Session management production improvements #7

@am-miracle

Description

The current session management system needs enhancements for production readiness, including better user experience, security monitoring, and scalability features.

What's Working

  • JWT with refresh tokens (15min access, 30-day refresh)
  • Session limits (5 max per user) with auto-cleanup
  • Database persistence for session tracking
  • Proper token rotation and revocation
  • Basic error handling

Production Concerns

  • Session limit too low for multi-device users
  • No session metadata (device, location, IP)
  • No user-facing session management
  • Limited security monitoring
  • No "Remember this device" functionality

Proposed Improvements

1. Increase Session Limits

// Current: 5 sessions max
// Proposed: 10-15 sessions for production
const MAX_SESSIONS: u32 = 15;

2. Add Session Metadata

-- Database schema improvements
ALTER TABLE refresh_tokens ADD COLUMN device_name VARCHAR(100);
ALTER TABLE refresh_tokens ADD COLUMN ip_address INET;
ALTER TABLE refresh_tokens ADD COLUMN user_agent TEXT;
ALTER TABLE refresh_tokens ADD COLUMN location VARCHAR(100);
ALTER TABLE refresh_tokens ADD COLUMN is_remembered BOOLEAN DEFAULT FALSE;

3. Enhanced Session Model

use chrono::{DateTime, Utc};
use uuid::Uuid;

/// Per-session metadata returned to the user by the sessions API.
#[derive(Debug, Clone)]
pub struct SessionInfo {
    pub id: Uuid,
    pub device_name: String,
    pub ip_address: String,
    pub user_agent: String,
    /// Derived from the IP, so it may be unavailable.
    pub location: Option<String>,
    pub created_at: DateTime<Utc>,
    pub last_active: DateTime<Utc>,
    /// True for the session that issued the request listing sessions.
    pub is_current: bool,
    pub is_remembered: bool,
}

4. Session Management API

// New endpoints
GET /api/v1/users/sessions          // List user's active sessions
DELETE /api/v1/users/sessions/{id}  // Revoke specific session
POST /api/v1/users/sessions/revoke-all  // Revoke all except current

5. Frontend Session Management UI

interface Session {
  id: string;
  device: string;
  location: string;
  lastActive: Date;
  isCurrent: boolean;
  isRemembered: boolean;
}

// Components needed:
// - SessionList component
// - SessionCard component
// - RevokeSessionButton component
// - SessionManagementPage

Security & Monitoring (Low Priority)

6. Security Enhancements

// Suspicious activity detection
- Multiple logins from different countries
- Unusual login times
- Failed login attempts tracking
- Device fingerprinting
- Rate limiting for login attempts
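The following is an added example, not code from this repository, showing how two of the items above (failed-login tracking with rate limiting, and detection of logins from different countries in a short span) can be implemented server-side. It assumes a hypothetical `LoginEvent` record produced by the auth service, with a country already resolved from the IP by a GeoIP lookup the issue does not name; the log lines fed in are constructed for the example.

```rust
use std::collections::{HashMap, VecDeque};

/// One login attempt as the auth service would log it (hypothetical shape).
/// `country` is assumed to come from a GeoIP lookup on `ip`.
#[derive(Debug, Clone)]
pub struct LoginEvent {
    pub user: String,
    pub ip: String,
    pub country: String,
    pub at: u64, // Unix seconds
    pub success: bool,
}

#[derive(Debug, PartialEq)]
pub enum Finding {
    /// `max_failures` or more failed attempts inside `failure_window` seconds.
    RateLimited { user: String, failures: usize },
    /// Two successful logins from different countries less than `travel_window` seconds apart.
    CountryChange { user: String, from: String, to: String, seconds_apart: u64 },
}

pub struct Detector {
    max_failures: usize,
    failure_window: u64,
    travel_window: u64,
    // Per-user timestamps of recent failures (sliding window).
    failures: HashMap<String, VecDeque<u64>>,
    // Per-user (country, time) of the last successful login.
    last_success: HashMap<String, (String, u64)>,
}

impl Detector {
    pub fn new(max_failures: usize, failure_window: u64, travel_window: u64) -> Self {
        Detector { max_failures, failure_window, travel_window, failures: HashMap::new(), last_success: HashMap::new() }
    }

    /// Failed attempts for `user` still inside the sliding window at `now`.
    pub fn recent_failures(&self, user: &str, now: u64) -> usize {
        self.failures.get(user).map_or(0, |q| {
            q.iter().filter(|&&t| now.saturating_sub(t) < self.failure_window).count()
        })
    }

    /// Gate to consult before verifying a password: false means throttle or lock.
    pub fn is_allowed(&self, user: &str, now: u64) -> bool {
        self.recent_failures(user, now) < self.max_failures
    }

    /// Feed events in time order; returns the findings raised by this event.
    pub fn observe(&mut self, ev: &LoginEvent) -> Vec<Finding> {
        let mut out = Vec::new();
        if !ev.success {
            let window = self.failure_window;
            let q = self.failures.entry(ev.user.clone()).or_default();
            q.push_back(ev.at);
            // Drop failures that have aged out of the window.
            while q.front().map_or(false, |&t| ev.at.saturating_sub(t) >= window) {
                q.pop_front();
            }
            if q.len() >= self.max_failures {
                out.push(Finding::RateLimited { user: ev.user.clone(), failures: q.len() });
            }
            return out;
        }
        // A successful login resets the failure counter and is compared with the previous success.
        self.failures.remove(&ev.user);
        if let Some((prev_country, prev_at)) = self.last_success.get(&ev.user) {
            let apart = ev.at.saturating_sub(*prev_at);
            if prev_country != &ev.country && apart < self.travel_window {
                out.push(Finding::CountryChange {
                    user: ev.user.clone(),
                    from: prev_country.clone(),
                    to: ev.country.clone(),
                    seconds_apart: apart,
                });
            }
        }
        self.last_success.insert(ev.user.clone(), (ev.country.clone(), ev.at));
        out
    }
}

fn ev(user: &str, ip: &str, country: &str, at: u64, success: bool) -> LoginEvent {
    LoginEvent { user: user.into(), ip: ip.into(), country: country.into(), at, success }
}

/// Constructed sample log: a burst of failures, a legitimate login, then a
/// login from another country 15 minutes later, plus an unrelated user.
pub fn sample_events() -> Vec<LoginEvent> {
    vec![
        ev("alice", "198.51.100.7", "US", 0, false),
        ev("alice", "198.51.100.7", "US", 10, false),
        ev("alice", "198.51.100.7", "US", 20, false),
        ev("alice", "198.51.100.7", "US", 30, false),
        ev("alice", "198.51.100.7", "US", 40, false),
        ev("alice", "203.0.113.5", "US", 400, true),
        ev("alice", "198.51.100.200", "DE", 1300, true),
        ev("bob", "203.0.113.9", "FR", 1300, false),
        ev("bob", "203.0.113.9", "FR", 1310, true),
    ]
}

/// Runs the detector over the sample with 5 failures per 5 minutes and a 1-hour travel window.
pub fn run_sample() -> Vec<Finding> {
    let mut d = Detector::new(5, 300, 3600);
    let mut findings = Vec::new();
    for e in sample_events() {
        findings.extend(d.observe(&e));
    }
    findings
}
```

The thresholds (5 failures per 300 s, 3600 s between countries) are placeholders to tune per deployment; a `CountryChange` finding is the trigger for the "alert user/admin" step of the proposed flow, not proof of compromise, since VPNs and mobile roaming produce the same pattern.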

7. Session Analytics

// Admin dashboard features
- Active sessions per user
- Session duration analytics
- Geographic login patterns
- Device usage statistics

Success Metrics

User Experience

  • Session limit increased to 15
  • Users can view their active sessions
  • Users can revoke individual sessions
  • "Remember this device" functionality
  • Session activity tracking

Security

  • Session metadata collection
  • Suspicious activity detection
  • Failed login attempt tracking
  • Geographic login monitoring

Performance

  • Session queries optimized
  • Database indexes added
  • Session cleanup automation
  • Memory usage monitoring

Additional Notes

Current Session Flow

  1. User logs in → Creates new session
  2. Token refresh → Creates new session (revokes old)
  3. Session limit reached → Auto-revoke oldest
  4. Session expires → Automatic cleanup

Proposed Enhanced Flow

  1. User logs in → Creates session with metadata
  2. Token refresh → Updates session activity
  3. Session limit reached → Show user session management
  4. Suspicious activity → Alert user/admin
  5. Session expires → Automatic cleanup with analytics
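As an added example (not the project's code), the store below implements the proposed flow together with items 1, 3 and 4 above: session creation with metadata, the raised `MAX_SESSIONS` cap with eviction of the least-recently-active session when it is reached, activity updates on token refresh, owner-checked revocation for the `DELETE /api/v1/users/sessions/{id}` endpoint, `revoke-all` except the current session, and expiry cleanup. It is an in-memory stand-in for the `refresh_tokens` table, uses integer ids and Unix-second timestamps instead of `Uuid`/`DateTime<Utc>` so it runs without extra crates, and its eviction preference for non-remembered sessions is an assumption about how "Remember this device" should interact with the limit.

```rust
use std::collections::HashMap;

/// Per-user cap on concurrent sessions (the issue proposes raising it to 15).
pub const MAX_SESSIONS: usize = 15;
/// Refresh-token lifetime in seconds (30 days, matching the current setup).
pub const REFRESH_TTL_SECS: u64 = 30 * 24 * 60 * 60;

/// One refresh-token session with the metadata the issue proposes to store.
#[derive(Debug, Clone, PartialEq)]
pub struct Session {
    pub id: u64,
    pub user_id: u64,
    pub device_name: String,
    pub ip_address: String,
    pub created_at: u64,
    pub last_active: u64,
    pub is_remembered: bool,
    pub revoked: bool,
}

#[derive(Debug, PartialEq)]
pub enum RevokeError {
    /// Returned for unknown ids and for ids owned by another user alike, so a
    /// caller cannot use the endpoint to probe whether a session id exists.
    NotFound,
}

/// In-memory stand-in for the refresh_tokens table (hypothetical).
#[derive(Default)]
pub struct SessionStore {
    next_id: u64,
    sessions: HashMap<u64, Session>,
}

impl SessionStore {
    pub fn new() -> Self {
        Self::default()
    }

    /// GET /api/v1/users/sessions: active sessions of one user, most recently active first.
    pub fn list(&self, user_id: u64) -> Vec<Session> {
        let mut out: Vec<Session> = self
            .sessions
            .values()
            .filter(|s| s.user_id == user_id && !s.revoked)
            .cloned()
            .collect();
        out.sort_by(|a, b| b.last_active.cmp(&a.last_active));
        out
    }

    /// Login: record metadata and enforce MAX_SESSIONS. At the cap, the
    /// least-recently-active session is evicted, preferring sessions the user
    /// did not mark "remember this device" (assumed policy).
    pub fn create(&mut self, user_id: u64, device_name: &str, ip_address: &str, now: u64, remembered: bool) -> u64 {
        let mut active = self.list(user_id);
        if active.len() >= MAX_SESSIONS {
            active.sort_by_key(|s| (s.is_remembered, s.last_active));
            let victim = active[0].id;
            self.sessions.get_mut(&victim).expect("listed session exists").revoked = true;
        }
        self.next_id += 1;
        let id = self.next_id;
        self.sessions.insert(id, Session {
            id,
            user_id,
            device_name: device_name.to_string(),
            ip_address: ip_address.to_string(),
            created_at: now,
            last_active: now,
            is_remembered: remembered,
            revoked: false,
        });
        id
    }

    /// Token refresh in the proposed flow updates activity instead of creating
    /// a new session. Returns false if the session is unknown or revoked.
    pub fn touch(&mut self, id: u64, now: u64) -> bool {
        match self.sessions.get_mut(&id) {
            Some(s) if !s.revoked => {
                s.last_active = now;
                true
            }
            _ => false,
        }
    }

    /// DELETE /api/v1/users/sessions/{id}: only the owning user may revoke.
    pub fn revoke(&mut self, user_id: u64, id: u64) -> Result<(), RevokeError> {
        match self.sessions.get_mut(&id) {
            Some(s) if s.user_id == user_id && !s.revoked => {
                s.revoked = true;
                Ok(())
            }
            _ => Err(RevokeError::NotFound),
        }
    }

    /// POST /api/v1/users/sessions/revoke-all: every session except the
    /// caller's current one. Returns how many were revoked.
    pub fn revoke_all_except(&mut self, user_id: u64, current_id: u64) -> usize {
        let mut n = 0;
        for s in self.sessions.values_mut() {
            if s.user_id == user_id && s.id != current_id && !s.revoked {
                s.revoked = true;
                n += 1;
            }
        }
        n
    }

    /// Periodic cleanup: drop revoked rows and rows whose refresh token has
    /// expired. Returns how many rows were removed.
    pub fn cleanup(&mut self, now: u64) -> usize {
        let before = self.sessions.len();
        self.sessions
            .retain(|_, s| !s.revoked && now.saturating_sub(s.last_active) < REFRESH_TTL_SECS);
        before - self.sessions.len()
    }
}
```

The ownership check in `revoke` is the part worth carrying into the real handler: the session id in the URL must be joined with the authenticated user id in the query, otherwise any user who learns another user's session id can log them out.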

Testing Requirements

  • Unit tests for new session methods
  • Integration tests for session API
  • E2E tests for session management UI
  • Performance tests for session queries
  • Security tests for session validation
