()->isProduction()) {
+    // In production, run every six hours to avoid spamming users
+    $sendUpcomingNotification->everySixHours();
+} else {
+    // In development, run every minute to test notifications
+    $sendUpcomingNotification->everyMinute();
+}
+$sendUpcomingNotification->runInBackground();
+
+/**
+ * Update bill statuses based on recurrence period and transactions.
+ *
+ * Run daily at 12:05 AM to ensure statuses are up-to-date.
+ */
+Schedule::command('bills:update-statuses')
+    ->dailyAt('00:05')
+    ->runInBackground();
+
+/**
+ * Clear expired API tokens to maintain security and performance.
+ *
+ * Run daily at 1:00 AM to clean up expired tokens.
+ */
+Schedule::command('sanctum:prune-expired')
+    ->dailyAt('01:00')
+    ->runInBackground();
diff --git a/routes/settings.php b/routes/settings.php
@@ -3,13 +3,16 @@
 use App\Http\Controllers\Settings\PasswordController;
 use App\Http\Controllers\Settings\PreferenceController;
 use App\Http\Controllers\Settings\ProfileController;
+use App\Http\Controllers\Settings\SessionController;
 use Illuminate\Support\Facades\Route;
 use Inertia\Inertia;
 
 Route::middleware('auth')->group(function () {
     Route::redirect('settings', '/settings/profile');
 
     Route::get('settings/profile', [ProfileController::class, 'edit'])->name('profile.edit');
+    Route::get('settings/sessions', [SessionController::class, 'sessions'])->name('profile.sessions');
+    Route::delete('settings/sessions/revoke', [SessionController::class, 'revoke'])->name('profile.sessions.revoke');
     Route::patch('settings/profile', [ProfileController::class, 'update'])->name('profile.update');
     Route::delete('settings/profile', [ProfileController::class, 'destroy'])->name('profile.destroy');
 

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@`
`47`	`47`	`\|`
`48`	`48`	`*/`
`49`	`49`
`50`		`- 'expiration' => null,`
	`50`	`+ 'expiration' => 15 * 24 * 60, // 15 days`
`51`	`51`
`52`	`52`	`/*`
`53`	`53`	`\|--------------------------------------------------------------------------`