package api import ( "encoding/json" "fmt" "net/http" "net/url" "carcontrol/api/internal/auth" "carcontrol/api/internal/models" ) // handleListSessions lists the current user's active (non-revoked) logins, // flagging which one is the request being made right now. func (s *Server) handleListSessions(w http.ResponseWriter, r *http.Request) { claims, ok := r.Context().Value(claimsKey).(*auth.Claims) if !ok { writeError(w, http.StatusUnauthorized, "not authenticated") return } res, err := s.pb.List(r.Context(), colSessions, url.Values{ "filter": {fmt.Sprintf("user='%s' && revoked=false", claims.Sub)}, "sort": {"-created"}, "perPage": {"50"}, }) if err != nil { writePBError(w, err) return } var recs []sessionRecord if err := json.Unmarshal(res.Items, &recs); err != nil { writeError(w, http.StatusInternalServerError, err.Error()) return } out := make([]models.Session, 0, len(recs)) for _, rec := range recs { out = append(out, models.Session{ ID: rec.ID, DeviceLabel: rec.DeviceLabel, IP: rec.IP, Current: rec.Jti == claims.Jti, Created: parsePBDate(rec.Created), ExpiresAt: parsePBDate(rec.ExpiresAt), }) } writeJSON(w, http.StatusOK, out) } // handleRevokeSession logs out one specific device (including possibly the // current one, same as an ordinary logout). func (s *Server) handleRevokeSession(w http.ResponseWriter, r *http.Request) { claims, ok := r.Context().Value(claimsKey).(*auth.Claims) if !ok { writeError(w, http.StatusUnauthorized, "not authenticated") return } id := r.PathValue("id") var rec sessionRecord if err := s.pb.GetOne(r.Context(), colSessions, id, &rec); err != nil { writePBError(w, err) return } if rec.User != claims.Sub { writeError(w, http.StatusNotFound, "session not found") return } if err := s.pb.Update(r.Context(), colSessions, id, map[string]any{"revoked": true}, nil); err != nil { writePBError(w, err) return } w.WriteHeader(http.StatusNoContent) } // handleRevokeOtherSessions logs out every device except the one making this // request ("log out everywhere else"). func (s *Server) handleRevokeOtherSessions(w http.ResponseWriter, r *http.Request) { claims, ok := r.Context().Value(claimsKey).(*auth.Claims) if !ok { writeError(w, http.StatusUnauthorized, "not authenticated") return } res, err := s.pb.List(r.Context(), colSessions, url.Values{ "filter": {fmt.Sprintf("user='%s' && revoked=false && jti!='%s'", claims.Sub, claims.Jti)}, "perPage": {"200"}, }) if err != nil { writePBError(w, err) return } var recs []sessionRecord if err := json.Unmarshal(res.Items, &recs); err != nil { writeError(w, http.StatusInternalServerError, err.Error()) return } for _, rec := range recs { if err := s.pb.Update(r.Context(), colSessions, rec.ID, map[string]any{"revoked": true}, nil); err != nil { writePBError(w, err) return } } writeJSON(w, http.StatusOK, map[string]int{"revoked": len(recs)}) }