Invalidate all sessions by keeping track of session revision

api/resolvers/user.js

@@ -898,6 +898,14 @@ export default {
 
       await models.user.update({ where: { id: me.id }, data: { hideWelcomeBanner: true } })
       return true
+    },
+    invalidateSessions: async (parent, args, { me, models }) => {
+      if (!me) {
+        throw new GqlAuthenticationError()
+      }
+
+      await models.user.update({ where: { id: me.id }, data: { sessionRev: { increment: 1 } } })
+      return true
     }
   },
 

api/typeDefs/user.js

@@ -44,6 +44,7 @@ export default gql`
     generateApiKey(id: ID!): String
     deleteApiKey(id: ID!): User
     disableFreebies: Boolean
+    invalidateSessions: Boolean
   }
 
   type User {
@@ -197,6 +198,7 @@ export default gql`
     walletsUpdatedAt: Date
     proxyReceive: Boolean
     directReceive: Boolean
+    sessionRev: Int
     receiveCreditsBelowSats: Int!
     sendCreditsBelowSats: Int!
   }

fragments/users.js

@@ -54,6 +54,7 @@ ${STREAK_FIELDS}
       walletsUpdatedAt
       proxyReceive
       directReceive
+      sessionRev
     }
     optional {
       isContributor
@@ -117,6 +118,7 @@ export const SETTINGS_FIELDS = gql`
       apiKeyEnabled
       proxyReceive
       directReceive
+      sessionRev
       receiveCreditsBelowSats
       sendCreditsBelowSats
     }

pages/api/auth/[...nextauth].js

@@ -98,6 +98,7 @@ function getCallbacks (req, res) {
         // token won't have an id on it for new logins, we add it
         // note: token is what's kept in the jwt
         token.id = Number(user.id)
+        token.sessionRev = user.sessionRev || 0
 
         // if referrer exists, set on user
         // isNewUser doesn't work for nostr/lightning auth because we create the user before nextauth can
@@ -143,6 +144,11 @@ function getCallbacks (req, res) {
       // and returns a new object session that's returned whenever get|use[Server]Session is called
       session.user.id = token.id
 
+      // invalidate this session if session revision mismatch
+      session.user.sessionRev = token.sessionRev || 0 // if no sessionRev, set to 0, the user will have one after login
+      const sessionRev = await prisma.user.findUnique({ where: { id: session.user.id }, select: { sessionRev: true } })
+      if (session.user.sessionRev !== sessionRev?.sessionRev) return {}
+
       return session
     }
   }

pages/settings/index.js

@@ -886,6 +886,7 @@ function AuthMethods ({ methods, apiKeyEnabled }) {
           )
         }
       })}
+      <InvalidateSessions />
       <ApiKey apiKey={methods.apiKey} enabled={apiKeyEnabled} />
     </>
   )
@@ -1188,3 +1189,29 @@ const TipRandomField = () => {
     </>
   )
 }
+
+const InvalidateSessions = () => {
+  const showModal = useShowModal()
+  const router = useRouter()
+
+  const [invalidateSessions] = useMutation(gql`
+    mutation invalidateSessions {
+      invalidateSessions
+    }`
+  )
+
+  return (
+    <Button
+      variant='danger'
+      onClick={async () => {
+        const { data } = await invalidateSessions()
+        if (data.invalidateSessions) {
+          // TODO: Invalidate Sessions Obstacle
+          showModal(onClose => (router.push('/')))
+        }
+      }}
+    >
+      Invalidate Sessions
+    </Button>
+  )
+}

prisma/migrations/20250221103652_invalidate_sessions/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "users" ADD COLUMN     "sessionRev" INTEGER NOT NULL DEFAULT 0;

prisma/schema.prisma

@@ -123,6 +123,7 @@ model User {
   mcredits                  BigInt               @default(0)
   receiveCreditsBelowSats   Int                  @default(10)
   sendCreditsBelowSats      Int                  @default(10)
+  sessionRev                Int                  @default(0)
   muters                    Mute[]               @relation("muter")
   muteds                    Mute[]               @relation("muted")
   ArcOut                    Arc[]                @relation("fromUser")