Tie access token directly to session

We need to present them differently in the session list and prevent them
from being deleted

Author: dhh

app/controllers/concerns/authentication.rb

@@ -45,7 +45,7 @@ def require_authentication
     end
 
     def resume_session
-      if session = find_session_by_cookie || find_or_start_session_by_bearer_token
+      if session = find_session_by_cookie || find_session_by_bearer_token
         set_current_session session
       end
     end
@@ -54,7 +54,7 @@ def find_session_by_cookie
       Session.find_signed(cookies.signed[:session_token])
     end
 
-    def find_or_start_session_by_bearer_token
+    def find_session_by_bearer_token
       if request_authorized_by_bearer_token?
         Identity::AccessToken.find_by(token: authorization_bearer_token)&.session
       end

app/models/identity/access_token.rb

@@ -1,17 +1,14 @@
 class Identity::AccessToken < ApplicationRecord
   belongs_to :identity
+  belongs_to :session
 
   has_secure_token
   enum :permission, %w[ read write ].index_by(&:itself), default: :read
 
-  def session
-    identity.sessions.find_or_create_by! user_agent: session_user_agent
-  end
+  before_validation :build_session, on: :create
 
   private
-    # Overload the user_agent identification for access token session reuse.
-    # This allows us to easily reuse a single session record per access token.
-    def session_user_agent
-      "access-token-#{id}"
+    def build_session
+      self.session = identity.sessions.build(user_agent: "Access Token")
     end
 end

db/migrate/20251201132341_create_identity_access_tokens.rb

@@ -2,6 +2,7 @@ class CreateIdentityAccessTokens < ActiveRecord::Migration[8.2]
   def change
     create_table :identity_access_tokens, id: :uuid do |t|
       t.uuid :identity_id, null: false
+      t.uuid :session_id, null: false
       t.string :token
       t.string :permission
       t.text :description

db/schema.rb

@@ -315,6 +315,7 @@
     t.text "description", limit: 65535
     t.uuid "identity_id", null: false
     t.string "permission", limit: 255
+    t.uuid "session_id", null: false
     t.string "token", limit: 255
     t.datetime "updated_at", null: false
     t.index ["identity_id"], name: "index_access_token_on_identity_id"

db/schema_sqlite.rb

@@ -1,11 +1,13 @@
 jasons_api_token:
   identity: jason
+  session: jason_api
   token: 018cf1425682700098f24f0799e3fe20
   description: My Superscript
   permission: read
 
 davids_api_token:
   identity: david
+  session: david_api
   token: x18cf1425682700098f24f0799e3fe20
   description: My Superscript
   permission: write

test/fixtures/identity/access_tokens.yml

@@ -1,6 +1,9 @@
 david:
   identity: david
 
+david_api:
+  identity: david
+
 kevin:
   identity: kevin
 
@@ -9,3 +12,6 @@ jz:
 
 jason:
   identity: jason
+
+jason_api:
+  identity: jason

test/fixtures/sessions.yml

@@ -1,13 +1,8 @@
 require "test_helper"
 
 class Identity::AccessTokenTest < ActiveSupport::TestCase
-  test "only one session at the time" do
-    assert_changes -> { Session.count }, +1 do
-      identity_access_tokens(:jasons_api_token).session
-    end
-
-    assert_no_changes -> { Session.count } do
-      identity_access_tokens(:jasons_api_token).session
-    end
+  test "new access token comes with a session" do
+    access_token = identities(:david).access_tokens.create!
+    assert_equal "Access Token", identities(:david).sessions.last.user_agent
   end
 end