@davinotdavid davinotdavid commented Nov 4, 2025

Description of changes

  • Added two endpoints and connected them to the frontend (with some minor formatting for display purposes):
    • GET api/v1/auth/get-active-sessions/ for getting the active sessions
    • POST api/v1/auth/sign-out-session/ for logging out from a session
      • This deletes the Keycloak session and, in case you are logging yourself out, it also deletes the Django session
  • Added two OIDC settings for the deletion to work:
    • OIDC_STORE_ID_TOKEN = True, needed to store the ID token in the session for session verification (ref)
    • OIDC_USE_NONCE = False, needed for the .verify_token() check on the OIDC backend for session verification (OIDC_USE_NONCE)

How to test

  • Log in with two different browsers (or a normal browser + a private window). The list is in descending order, so if you do it in the same minute, the top one will be the second device.
  • If you sign out from the session that you are not currently on, the page should refresh and you should see the entry disappear
  • If you sign out from the session that you are currently on, you should be redirected to the home page without being logged in

Known issues / Things to improve

  • Apparently Keycloak doesn't store device information on a session, but this might be achievable using a plugin of sorts, so for now we are showing "Unknown Device" for all.
  • It is easier to refresh the page for now so that data is automatically re-fetched and the redirect to the non-logged-in / non-authenticated route works automatically. However, this can definitely be enhanced for a more SPA feel in the (near) future.

Related issues

#370

@davinotdavid davinotdavid changed the title [WIP] Implement Account Activity Implement Account Activity Nov 4, 2025
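
The ownership rule a session sign-out endpoint like the one described above needs, as an added example that is not code from this pull request: the target session id is checked against the caller's own session list before anything is deleted, and the local session is dropped only when the target is the current one. `FakeKeycloak`, `sign_out_session`, the `"sid"` session key and the status codes are hypothetical names and choices made for this sketch, and all session data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class FakeKeycloak:
    """In-memory stand-in for the identity provider (constructed sample data)."""
    sessions: dict = field(default_factory=dict)  # session id -> owning user id

    def sessions_for(self, user_id):
        return {sid for sid, owner in self.sessions.items() if owner == user_id}

    def delete_session(self, sid):
        self.sessions.pop(sid, None)


def sign_out_session(idp, django_session, user_id, target_sid):
    """Return (http_status, outcome) for a sign-out request.

    django_session is a plain dict standing in for request.session; its
    "sid" key is assumed to hold the session id taken from the verified
    ID token that OIDC_STORE_ID_TOKEN keeps in the session.
    """
    if not user_id:
        return 401, "not authenticated"
    # Authorise against the caller's own session list, never against the
    # raw id from the request body. Unknown and foreign ids get the same
    # answer so the endpoint cannot be used to probe for valid ids.
    if target_sid not in idp.sessions_for(user_id):
        return 404, "no such session"
    idp.delete_session(target_sid)
    if django_session.get("sid") == target_sid:
        # Caller ended the session they are on: drop the local session too.
        django_session.clear()
        return 200, "signed out current session"
    return 200, "signed out other session"


def demo():
    idp = FakeKeycloak({"s-alice-1": "alice", "s-alice-2": "alice", "s-bob-1": "bob"})
    alice = {"sid": "s-alice-1", "oidc_id_token": "<constructed>"}
    results = [
        sign_out_session(idp, alice, "alice", "s-bob-1"),    # foreign session
        sign_out_session(idp, alice, "alice", "s-alice-2"),  # other device
        sign_out_session(idp, alice, "alice", "s-alice-1"),  # current device
    ]
    return results, idp.sessions, alice


if __name__ == "__main__":
    print(demo())
```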