feat: Implement invalidateAllSessions function in Basic API (#1767)

Co-authored-by: pilcrowOnPaper <pilcrowonpaper@gmail.com>
lucia-auth · Feb 12, 2025 · f4333e2 · f4333e2
1 parent 999c797
commit f4333e2
Show file tree

Hide file tree

Showing 6 changed files with 118 additions and 4 deletions.
diff --git a/pages/sessions/basic-api/drizzle-orm.md b/pages/sessions/basic-api/drizzle-orm.md
@@ -132,6 +132,10 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	// TODO
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	// TODO
+}
+
 export type SessionValidationResult =
 	| { session: Session; user: User }
 	| { session: null; user: null };
@@ -230,14 +234,18 @@ export async function validateSessionToken(token: string): Promise<SessionValida
 Finally, invalidate sessions by simply deleting it from the database.
 
 ```ts
-import { eq } from "drizzle-orm";
 import { db, userTable, sessionTable } from "./db.js";
+import { eq } from "drizzle-orm";
 
 // ...
 
 export async function invalidateSession(sessionId: string): Promise<void> {
 	await db.delete(sessionTable).where(eq(sessionTable.id, sessionId));
 }
+
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	await db.delete(sessionTable).where(eq(sessionTable.userId, userId));
+}
 ```
 
 Here's the full code:
@@ -299,6 +307,10 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	await db.delete(sessionTable).where(eq(sessionTable.id, sessionId));
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	await db.delete(sessionTable).where(eq(sessionTable.userId, userId));
+}
+
 export type SessionValidationResult =
 	| { session: Session; user: User }
 	| { session: null; user: null };

diff --git a/pages/sessions/basic-api/mysql.md b/pages/sessions/basic-api/mysql.md
@@ -56,6 +56,10 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	// TODO
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	// TODO
+}
+
 export type SessionValidationResult =
 	| { session: Session; user: User }
 	| { session: null; user: null };
@@ -179,6 +183,10 @@ import { db } from "./db.js";
 export async function invalidateSession(sessionId: string): Promise<void> {
 	await db.execute("DELETE FROM user_session WHERE id = ?", sessionId);
 }
+
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	await db.execute("DELETE FROM user_session WHERE user_id = ?", userId);
+}
 ```
 
 Here's the full code:
@@ -247,6 +255,10 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	await db.execute("DELETE FROM user_session WHERE id = ?", sessionId);
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	await db.execute("DELETE FROM user_session WHERE user_id = ?", userId);
+}
+
 export type SessionValidationResult =
 	| { session: Session; user: User }
 	| { session: null; user: null };

diff --git a/pages/sessions/basic-api/postgresql.md b/pages/sessions/basic-api/postgresql.md
@@ -56,6 +56,10 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	// TODO
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	// TODO
+}
+
 export type SessionValidationResult =
 	| { session: Session; user: User }
 	| { session: null; user: null };
@@ -179,6 +183,10 @@ import { db } from "./db.js";
 export async function invalidateSession(sessionId: string): Promise<void> {
 	await db.execute("DELETE FROM user_session WHERE id = ?", sessionId);
 }
+
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	await db.execute("DELETE FROM user_session WHERE user_id = ?", userId);
+}
 ```
 
 Here's the full code:
@@ -247,6 +255,10 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	await db.execute("DELETE FROM user_session WHERE id = ?", sessionId);
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	await db.execute("DELETE FROM user_session WHERE user_id = ?", userId);
+}
+
 export type SessionValidationResult =
 	| { session: Session; user: User }
 	| { session: null; user: null };

diff --git a/pages/sessions/basic-api/prisma.md b/pages/sessions/basic-api/prisma.md
@@ -58,6 +58,10 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	// TODO
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	// TODO
+}
+
 export type SessionValidationResult =
 	| { session: Session; user: User }
 	| { session: null; user: null };
@@ -168,6 +172,14 @@ import { prisma } from "./db.js";
 export async function invalidateSession(sessionId: string): Promise<void> {
 	await prisma.session.delete({ where: { id: sessionId } });
 }
+
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	await prisma.session.deleteMany({
+		where: {
+			userId: userId
+		}
+	});
+}
 ```
 
 Here's the full code:
@@ -235,6 +247,14 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	await prisma.session.delete({ where: { id: sessionId } });
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	await prisma.session.deleteMany({
+		where: {
+			userId: userId
+		}
+	});
+}
+
 export type SessionValidationResult =
 	| { session: Session; user: User }
 	| { session: null; user: null };

diff --git a/pages/sessions/basic-api/redis.md b/pages/sessions/basic-api/redis.md
@@ -33,6 +33,10 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	// TODO
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	// TODO
+}
+
 export interface Session {
 	id: string;
 	userId: number;
@@ -63,7 +67,7 @@ export function generateSessionToken(): string {
 
 > You can use UUID v4 here but the RFC does not mandate that IDs are generated using a secure random source. Do not use libraries that are not clear on the source they use. Do not use other UUID versions as they do not offer the same entropy size as v4. Consider using [`Crypto.randomUUID()`](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/randomUUID).
 
-The session ID will be SHA-256 hash of the token. We'll set the expiration to 30 days.
+The session ID will be SHA-256 hash of the token. We'll set the expiration to 30 days. We'll also keep a list of sessions linked to each user.
 
 ```ts
 import { redis } from "./redis.js";
@@ -90,6 +94,8 @@ export async function createSession(token: string, userId: number): Promise<Sess
 			EXAT: Math.floor(session.expiresAt / 1000)
 		}
 	);
+	await redis.sadd(`user_sessions:${userId}`, sessionId);
+
 	return session;
 }
 ```
@@ -114,6 +120,7 @@ export async function validateSessionToken(token: string): Promise<Session | nul
 	if (item === null) {
 		return null;
 	}
+
 	const result = JSON.parse(item);
 	const session: Session = {
 		id: result.id,
@@ -122,6 +129,7 @@ export async function validateSessionToken(token: string): Promise<Session | nul
 	};
 	if (Date.now() >= session.expiresAt.getTime()) {
 		await redis.delete(`session:${sessionId}`);
+		await redis.srem(`user_sessions:${userId}`, sessionId);
 		return null;
 	}
 	if (Date.now() >= session.expiresAt.getTime() - 1000 * 60 * 60 * 24 * 15) {
@@ -149,8 +157,25 @@ import { redis } from "./redis.js";
 
 // ...
 
-export async function invalidateSession(sessionId: string): Promise<void> {
+export async function invalidateSession(sessionId: string, userId: number): Promise<void> {
 	await redis.delete(`session:${sessionId}`);
+	await redis.srem(`user_sessions:${userId}`, sessionId);
+}
+
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	const sessionIds = await redis.smembers(`user_sessions:${userId}`);
+	if (sessionIds.length < 1) {
+		return;
+	}
+
+	const pipeline = redis.pipeline();
+
+	for (const sessionId of sessionIds) {
+		pipeline.unlink(`session:${sessionId}`);
+	}
+	pipeline.unlink(`user_sessions:${userId}`);
+
+	await pipeline.exec();
 }
 ```
 
@@ -186,6 +211,8 @@ export async function createSession(token: string, userId: number): Promise<Sess
 			EXAT: Math.floor(session.expiresAt / 1000)
 		}
 	);
+	await redis.sadd(`user_sessions:${userId}`, sessionId);
+
 	return session;
 }
 
@@ -195,6 +222,7 @@ export async function validateSessionToken(token: string): Promise<Session | nul
 	if (item === null) {
 		return null;
 	}
+
 	const result = JSON.parse(item);
 	const session: Session = {
 		id: result.id,
@@ -203,6 +231,7 @@ export async function validateSessionToken(token: string): Promise<Session | nul
 	};
 	if (Date.now() >= session.expiresAt.getTime()) {
 		await redis.delete(`session:${sessionId}`);
+		await redis.srem(`user_sessions:${userId}`, sessionId);
 		return null;
 	}
 	if (Date.now() >= session.expiresAt.getTime() - 1000 * 60 * 60 * 24 * 15) {
@@ -222,8 +251,25 @@ export async function validateSessionToken(token: string): Promise<Session | nul
 	return session;
 }
 
-export async function invalidateSession(sessionId: string): Promise<void> {
+export async function invalidateSession(sessionId: string, userId: number): Promise<void> {
 	await redis.delete(`session:${sessionId}`);
+	await redis.srem(`user_sessions:${userId}`, sessionId);
+}
+
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	const sessionIds = await redis.smembers(`user_sessions:${userId}`);
+	if (sessionIds.length < 1) {
+		return;
+	}
+
+	const pipeline = redis.pipeline();
+
+	for (const sessionId of sessionIds) {
+		pipeline.unlink(`session:${sessionId}`);
+	}
+	pipeline.unlink(`user_sessions:${userId}`);
+
+	await pipeline.exec();
 }
 
 export interface Session {

diff --git a/pages/sessions/basic-api/sqlite.md b/pages/sessions/basic-api/sqlite.md
@@ -56,6 +56,10 @@ export function invalidateSession(sessionId: string): void {
 	// TODO
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	// TODO
+}
+
 export type SessionValidationResult =
 	| { session: Session; user: User }
 	| { session: null; user: null };
@@ -179,6 +183,10 @@ import { db } from "./db.js";
 export function invalidateSession(sessionId: string): void {
 	db.execute("DELETE FROM session WHERE id = ?", sessionId);
 }
+
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	await db.execute("DELETE FROM user_session WHERE user_id = ?", userId);
+}
 ```
 
 Here's the full code:
@@ -247,6 +255,10 @@ export function invalidateSession(sessionId: string): void {
 	db.execute("DELETE FROM session WHERE id = ?", sessionId);
 }
 
+export async function invalidateAllSessions(userId: number): Promise<void> {
+	await db.execute("DELETE FROM user_session WHERE user_id = ?", userId);
+}
+
 export type SessionValidationResult =
 	| { session: Session; user: User }
 	| { session: null; user: null };