add: implement logout endpoint and session revocation logic

YuriFontella · YuriFontella · commit 46dbdb1d65c6 · 2025-12-30T10:02:01.000-03:00
diff --git a/src/domain/users/controllers.py b/src/domain/users/controllers.py
@@ -1,10 +1,11 @@
 from typing import Dict
 
-from litestar import Controller, Request, post, get
+from litestar import Controller, Request, Response, post, get
 from litestar.di import Provide
 from litestar.channels import ChannelsPlugin
 from litestar.exceptions import HTTPException
 from litestar.params import Parameter
+from litestar.datastructures import Cookie
 
 from src.server.auth import AuthenticationMiddleware
 
@@ -108,3 +109,42 @@ async def users_data(self, current_user: Dict) -> User:
             role=current_user["role"],
             status=current_user["status"],
         )
+
+    @post(path="/logout", middleware=[AuthenticationMiddleware])
+    async def logout(
+        self, request: Request, current_user: Dict, users_service: UsersService
+    ) -> Response[bool]:
+        auth = request.auth
+        access_token = auth.get("access_token") if auth else None
+
+        if access_token and current_user.get("uuid"):
+            await users_service.revoke_current_session(
+                user_uuid=str(current_user["uuid"]), access_token=access_token
+            )
+
+        response = Response(
+            content=True,
+            cookies=[
+                Cookie(
+                    key="x-access-token",
+                    value=None,
+                    httponly=True,
+                    secure=False,
+                    samesite="strict",
+                    max_age=0,
+                    expires=0,
+                    path="/",
+                ),
+                Cookie(
+                    key="x-refresh-token",
+                    value=None,
+                    httponly=True,
+                    secure=False,
+                    samesite="strict",
+                    max_age=0,
+                    expires=0,
+                    path="/",
+                ),
+            ],
+        )
+        return response
diff --git a/src/domain/users/repositories/session.py b/src/domain/users/repositories/session.py
@@ -34,13 +34,32 @@ async def get_by_refresh_token(self, refresh_token: str) -> Optional[dict]:
         """
         return await self.connection.fetchrow(query, refresh_token)
 
+    async def get_by_user_and_access_token(
+        self, user_uuid: str, access_token: str
+    ) -> Optional[dict]:
+        query = """
+            SELECT uuid, user_uuid, access_token, refresh_token, revoked
+            FROM sessions
+            WHERE user_uuid = $1 AND access_token = $2 AND revoked = false
+        """
+        return await self.connection.fetchrow(query, user_uuid, access_token)
+
     async def revoke_session(self, session_uuid: UUID) -> bool:
         query = """
             UPDATE sessions SET revoked = true WHERE uuid = $1
         """
         await self.connection.execute(query, str(session_uuid))
         return True
 
+    async def revoke_user_sessions(self, user_uuid: UUID) -> bool:
+        """Revoga todas as sessões ativas de um usuário"""
+        query = """
+            UPDATE sessions SET revoked = true 
+            WHERE user_uuid = $1 AND revoked = false
+        """
+        await self.connection.execute(query, str(user_uuid))
+        return True
+
     async def update_access_token(
         self,
         session_uuid: str,
diff --git a/src/domain/users/services.py b/src/domain/users/services.py
@@ -86,6 +86,9 @@ async def authenticate(
             self.settings.app.PBKDF2_ITERATIONS,
         )
 
+        # Revoke all active sessions for this user before creating a new one
+        await self.session_repository.revoke_user_sessions(user_uuid)
+
         session = await self.session_repository.create(
             access_token=access_token_hash.hex(),
             refresh_token=refresh_token_hash.hex(),
@@ -202,3 +205,25 @@ async def refresh_access_token(
             raise ValueError("Refresh token expired")
         except jwt.PyJWTError:
             raise ValueError("Invalid refresh token format")
+
+    async def revoke_current_session(self, user_uuid: str, access_token: str) -> bool:
+        """Revokes the current session by user_uuid and access_token"""
+        # Hash the access token to match the stored hash
+        salt = self.settings.app.SESSION_SALT
+        access_token_hash = hashlib.pbkdf2_hmac(
+            self.settings.app.PBKDF2_ALGORITHM,
+            access_token.encode(),
+            salt.encode(),
+            self.settings.app.PBKDF2_ITERATIONS,
+        )
+
+        # Get the session by user_uuid and access_token
+        session = await self.session_repository.get_by_user_and_access_token(
+            user_uuid=user_uuid, access_token=access_token_hash.hex()
+        )
+
+        if not session:
+            raise ValueError("Session not found")
+
+        # Revoke the session
+        return await self.session_repository.revoke_session(session["uuid"])
diff --git a/src/server/auth.py b/src/server/auth.py
@@ -41,6 +41,8 @@ async def authenticate_request(
                     select u.uuid, u.name, u.email, u.role, u.status from users u
                     join sessions s on u.uuid = s.user_uuid
                     where u.uuid = $1 and s.access_token = $2 and s.revoked = false and u.status = true
+                    order by s.created_at desc
+                    limit 1
                 """
                 user = await conn.fetchrow(query, user_uuid, access_token.hex())
 
