Session Service
Component Detail
Service Layer
medium complexity
backend
Dependencies: 1
Dependents: 1
Entities: 9
Integrations: 0
Description
Backend service exposing REST endpoints for listing, inspecting, and revoking user sessions. Handles authorization scoping (user-own, org-scoped, cross-org for Global Admin), orchestrates refresh token deletion, and manages access token blocklisting to ensure immediate revocation takes effect even before JWT expiry.
session-service
Responsibilities
- List active sessions scoped by authorization level (own, org, global)
- Revoke individual sessions by deleting refresh tokens and blocklisting access token JTIs
- Revoke all sessions for a specific user for offboarding and security incident response
- Record session metadata (device type, user agent, IP, login timestamp, last activity) on token refresh
- Integrate with JWT infrastructure to enforce immediate token invalidation via blocklist: every access-token verification consults the blocklist by JTI, and each entry is kept only until the token's own expiry, after which cleanupExpiredBlocklistEntries removes it
Interfaces
GET /api/v1/sessions?userId=&orgId=&page=&limit=
GET /api/v1/sessions/:sessionId
DELETE /api/v1/sessions/:sessionId
DELETE /api/v1/users/:userId/sessions
getActiveSessions(scope: SessionScope): Promise<PaginatedSessions>
revokeSession(sessionId: string): Promise<void>
revokeAllUserSessions(userId: string): Promise<number>
recordSessionActivity(sessionId: string, metadata: ActivityMeta): Promise<void>
addToTokenBlocklist(jti: string, expiresAt: Date): Promise<void>
isTokenBlocked(jti: string): Promise<boolean>
cleanupExpiredBlocklistEntries(): Promise<number>
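The revocation and scoping flow behind these interfaces, as an added TypeScript example that is not the project's code: an in-memory SessionService whose method names follow the list above but which takes an explicit `now` and returns plain values so the behaviour can be checked (the real service returns Promises backed by a database and a shared blocklist store). The role names `user`/`org_admin`/`global_admin`, the `Caller` and `SessionRecord` shapes, the boolean return of `revokeSession`, and the four sample sessions are assumptions made for the example.

```typescript
// Added example, not the session-service's own code. Names marked "assumed"
// are not taken from the page.

type Role = "user" | "org_admin" | "global_admin"; // assumed role names

interface Caller { userId: string; orgId: string; role: Role }

// Assumed shape of one session row (the real entity carries device/IP metadata).
interface SessionRecord {
  sessionId: string;
  userId: string;
  orgId: string;
  refreshToken: string | null; // null once the session has been revoked
  accessJti: string;           // jti of the access token currently in use
  accessExpiresAt: Date;       // exp claim of that access token
}

class SessionService {
  private readonly sessions = new Map<string, SessionRecord>(); // assumed store
  private readonly blocklist = new Map<string, Date>();          // jti -> expiry

  seed(record: SessionRecord): void { this.sessions.set(record.sessionId, record); }

  // Scope enforcement: a user sees only their own sessions, an org admin only
  // their org, and a Global Admin may query across orgs. Out-of-scope filters
  // are rejected rather than silently narrowed, so a caller cannot probe for
  // other tenants' session ids.
  listSessions(caller: Caller, filter: { userId?: string; orgId?: string }): SessionRecord[] {
    const active = Array.from(this.sessions.values()).filter((s) => s.refreshToken !== null);
    const matches = (s: SessionRecord): boolean =>
      (filter.userId === undefined || s.userId === filter.userId) &&
      (filter.orgId === undefined || s.orgId === filter.orgId);
    switch (caller.role) {
      case "user":
        if (filter.userId !== undefined && filter.userId !== caller.userId) {
          throw new Error("forbidden: users may only list their own sessions");
        }
        return active.filter((s) => s.userId === caller.userId && matches(s));
      case "org_admin":
        if (filter.orgId !== undefined && filter.orgId !== caller.orgId) {
          throw new Error("forbidden: org admins may only list their own org");
        }
        return active.filter((s) => s.orgId === caller.orgId && matches(s));
      case "global_admin":
        return active.filter(matches);
      default:
        throw new Error("unknown role");
    }
  }

  // Revocation = delete the refresh token (no more renewals) AND blocklist the
  // current access token's jti until its own exp, so the JWT is rejected at
  // once instead of staying valid for the rest of its lifetime.
  revokeSession(sessionId: string, now: Date): boolean {
    const s = this.sessions.get(sessionId);
    if (s === undefined || s.refreshToken === null) return false; // idempotent
    s.refreshToken = null;
    if (s.accessExpiresAt > now) this.addToTokenBlocklist(s.accessJti, s.accessExpiresAt);
    return true;
  }

  revokeAllUserSessions(userId: string, now: Date): number {
    let revoked = 0;
    this.sessions.forEach((s) => {
      if (s.userId === userId && this.revokeSession(s.sessionId, now)) revoked++;
    });
    return revoked;
  }

  addToTokenBlocklist(jti: string, expiresAt: Date): void { this.blocklist.set(jti, expiresAt); }

  // Called by the JWT verifier on every request, after signature and exp checks.
  isTokenBlocked(jti: string, now: Date): boolean {
    const expiresAt = this.blocklist.get(jti);
    return expiresAt !== undefined && expiresAt > now;
  }

  // Entries whose token has already expired can go: the exp check rejects it anyway.
  cleanupExpiredBlocklistEntries(now: Date): number {
    let removed = 0;
    this.blocklist.forEach((expiresAt, jti) => {
      if (expiresAt <= now) { this.blocklist.delete(jti); removed++; }
    });
    return removed;
  }
}

// Constructed sample data: four sessions across two orgs, 15-minute access tokens.
function runScenario() {
  const svc = new SessionService();
  const t0 = new Date("2024-01-01T00:00:00Z");
  const exp = new Date("2024-01-01T00:15:00Z");
  const mk = (id: string, userId: string, orgId: string): SessionRecord =>
    ({ sessionId: id, userId, orgId, refreshToken: "rt-" + id, accessJti: "jti-" + id, accessExpiresAt: exp });
  [mk("s1", "alice", "acme"), mk("s2", "alice", "acme"), mk("s3", "bob", "acme"), mk("s4", "carol", "globex")]
    .forEach((s) => svc.seed(s));
  const alice: Caller = { userId: "alice", orgId: "acme", role: "user" };
  const acmeAdmin: Caller = { userId: "ops", orgId: "acme", role: "org_admin" };
  const root: Caller = { userId: "root", orgId: "hq", role: "global_admin" };

  let crossOrgDenied = false;
  try { svc.listSessions(acmeAdmin, { orgId: "globex" }); } catch { crossOrgDenied = true; }
  const own = svc.listSessions(alice, {}).length;      // 2
  const org = svc.listSessions(acmeAdmin, {}).length;  // 3
  const all = svc.listSessions(root, {}).length;       // 4

  svc.revokeSession("s1", t0);
  const blockedNow = svc.isTokenBlocked("jti-s1", new Date(t0.getTime() + 60000)); // true
  const bulk = svc.revokeAllUserSessions("alice", t0);                             // 1 (s1 already gone)
  const afterExp = new Date(exp.getTime() + 1);
  const blockedAfterExp = svc.isTokenBlocked("jti-s1", afterExp);                  // false
  const cleaned = svc.cleanupExpiredBlocklistEntries(afterExp);                    // 2
  return { own, org, all, crossOrgDenied, blockedNow, bulk, blockedAfterExp, cleaned,
           stillListed: svc.listSessions(root, {}).length };                       // 2
}
```

Two points the example is built around: deleting the refresh token alone would leave the current access token usable until its exp, which is why `revokeSession` also blocklists the JTI, and the blocklist only needs to hold an entry until that exp, so it stays bounded and `cleanupExpiredBlocklistEntries` can run on a timer without affecting correctness. `isTokenBlocked` has to sit on every verification path, including any gateway that validates the JWT before the backend sees it.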
Relationships
Related Data Entities (9)
Data entities managed by this component