Open
Labels
enhancement: New feature or request
Description
Implement endpoints to list and manage user sessions across multiple devices.
Endpoints
List Active Sessions
GET /api/auth/sessions
Revoke Specific Session
POST /api/auth/revoke-session/:id
Revoke All Other Sessions
POST /api/auth/revoke-all-sessions
Tasks
- Create list sessions endpoint
- Return session details with device info
- Implement revoke specific session
- Implement revoke all other sessions (keep current)
- Update session status in database
- Send notifications for revoked sessions
List Sessions Response
{
  "success": true,
  "data": {
    "sessions": [
      {
        "id": "session_uuid",
        "device_type": "mobile",
        "device_id": "device_123",
        "ip_address": "192.168.1.1",
        "user_agent": "Mozilla/5.0...",
        "last_active": "2026-01-10T12:00:00Z",
        "current": true
      },
      {
        "id": "session_uuid_2",
        "device_type": "desktop",
        "last_active": "2026-01-09T15:30:00Z",
        "current": false
      }
    ]
  }
}
Revoke Session Response
{
  "success": true,
  "message": "Session revoked successfully"
}
Business Rules
- Users can only manage their own sessions
- Current session marked with current: true
- Cannot revoke current session via revoke-all
- Send email notification when session is revoked
Use Cases
- User lost device - revoke that device's session
- Security concern - revoke all sessions and re-login
- Session management UI
Definition of Done
- All endpoints implemented
- Session listing working
- Revoke operations functional
- Notifications sent
- Tests passing
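One way to enforce the business rules above (own sessions only, revoke-all keeps the current session), as an added example that is not the project's code. `SessionStore`, its method names, the 404 response and the `revoked` field are assumptions; notifications are left out.

```javascript
// Added example: in-memory model of the issue's business rules (not project code).
// SessionStore and its method names are hypothetical; a real service would back
// this with the sessions table and take userId/currentId from the verified token.
class SessionStore {
  constructor(rows) {
    this.rows = rows.map((r) => ({ ...r, revoked_at: null }));
  }

  // GET /api/auth/sessions: only the caller's active sessions, with `current` set.
  list(userId, currentId) {
    return this.rows
      .filter((r) => r.user_id === userId && r.revoked_at === null)
      .map(({ user_id, revoked_at, ...pub }) => ({ ...pub, current: pub.id === currentId }));
  }

  // POST /api/auth/revoke-session/:id: the lookup is scoped by owner, so another
  // user's session id gets the same 404 as an unknown id (no existence oracle).
  revoke(userId, sessionId, now = new Date()) {
    const row = this.rows.find(
      (r) => r.id === sessionId && r.user_id === userId && r.revoked_at === null
    );
    if (!row) return { status: 404, success: false, message: "Session not found" };
    row.revoked_at = now.toISOString();
    return { status: 200, success: true, message: "Session revoked successfully" };
  }

  // POST /api/auth/revoke-all-sessions: revoke everything except the current session.
  revokeAllOthers(userId, currentId, now = new Date()) {
    const targets = this.rows.filter(
      (r) => r.user_id === userId && r.id !== currentId && r.revoked_at === null
    );
    for (const r of targets) r.revoked_at = now.toISOString();
    return { status: 200, success: true, revoked: targets.map((r) => r.id) };
  }
}

// Constructed sample data: two sessions for alice, one for bob.
const store = new SessionStore([
  { id: "s1", user_id: "alice", device_type: "mobile", last_active: "2026-01-10T12:00:00Z" },
  { id: "s2", user_id: "alice", device_type: "desktop", last_active: "2026-01-09T15:30:00Z" },
  { id: "s3", user_id: "bob", device_type: "desktop", last_active: "2026-01-08T09:00:00Z" },
]);
```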