Introduce session tracking via Redis sets and limit user sessions

- Replace single session storage with Redis sets to manage multiple sessions per user.
- Enforce a maximum of 5 active sessions per user; remove oldest session when the limit is exceeded.
- Add helper function `_build_analysis_response` for consistent API response formatting.
- Introduce endpoint to fetch the latest analysis by symbol (`/api/detail/by-symbol/{symbol}`).
- Update frontend to use symbol-based lookups for stock and coin analysis, ensuring retrieval of the latest data.

Author: robin-watcha

app/auth/web_router.py

@@ -1,6 +1,5 @@
 """Web authentication router with HTML pages and session management."""
 import hashlib
-import hmac
 import json
 import logging
 import string
@@ -42,6 +41,7 @@
 SESSION_COOKIE_NAME = "session"
 SESSION_TTL = 60 * 60 * 24 * 7  # 7 days
 USER_CACHE_TTL = 300  # 5 minutes
+MAX_SESSIONS_PER_USER = 5
 SESSION_HASH_KEY_PREFIX = "user_session"
 USER_CACHE_KEY_PREFIX = "user_cache"
 
@@ -151,31 +151,26 @@ async def get_current_user_from_session(
             settings.get_redis_url(),
             decode_responses=True,
         )
-        stored_session_hash = await redis_client.get(session_hash_key)
-        if stored_session_hash:
-            if not hmac.compare_digest(stored_session_hash, session_hash):
-                return None
-
-            session_hash_verified = True
-
-            cached_user = await redis_client.get(user_cache_key)
-
-            if cached_user:
-                user_data = json.loads(cached_user)
-                user = User(
-                    id=user_data["id"],
-                    username=user_data["username"],
-                    email=user_data["email"],
-                    role=UserRole[user_data["role"]],
-                    is_active=user_data["is_active"],
-                    hashed_password=user_data.get("hashed_password"),
-                )
-                if user.is_active:
-                    return user
-                return None
-        elif settings.ENVIRONMENT != "production":
-            redis_error = True
-        else:
+        is_member = await redis_client.sismember(session_hash_key, session_hash)
+        if not is_member:
+            return None
+
+        session_hash_verified = True
+
+        cached_user = await redis_client.get(user_cache_key)
+
+        if cached_user:
+            user_data = json.loads(cached_user)
+            user = User(
+                id=user_data["id"],
+                username=user_data["username"],
+                email=user_data["email"],
+                role=UserRole[user_data["role"]],
+                is_active=user_data["is_active"],
+                hashed_password=user_data.get("hashed_password"),
+            )
+            if user.is_active:
+                return user
             return None
     except Exception:
         redis_error = True
@@ -212,9 +207,8 @@ async def get_current_user_from_session(
             await redis_client.set(
                 user_cache_key, json.dumps(user_data), ex=USER_CACHE_TTL
             )
-            await redis_client.set(
-                session_hash_key, session_hash, ex=SESSION_TTL
-            )
+            await redis_client.sadd(session_hash_key, session_hash)
+            await redis_client.expire(session_hash_key, SESSION_TTL)
         except Exception:
             logger.warning(
                 "Failed to refresh session cache for user_id=%s",
@@ -376,6 +370,7 @@ async def login(
             settings.get_redis_url(),
             decode_responses=True,
         )
+        session_hash_key = _session_hash_key(user.id)
         user_data = {
             "id": user.id,
             "username": user.username,
@@ -384,9 +379,11 @@ async def login(
             "is_active": user.is_active,
             "hashed_password": user.hashed_password,
         }
-        await redis_client.set(
-            _session_hash_key(user.id), session_hash, ex=SESSION_TTL
-        )
+        session_count = await redis_client.scard(session_hash_key)
+        if session_count >= MAX_SESSIONS_PER_USER:
+            await redis_client.spop(session_hash_key)
+        await redis_client.sadd(session_hash_key, session_hash)
+        await redis_client.expire(session_hash_key, SESSION_TTL)
         await redis_client.set(
             _user_cache_key(user.id), json.dumps(user_data), ex=USER_CACHE_TTL
         )
@@ -572,15 +569,8 @@ async def logout(request: Request):
                     settings.get_redis_url(),
                     decode_responses=True,
                 )
-                # Add to blacklist to invalidate all sessions for this user (optional but safer)
-                blacklist = get_session_blacklist()
-                await blacklist.blacklist_user(user_id)
-
-                # Delete session key from Redis
-                await redis_client.delete(
-                    _session_hash_key(user_id),
-                    _user_cache_key(user_id),
-                )
+                session_hash = _hash_session_token(session_token)
+                await redis_client.srem(_session_hash_key(user_id), session_hash)
             except Exception:
                 logger.warning(
                     "Failed to invalidate session cache during logout for user_id=%s",

app/routers/analysis_json.py

@@ -217,27 +217,10 @@ async def get_analysis_results(
             raise
 
 
-@router.get("/api/detail/{result_id}")
-async def get_analysis_detail(
-    result_id: int,
-    db: AsyncSession = Depends(get_db)
-):
-    """특정 분석 결과의 상세 정보를 조회하는 API"""
-    
-    query = select(StockAnalysisResult, StockInfo).join(
-        StockInfo, StockAnalysisResult.stock_info_id == StockInfo.id
-    ).where(StockAnalysisResult.id == result_id)
-    
-    result = await db.execute(query)
-    row = result.first()
-    
-    if not row:
-        return {"error": "분석 결과를 찾을 수 없습니다."}
-    
-    analysis_result, stock_info = row
-    
+def _build_analysis_response(analysis_result: StockAnalysisResult, stock_info: StockInfo) -> dict:
+    """분석 결과를 응답 형식으로 변환하는 헬퍼 함수"""
     reasons = _normalize_reasons(analysis_result.reasons)
-    
+
     return {
         "id": analysis_result.id,
         "symbol": stock_info.symbol,
@@ -269,6 +252,52 @@ async def get_analysis_detail(
     }
 
 
+@router.get("/api/detail/{result_id}")
+async def get_analysis_detail(
+    result_id: int,
+    db: AsyncSession = Depends(get_db)
+):
+    """특정 분석 결과의 상세 정보를 조회하는 API"""
+
+    query = select(StockAnalysisResult, StockInfo).join(
+        StockInfo, StockAnalysisResult.stock_info_id == StockInfo.id
+    ).where(StockAnalysisResult.id == result_id)
+
+    result = await db.execute(query)
+    row = result.first()
+
+    if not row:
+        return {"error": "분석 결과를 찾을 수 없습니다."}
+
+    analysis_result, stock_info = row
+    return _build_analysis_response(analysis_result, stock_info)
+
+
+@router.get("/api/detail/by-symbol/{symbol}")
+async def get_latest_analysis_by_symbol(
+    symbol: str,
+    db: AsyncSession = Depends(get_db)
+):
+    """특정 종목의 최신 분석 결과를 조회하는 API"""
+
+    query = select(StockAnalysisResult, StockInfo).join(
+        StockInfo, StockAnalysisResult.stock_info_id == StockInfo.id
+    ).where(
+        StockInfo.symbol == symbol
+    ).order_by(
+        StockAnalysisResult.created_at.desc()
+    ).limit(1)
+
+    result = await db.execute(query)
+    row = result.first()
+
+    if not row:
+        return {"error": "분석 결과를 찾을 수 없습니다."}
+
+    analysis_result, stock_info = row
+    return _build_analysis_response(analysis_result, stock_info)
+
+
 @router.get("/api/filters")
 async def get_filter_options(db: AsyncSession = Depends(get_db)):
     """필터 옵션을 조회하는 API"""

app/templates/kis_domestic_trading_dashboard.html

@@ -1045,12 +1045,13 @@ <h6 class="card-title mb-3">
             // Individual stock action handlers
             document.querySelectorAll('.stock-analyze-btn').forEach(btn => {
                 btn.addEventListener('click', () => {
-                    const analysisId = btn.dataset.id;
+                    const hasAnalysis = btn.dataset.id !== '';  // 기존 분석 존재 여부
                     const symbol = btn.dataset.code;
                     const name = btn.dataset.name;
 
-                    if (analysisId) {
-                        openStockAnalysisDetail(analysisId, symbol, name);
+                    if (hasAnalysis) {
+                        // 항상 최신 분석을 symbol 기반으로 조회
+                        openStockAnalysisDetail(symbol, name);
                     } else {
                         if (confirm(`${name} (${symbol})에 대한 개별 AI 분석을 실행하시겠습니까?`)) {
                             triggerIndividualStockTask('analyze-stock', symbol, name);
@@ -1142,7 +1143,7 @@ <h6 class="card-title mb-3">
                 .replace(/'/g, "&#039;");
         }
 
-        async function openStockAnalysisDetail(analysisId, symbol, name) {
+        async function openStockAnalysisDetail(symbol, name) {
             const modalElement = document.getElementById('stockAnalysisModal');
             const modalTitle = modalElement.querySelector('.modal-title');
             const modalBody = modalElement.querySelector('.modal-body');
@@ -1168,7 +1169,8 @@ <h6 class="card-title mb-3">
             modal.show();
 
             try {
-                const response = await fetch(`/analysis-json/api/detail/${analysisId}`);
+                // symbol 기반으로 최신 분석 결과를 조회
+                const response = await fetch(`/analysis-json/api/detail/by-symbol/${symbol}`);
                 if (!response.ok) {
                     throw new Error('Network response was not ok');
                 }

app/templates/kis_overseas_trading_dashboard.html

@@ -1034,12 +1034,13 @@ <h6 class="card-title mb-3">
 
             document.querySelectorAll('.stock-analyze-btn').forEach(btn => {
                 btn.addEventListener('click', () => {
-                    const analysisId = btn.dataset.id;
+                    const hasAnalysis = btn.dataset.id !== '';  // 기존 분석 존재 여부
                     const symbol = btn.dataset.code;
                     const name = btn.dataset.name;
 
-                    if (analysisId) {
-                        openStockAnalysisDetail(analysisId, symbol, name);
+                    if (hasAnalysis) {
+                        // 항상 최신 분석을 symbol 기반으로 조회
+                        openStockAnalysisDetail(symbol, name);
                     } else {
                         if (confirm(`${name} (${symbol})에 대한 개별 AI 분석을 실행하시겠습니까?`)) {
                             triggerIndividualStockTask('analyze-stock', symbol, name);
@@ -1132,7 +1133,7 @@ <h6 class="card-title mb-3">
                 .replace(/'/g, "&#039;");
         }
 
-        async function openStockAnalysisDetail(analysisId, symbol, name) {
+        async function openStockAnalysisDetail(symbol, name) {
             const modalElement = document.getElementById('stockAnalysisModal');
             const modalTitle = modalElement.querySelector('.modal-title');
             const modalBody = modalElement.querySelector('.modal-body');
@@ -1158,7 +1159,8 @@ <h6 class="card-title mb-3">
             modal.show();
 
             try {
-                const response = await fetch(`/analysis-json/api/detail/${analysisId}`);
+                // symbol 기반으로 최신 분석 결과를 조회
+                const response = await fetch(`/analysis-json/api/detail/by-symbol/${symbol}`);
                 if (!response.ok) {
                     throw new Error('Network response was not ok');
                 }

app/templates/stock_latest_dashboard.html

@@ -718,6 +718,7 @@ <h6>분석 이력 (총 ${data.total_count}건)</h6>
         }
 
         // 최신 분석 상세 정보 표시 (메인 테이블에서 호출)
+        // symbol 기반으로 항상 최신 분석을 조회
         async function showLatestAnalysisDetail(analysisId, symbol, name, stockInfoId) {
             const modal = new bootstrap.Modal(document.getElementById('analysisDetailModal'));
             const modalTitle = document.getElementById('analysisDetailModalLabel');
@@ -729,7 +730,8 @@ <h6>분석 이력 (총 ${data.total_count}건)</h6>
             modal.show();
 
             try {
-                const response = await fetch(`/analysis-json/api/detail/${analysisId}`);
+                // symbol 기반으로 최신 분석 결과를 조회 (페이지 로드 시점의 analysisId 대신)
+                const response = await fetch(`/analysis-json/api/detail/by-symbol/${encodeURIComponent(symbol)}`);
                 if (!response.ok) throw new Error('Network response was not ok');
 
                 const data = await response.json();

app/templates/upbit_trading_dashboard.html

@@ -1347,15 +1347,16 @@ <h6 class="border-bottom pb-2 mb-3">
         function attachCoinActionHandlers() {
             document.querySelectorAll('.coin-analysis-btn').forEach(button => {
                 button.addEventListener('click', () => {
-                    const analysisId = Number(button.dataset.analysisId);
+                    const hasAnalysis = button.dataset.analysisId && Number(button.dataset.analysisId) > 0;
                     const symbol = button.dataset.symbol;
                     const name = button.dataset.name;
 
-                    if (!analysisId) {
+                    if (!hasAnalysis) {
                         return;
                     }
 
-                    openCoinAnalysisDetail(analysisId, symbol, name);
+                    // 항상 최신 분석을 symbol 기반으로 조회
+                    openCoinAnalysisDetail(symbol, name);
                 });
             });
 
@@ -1778,7 +1779,7 @@ <h6 class="border-bottom pb-2 mb-3">
             return `${minValue.toLocaleString()} ~ ${maxValue.toLocaleString()}`;
         }
 
-        async function openCoinAnalysisDetail(analysisId, symbol, name) {
+        async function openCoinAnalysisDetail(symbol, name) {
             const modalElement = document.getElementById('coinAnalysisModal');
             const modalTitle = modalElement.querySelector('.modal-title');
             const modalBody = modalElement.querySelector('.modal-body');
@@ -1802,7 +1803,8 @@ <h6 class="border-bottom pb-2 mb-3">
             modal.show();
 
             try {
-                const response = await fetch(`/analysis-json/api/detail/${analysisId}`);
+                // symbol 기반으로 최신 분석 결과를 조회
+                const response = await fetch(`/analysis-json/api/detail/by-symbol/${encodeURIComponent(symbol)}`);
                 if (!response.ok) {
                     throw new Error('Network response was not ok');
                 }