Add session management with revocation capabilities and security fix (#822)

### Summary & Motivation

Add user session management functionality allowing users to view and
revoke active sessions across all devices and accounts. Sessions are
queried across all accounts for the user's email address using
unfiltered repository methods and displayed with device information,
browser details, IP address, and account name in a modal dialog
accessible from the user menu. Each session can be individually revoked
with confirmation dialogs to prevent accidental sign-outs. Session
revocation validates ownership by email instead of user ID, ensuring
users can revoke sessions across all their accounts.

The implementation includes a critical security fix discovered during
development:

- **Fix session lifetime extension vulnerability**: Switching accounts
previously created a new 90-day session, allowing infinite session
extension. Current session is now revoked when switching accounts, and
the new session preserves the original expiry date through a computed
`ExpiresAt` property on the Session aggregate and token generation
overloads that accept custom expiry parameters.

Backend changes include session revocation endpoints with tests,
repository methods for unfiltered session queries, `SwitchTenant` added
to `SessionRevokedReason` enum, and
`RefreshTokenGenerator.ValidForHours` made public as the single source
of truth. Frontend changes include SessionsModal component with device
type detection, user agent parsing, Smart Date formatting, confirmation
dialogs, and E2E tests covering session viewing, individual revocation,
and cross-account scenarios.

### Checklist

- [x] I have added tests, or done manual regression tests
- [x] I have updated the documentation, if necessary

Author: tjementum

application/account-management/Api/Endpoints/AuthenticationEndpoints.cs

@@ -4,6 +4,7 @@
 using PlatformPlatform.AccountManagement.Features.EmailConfirmations.Commands;
 using PlatformPlatform.AccountManagement.Features.EmailConfirmations.Domain;
 using PlatformPlatform.SharedKernel.ApiResults;
+using PlatformPlatform.SharedKernel.Authentication.TokenGeneration;
 using PlatformPlatform.SharedKernel.Endpoints;
 
 namespace PlatformPlatform.AccountManagement.Api.Endpoints;
@@ -40,6 +41,10 @@ public void MapEndpoints(IEndpointRouteBuilder routes)
             => await mediator.Send(query)
         ).Produces<UserSessionsResponse>();
 
+        group.MapDelete("/sessions/{id}", async Task<ApiResult> (SessionId id, IMediator mediator)
+            => await mediator.Send(new RevokeSessionCommand { Id = id })
+        );
+
         // Note: This endpoint must be called with the refresh token as Bearer token in the Authorization header
         routes.MapPost("/internal-api/account-management/authentication/refresh-authentication-tokens", async Task<ApiResult> (IMediator mediator)
             => await mediator.Send(new RefreshAuthenticationTokensCommand())

application/account-management/Core/Features/Authentication/Commands/RevokeSession.cs

@@ -0,0 +1,54 @@
+using JetBrains.Annotations;
+using PlatformPlatform.AccountManagement.Features.Authentication.Domain;
+using PlatformPlatform.AccountManagement.Features.Users.Domain;
+using PlatformPlatform.SharedKernel.Authentication.TokenGeneration;
+using PlatformPlatform.SharedKernel.Cqrs;
+using PlatformPlatform.SharedKernel.ExecutionContext;
+using PlatformPlatform.SharedKernel.Telemetry;
+
+namespace PlatformPlatform.AccountManagement.Features.Authentication.Commands;
+
+[PublicAPI]
+public sealed record RevokeSessionCommand : ICommand, IRequest<Result>
+{
+    [JsonIgnore]
+    public SessionId Id { get; init; } = null!;
+}
+
+public sealed class RevokeSessionHandler(
+    ISessionRepository sessionRepository,
+    IUserRepository userRepository,
+    IExecutionContext executionContext,
+    ITelemetryEventsCollector events,
+    TimeProvider timeProvider
+) : IRequestHandler<RevokeSessionCommand, Result>
+{
+    public async Task<Result> Handle(RevokeSessionCommand command, CancellationToken cancellationToken)
+    {
+        var userEmail = executionContext.UserInfo.Email!;
+
+        var session = await sessionRepository.GetByIdUnfilteredAsync(command.Id, cancellationToken);
+        if (session is null)
+        {
+            return Result.NotFound($"Session with id '{command.Id}' not found.");
+        }
+
+        var sessionUser = await userRepository.GetByIdUnfilteredAsync(session.UserId, cancellationToken);
+        if (sessionUser?.Email != userEmail)
+        {
+            return Result.Forbidden("You can only revoke your own sessions.");
+        }
+
+        if (session.IsRevoked)
+        {
+            return Result.BadRequest($"Session with id '{command.Id}' is already revoked.");
+        }
+
+        session.Revoke(timeProvider.GetUtcNow(), SessionRevokedReason.Revoked);
+        sessionRepository.Update(session);
+
+        events.CollectEvent(new SessionRevoked(SessionRevokedReason.Revoked));
+
+        return Result.Success();
+    }
+}

application/account-management/Core/Features/Authentication/Commands/SwitchTenant.cs

@@ -47,14 +47,33 @@ public async Task<Result> Handle(SwitchTenantCommand command, CancellationToken
             await CopyProfileDataFromCurrentUser(targetUser, cancellationToken);
         }
 
+        var currentSessionId = executionContext.UserInfo.SessionId;
+        var currentSession = await sessionRepository.GetByIdUnfilteredAsync(currentSessionId!, cancellationToken);
+        if (currentSession is null)
+        {
+            logger.LogWarning("Current session '{SessionId}' not found", currentSessionId);
+            return Result.Unauthorized("Current session not found.");
+        }
+
+        if (currentSession.IsRevoked)
+        {
+            logger.LogWarning("Current session '{SessionId}' is already revoked", currentSessionId);
+            return Result.Unauthorized("Session has been revoked.");
+        }
+
+        var now = timeProvider.GetUtcNow();
+        currentSession.Revoke(now, SessionRevokedReason.SwitchTenant);
+        sessionRepository.Update(currentSession);
+        events.CollectEvent(new SessionRevoked(SessionRevokedReason.SwitchTenant));
+
         var userAgent = httpContextAccessor.HttpContext?.Request.Headers.UserAgent.ToString() ?? string.Empty;
         var ipAddress = executionContext.ClientIpAddress;
 
         var session = Session.Create(targetUser.TenantId, targetUser.Id, userAgent, ipAddress);
         await sessionRepository.AddAsync(session, cancellationToken);
 
         var userInfo = await userInfoFactory.CreateUserInfoAsync(targetUser, cancellationToken, session.Id);
-        authenticationTokenService.CreateAndSetAuthenticationTokens(userInfo, session.Id, session.RefreshTokenJti);
+        authenticationTokenService.CreateAndSetAuthenticationTokens(userInfo, session.Id, session.RefreshTokenJti, currentSession.ExpiresAt);
 
         events.CollectEvent(new SessionCreated(session.Id));
         events.CollectEvent(new TenantSwitched(executionContext.TenantId!, command.TenantId, targetUser.Id));

application/account-management/Core/Features/Authentication/Domain/Session.cs

@@ -42,6 +42,8 @@ private Session(TenantId tenantId, UserId userId, DeviceType deviceType, string
 
     public bool IsRevoked => RevokedAt is not null;
 
+    public DateTimeOffset ExpiresAt => CreatedAt.AddHours(RefreshTokenGenerator.ValidForHours);
+
     public TenantId TenantId { get; }
 
     public static Session Create(TenantId tenantId, UserId userId, string userAgent, IPAddress ipAddress)

application/account-management/Core/Features/Authentication/Domain/SessionRepository.cs

@@ -15,6 +15,12 @@ public interface ISessionRepository : ICrudRepository<Session, SessionId>
     Task<Session?> GetByIdUnfilteredAsync(SessionId sessionId, CancellationToken cancellationToken);
 
     Task<Session[]> GetActiveSessionsForUserAsync(UserId userId, CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Retrieves all active sessions for multiple users across all tenants without applying query filters.
+    ///     This method should only be used in the Sessions dialog where users need to see all sessions for their email.
+    /// </summary>
+    Task<Session[]> GetActiveSessionsForUsersUnfilteredAsync(UserId[] userIds, CancellationToken cancellationToken);
 }
 
 public sealed class SessionRepository(AccountManagementDbContext accountManagementDbContext)
@@ -32,4 +38,13 @@ public async Task<Session[]> GetActiveSessionsForUserAsync(UserId userId, Cancel
             .ToArrayAsync(cancellationToken);
         return sessions.OrderByDescending(s => s.ModifiedAt ?? s.CreatedAt).ToArray();
     }
+
+    public async Task<Session[]> GetActiveSessionsForUsersUnfilteredAsync(UserId[] userIds, CancellationToken cancellationToken)
+    {
+        var sessions = await DbSet
+            .IgnoreQueryFilters()
+            .Where(s => userIds.AsEnumerable().Contains(s.UserId) && s.RevokedAt == null)
+            .ToArrayAsync(cancellationToken);
+        return sessions.OrderByDescending(s => s.ModifiedAt ?? s.CreatedAt).ToArray();
+    }
 }

application/account-management/Core/Features/Authentication/Domain/SessionTypes.cs

@@ -17,5 +17,7 @@ public enum DeviceType
 public enum SessionRevokedReason
 {
     LoggedOut,
-    ReplayAttackDetected
+    Revoked,
+    ReplayAttackDetected,
+    SwitchTenant
 }

application/account-management/Core/Features/Authentication/Queries/GetUserSessions.cs

@@ -1,5 +1,7 @@
 using JetBrains.Annotations;
 using PlatformPlatform.AccountManagement.Features.Authentication.Domain;
+using PlatformPlatform.AccountManagement.Features.Tenants.Domain;
+using PlatformPlatform.AccountManagement.Features.Users.Domain;
 using PlatformPlatform.SharedKernel.Authentication.TokenGeneration;
 using PlatformPlatform.SharedKernel.Cqrs;
 using PlatformPlatform.SharedKernel.ExecutionContext;
@@ -20,18 +22,30 @@ public sealed record UserSessionInfo(
     string UserAgent,
     string IpAddress,
     DateTimeOffset LastActivityAt,
-    bool IsCurrent
+    bool IsCurrent,
+    string TenantName
 );
 
-public sealed class GetUserSessionsHandler(ISessionRepository sessionRepository, IExecutionContext executionContext)
-    : IRequestHandler<GetUserSessionsQuery, Result<UserSessionsResponse>>
+public sealed class GetUserSessionsHandler(
+    ISessionRepository sessionRepository,
+    IUserRepository userRepository,
+    ITenantRepository tenantRepository,
+    IExecutionContext executionContext
+) : IRequestHandler<GetUserSessionsQuery, Result<UserSessionsResponse>>
 {
     public async Task<Result<UserSessionsResponse>> Handle(GetUserSessionsQuery query, CancellationToken cancellationToken)
     {
-        var userId = executionContext.UserInfo.Id!;
+        var userEmail = executionContext.UserInfo.Email!;
         var currentSessionId = executionContext.UserInfo.SessionId;
 
-        var sessions = await sessionRepository.GetActiveSessionsForUserAsync(userId, cancellationToken);
+        var users = await userRepository.GetUsersByEmailUnfilteredAsync(userEmail, cancellationToken);
+        var userIds = users.Select(u => u.Id).ToArray();
+
+        var sessions = await sessionRepository.GetActiveSessionsForUsersUnfilteredAsync(userIds, cancellationToken);
+
+        var tenantIds = sessions.Select(s => s.TenantId).Distinct().ToArray();
+        var tenants = await tenantRepository.GetByIdsAsync(tenantIds, cancellationToken);
+        var tenantLookup = tenants.ToDictionary(t => t.Id, t => t.Name);
 
         var sessionInfos = sessions.Select(s => new UserSessionInfo(
                 s.Id,
@@ -40,7 +54,8 @@ public async Task<Result<UserSessionsResponse>> Handle(GetUserSessionsQuery quer
                 s.UserAgent,
                 s.IpAddress,
                 s.ModifiedAt ?? s.CreatedAt,
-                currentSessionId is not null && s.Id == currentSessionId
+                currentSessionId is not null && s.Id == currentSessionId,
+                tenantLookup.GetValueOrDefault(s.TenantId) ?? string.Empty
             )
         ).ToArray();
 

application/account-management/Tests/Authentication/GetUserSessionsTests.cs

@@ -4,6 +4,7 @@
 using PlatformPlatform.AccountManagement.Features.Authentication.Domain;
 using PlatformPlatform.AccountManagement.Features.Authentication.Queries;
 using PlatformPlatform.SharedKernel.Authentication.TokenGeneration;
+using PlatformPlatform.SharedKernel.Domain;
 using PlatformPlatform.SharedKernel.Tests;
 using PlatformPlatform.SharedKernel.Tests.Persistence;
 using Xunit;
@@ -75,6 +76,34 @@ public async Task GetUserSessions_ShouldNotReturnOtherUserSessions()
         responseBody.Sessions.Should().Contain(s => s.Id == DatabaseSeeder.Tenant1OwnerSession.Id);
     }
 
+    [Fact]
+    public async Task GetUserSessions_ShouldReturnSessionsAcrossAllTenants()
+    {
+        // Arrange
+        var tenant2Name = "Tenant 2";
+        var tenant2Id = InsertTenant(tenant2Name);
+        var user2Id = UserId.NewId();
+        InsertUser(tenant2Id, user2Id, DatabaseSeeder.Tenant1Owner.Email);
+        var tenant2SessionId = InsertSession(tenant2Id, user2Id);
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.GetAsync("/api/account-management/authentication/sessions");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var responseBody = await response.DeserializeResponse<UserSessionsResponse>();
+        responseBody.Should().NotBeNull();
+        responseBody.Sessions.Length.Should().Be(2);
+        responseBody.Sessions.Should().Contain(s => s.Id == DatabaseSeeder.Tenant1OwnerSession.Id);
+        responseBody.Sessions.Should().Contain(s => s.Id == new SessionId(tenant2SessionId));
+
+        var tenant1Session = responseBody.Sessions.Single(s => s.Id == DatabaseSeeder.Tenant1OwnerSession.Id);
+        tenant1Session.TenantName.Should().Be(DatabaseSeeder.Tenant1.Name);
+
+        var tenant2Session = responseBody.Sessions.Single(s => s.Id == new SessionId(tenant2SessionId));
+        tenant2Session.TenantName.Should().Be(tenant2Name);
+    }
+
     [Fact]
     public async Task GetUserSessions_ShouldNotReturnRevokedSessions()
     {
@@ -94,6 +123,45 @@ public async Task GetUserSessions_ShouldNotReturnRevokedSessions()
         responseBody.Sessions.Should().Contain(s => s.Id == DatabaseSeeder.Tenant1OwnerSession.Id);
     }
 
+    private long InsertTenant(string name)
+    {
+        var tenantId = TenantId.NewId().Value;
+        var now = TimeProvider.System.GetUtcNow();
+
+        Connection.Insert("Tenants", [
+                ("Id", tenantId),
+                ("CreatedAt", now),
+                ("ModifiedAt", null),
+                ("Name", name),
+                ("State", "Active"),
+                ("Logo", """{"Url":null,"Version":0}""")
+            ]
+        );
+
+        return tenantId;
+    }
+
+    private void InsertUser(long tenantId, UserId userId, string email)
+    {
+        var now = TimeProvider.System.GetUtcNow();
+
+        Connection.Insert("Users", [
+                ("TenantId", tenantId),
+                ("Id", userId.ToString()),
+                ("CreatedAt", now),
+                ("ModifiedAt", null),
+                ("Email", email),
+                ("EmailConfirmed", true),
+                ("FirstName", "Test"),
+                ("LastName", "User"),
+                ("Title", null),
+                ("Avatar", """{"Url":null,"Version":0,"IsGravatar":false}"""),
+                ("Role", "Owner"),
+                ("Locale", "en-US")
+            ]
+        );
+    }
+
     private string InsertSession(long tenantId, string userId, bool isRevoked = false)
     {
         var sessionId = SessionId.NewId().ToString();