Add LICENSE

Reviewed-on: #2

.gitignore

@@ -27,6 +27,7 @@ go.work.sum
 
 # env file
 .env
+.env.remote
 
 # key files
 *.pem

LICENSE

@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.

internal/admin/routes.go

@@ -21,7 +21,7 @@ func New(repo *repository.Queries, cfg *config.AppConfig) *AdminHandler {
 
 func (h *AdminHandler) RegisterRoutes(router chi.Router) {
 	router.Route("/admin", func(r chi.Router) {
-		authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
+		authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
 		adminMiddleware := imiddleware.NewAdminMiddleware(h.repo)
 		r.Use(authMiddleware.Runner, adminMiddleware.Runner)
 
@@ -37,7 +37,10 @@ func (h *AdminHandler) RegisterRoutes(router chi.Router) {
 		r.Get("/users/{id}", h.GetUser)
 
 		r.Get("/user-sessions", h.GetUserSessions)
+		r.Patch("/user-sessions/revoke/{id}", h.RevokeUserSession)
+
 		r.Get("/service-sessions", h.GetServiceSessions)
+		r.Patch("/service-sessions/revoke/{id}", h.RevokeUserSession)
 	})
 
 	router.Get("/api-services/client/{client_id}", h.GetApiServiceCID)

internal/admin/sessions.go

@@ -3,17 +3,20 @@ package admin
 import (
 	"encoding/json"
 	"log"
+	"math"
 	"net/http"
 	"strconv"
 
 	"gitea.local/admin/hspguard/internal/repository"
 	"gitea.local/admin/hspguard/internal/types"
 	"gitea.local/admin/hspguard/internal/web"
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
 )
 
 type GetSessionsParams struct {
-	Limit  int32 `json:"limit"`
+	PageSize int `json:"size"`
-	Offset int32 `json:"offset"`
+	Page     int `json:"page"`
 	// TODO: More filtering possibilities like onlyActive, expired, not-expired etc.
 }
 
@@ -22,17 +25,22 @@ func (h *AdminHandler) GetUserSessions(w http.ResponseWriter, r *http.Request) {
 
 	params := GetSessionsParams{}
 
-	if limit, err := strconv.Atoi(q.Get("limit")); err == nil {
+	if pageSize, err := strconv.Atoi(q.Get("size")); err == nil {
-		params.Limit = int32(limit)
+		params.PageSize = pageSize
+	} else {
+		params.PageSize = 15
 	}
 
-	if offset, err := strconv.Atoi(q.Get("offset")); err == nil {
+	if page, err := strconv.Atoi(q.Get("page")); err == nil {
-		params.Offset = int32(offset)
+		params.Page = page
+	} else {
+		web.Error(w, "page is required", http.StatusBadRequest)
+		return
 	}
 
 	sessions, err := h.repo.GetUserSessions(r.Context(), repository.GetUserSessionsParams{
-		Limit:  params.Limit,
+		Limit:  int32(params.PageSize),
-		Offset: params.Offset,
+		Offset: int32(params.Page-1) * int32(params.PageSize),
 	})
 	if err != nil {
 		log.Println("ERR: Failed to read user sessions from db:", err)
@@ -40,35 +48,81 @@ func (h *AdminHandler) GetUserSessions(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var mapped []*types.UserSessionDTO
+	totalSessions, err := h.repo.GetUserSessionsCount(r.Context())
+	if err != nil {
+		log.Println("ERR: Failed to get total count of user sessions:", err)
+		web.Error(w, "failed to retrieve sessions", http.StatusInternalServerError)
+		return
+	}
+
+	mapped := make([]*types.UserSessionDTO, 0)
 
 	for _, session := range sessions {
 		mapped = append(mapped, types.NewUserSessionDTO(&session))
 	}
 
-	if err := json.NewEncoder(w).Encode(mapped); err != nil {
+	type Response struct {
+		Items      []*types.UserSessionDTO `json:"items"`
+		Page       int                     `json:"page"`
+		TotalPages int                     `json:"total_pages"`
+	}
+
+	response := Response{
+		Items:      mapped,
+		Page:       params.Page,
+		TotalPages: int(math.Ceil(float64(totalSessions) / float64(params.PageSize))),
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := json.NewEncoder(w).Encode(response); err != nil {
 		log.Println("ERR: Failed to encode sessions in response:", err)
 		web.Error(w, "failed to encode sessions", http.StatusInternalServerError)
 		return
 	}
 }
 
+func (h *AdminHandler) RevokeUserSession(w http.ResponseWriter, r *http.Request) {
+	sessionId := chi.URLParam(r, "id")
+	parsed, err := uuid.Parse(sessionId)
+	if err != nil {
+		web.Error(w, "provided service id is not valid", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.repo.RevokeUserSession(r.Context(), parsed); err != nil {
+		log.Println("ERR: Failed to revoke user session:", err)
+		web.Error(w, "failed to revoke user session", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte("{\"success\":true}"))
+}
+
 func (h *AdminHandler) GetServiceSessions(w http.ResponseWriter, r *http.Request) {
 	q := r.URL.Query()
 
 	params := GetSessionsParams{}
 
-	if limit, err := strconv.Atoi(q.Get("limit")); err == nil {
+	if pageSize, err := strconv.Atoi(q.Get("size")); err == nil {
-		params.Limit = int32(limit)
+		params.PageSize = pageSize
+	} else {
+		params.PageSize = 15
 	}
 
-	if offset, err := strconv.Atoi(q.Get("offset")); err == nil {
+	if page, err := strconv.Atoi(q.Get("page")); err == nil {
-		params.Offset = int32(offset)
+		params.Page = page
+	} else {
+		web.Error(w, "page is required", http.StatusBadRequest)
+		return
 	}
 
 	sessions, err := h.repo.GetServiceSessions(r.Context(), repository.GetServiceSessionsParams{
-		Limit:  params.Limit,
+		Limit:  int32(params.PageSize),
-		Offset: params.Offset,
+		Offset: int32(params.Page-1) * int32(params.PageSize),
 	})
 	if err != nil {
 		log.Println("ERR: Failed to read api sessions from db:", err)
@@ -76,14 +130,53 @@ func (h *AdminHandler) GetServiceSessions(w http.ResponseWriter, r *http.Request
 		return
 	}
 
-	var mapped []*types.ServiceSessionDTO
+	totalSessions, err := h.repo.GetServiceSessionsCount(r.Context())
+	if err != nil {
+		log.Println("ERR: Failed to get total count of service sessions:", err)
+		web.Error(w, "failed to retrieve sessions", http.StatusInternalServerError)
+		return
+	}
+
+	mapped := make([]*types.ServiceSessionDTO, 0)
 
 	for _, session := range sessions {
 		mapped = append(mapped, types.NewServiceSessionDTO(&session))
 	}
 
-	if err := json.NewEncoder(w).Encode(sessions); err != nil {
+	type Response struct {
+		Items      []*types.ServiceSessionDTO `json:"items"`
+		Page       int                        `json:"page"`
+		TotalPages int                        `json:"total_pages"`
+	}
+
+	response := Response{
+		Items:      mapped,
+		Page:       params.Page,
+		TotalPages: int(math.Ceil(float64(totalSessions) / float64(params.PageSize))),
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := json.NewEncoder(w).Encode(response); err != nil {
 		log.Println("ERR: Failed to encode sessions in response:", err)
 		web.Error(w, "failed to encode sessions", http.StatusInternalServerError)
 	}
 }
+
+func (h *AdminHandler) RevokeServiceSession(w http.ResponseWriter, r *http.Request) {
+	sessionId := chi.URLParam(r, "id")
+	parsed, err := uuid.Parse(sessionId)
+	if err != nil {
+		web.Error(w, "provided service id is not valid", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.repo.RevokeServiceSession(r.Context(), parsed); err != nil {
+		log.Println("ERR: Failed to revoke service session:", err)
+		web.Error(w, "failed to revoke service session", http.StatusInternalServerError)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte("{\"success\":true}"))
+}

internal/auth/routes.go

@@ -20,21 +20,7 @@ type AuthHandler struct {
 	cfg   *config.AppConfig
 }
 
-type SignedToken struct {
+func (h *AuthHandler) signTokens(user *repository.User) (*types.SignedToken, *types.SignedToken, error) {
-	Token     string
-	ExpiresAt time.Time
-	ID        uuid.UUID
-}
-
-func NewSignedToken(token string, expiresAt time.Time, jti uuid.UUID) *SignedToken {
-	return &SignedToken{
-		Token:     token,
-		ExpiresAt: expiresAt,
-		ID:        jti,
-	}
-}
-
-func (h *AuthHandler) signTokens(user *repository.User) (*SignedToken, *SignedToken, error) {
 	accessExpiresAt := time.Now().Add(15 * time.Minute)
 	accessJTI := uuid.New()
 
@@ -75,7 +61,7 @@ func (h *AuthHandler) signTokens(user *repository.User) (*SignedToken, *SignedTo
 		return nil, nil, err
 	}
 
-	return NewSignedToken(accessToken, accessExpiresAt, accessJTI), NewSignedToken(refreshToken, refreshExpiresAt, refreshJTI), nil
+	return types.NewSignedToken(accessToken, accessExpiresAt, accessJTI), types.NewSignedToken(refreshToken, refreshExpiresAt, refreshJTI), nil
 }
 
 func NewAuthHandler(repo *repository.Queries, cache *cache.Client, cfg *config.AppConfig) *AuthHandler {
@@ -89,7 +75,7 @@ func NewAuthHandler(repo *repository.Queries, cache *cache.Client, cfg *config.A
 func (h *AuthHandler) RegisterRoutes(api chi.Router) {
 	api.Route("/auth", func(r chi.Router) {
 		r.Group(func(protected chi.Router) {
-			authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
+			authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
 			protected.Use(authMiddleware.Runner)
 
 			protected.Get("/profile", h.getProfile)

internal/middleware/auth.go

@@ -3,22 +3,27 @@ package middleware
 import (
 	"context"
 	"fmt"
+	"log"
 	"net/http"
 	"strings"
 
 	"gitea.local/admin/hspguard/internal/config"
+	"gitea.local/admin/hspguard/internal/repository"
 	"gitea.local/admin/hspguard/internal/types"
 	"gitea.local/admin/hspguard/internal/util"
 	"gitea.local/admin/hspguard/internal/web"
+	"github.com/google/uuid"
 )
 
 type AuthMiddleware struct {
 	cfg  *config.AppConfig
+	repo *repository.Queries
 }
 
-func NewAuthMiddleware(cfg *config.AppConfig) *AuthMiddleware {
+func NewAuthMiddleware(cfg *config.AppConfig, repo *repository.Queries) *AuthMiddleware {
 	return &AuthMiddleware{
 		cfg,
+		repo,
 	}
 }
 
@@ -45,6 +50,26 @@ func (m *AuthMiddleware) Runner(next http.Handler) http.Handler {
 			return
 		}
 
+		// TODO: redis caching
+		parsed, err := uuid.Parse(userClaims.ID)
+		if err != nil {
+			log.Printf("ERR: Failed to parse token JTI '%s': %v\n", userClaims.ID, err)
+			web.Error(w, "failed to get session", http.StatusUnauthorized)
+			return
+		}
+		session, err := m.repo.GetUserSessionByAccessJTI(r.Context(), &parsed)
+		if err != nil {
+			log.Printf("ERR: Failed to find session with '%s' JTI: %v\n", parsed.String(), err)
+			web.Error(w, "no session found", http.StatusUnauthorized)
+			return
+		}
+
+		if !session.IsActive {
+			log.Printf("INFO: Inactive session trying to authorize: %s\n", session.AccessTokenID)
+			web.Error(w, "no session found", http.StatusUnauthorized)
+			return
+		}
+
 		ctx := context.WithValue(r.Context(), types.UserIdKey, userClaims.Subject)
 		ctx = context.WithValue(ctx, types.JTIKey, userClaims.ID)
 		next.ServeHTTP(w, r.WithContext(ctx))

internal/oauth/routes.go

@@ -25,7 +25,7 @@ func NewOAuthHandler(repo *repository.Queries, cache *cache.Client, cfg *config.
 func (h *OAuthHandler) RegisterRoutes(router chi.Router) {
 	router.Route("/oauth", func(r chi.Router) {
 		r.Group(func(protected chi.Router) {
-			authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
+			authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
 			protected.Use(authMiddleware.Runner)
 
 			protected.Post("/code", h.getAuthCode)

internal/oauth/token.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
+	"math"
 	"net/http"
 	"strings"
 	"time"
@@ -17,20 +18,10 @@ import (
 	"github.com/google/uuid"
 )
 
-type ApiToken struct {
+func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *repository.ApiService, nonce *string) (*types.SignedToken, *types.SignedToken, *types.SignedToken, error) {
-	Token      string
-	Expiration float64
-}
-
-type ApiTokens struct {
-	ID      ApiToken
-	Access  ApiToken
-	Refresh ApiToken
-}
-
-func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *repository.ApiService, nonce *string) (*ApiTokens, error) {
 	accessExpiresIn := 15 * time.Minute
 	accessExpiresAt := time.Now().Add(accessExpiresIn)
+	accessJTI := uuid.New()
 
 	accessClaims := types.ApiClaims{
 		Permissions: []string{},
@@ -40,12 +31,13 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
 			Audience:  jwt.ClaimStrings{apiService.ClientID},
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			ExpiresAt: jwt.NewNumericDate(accessExpiresAt),
+			ID:        accessJTI.String(),
 		},
 	}
 
 	access, err := util.SignJwtToken(accessClaims, h.cfg.Jwt.PrivateKey)
 	if err != nil {
-		return nil, err
+		return nil, nil, nil, err
 	}
 
 	var roles = []string{"user"}
@@ -56,6 +48,7 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
 
 	idExpiresIn := 15 * time.Minute
 	idExpiresAt := time.Now().Add(idExpiresIn)
+	idJTI := uuid.New()
 
 	idClaims := types.IdTokenClaims{
 		Email:         user.Email,
@@ -70,16 +63,18 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
 			Audience:  jwt.ClaimStrings{apiService.ClientID},
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			ExpiresAt: jwt.NewNumericDate(idExpiresAt),
+			ID:        idJTI.String(),
 		},
 	}
 
 	idToken, err := util.SignJwtToken(idClaims, h.cfg.Jwt.PrivateKey)
 	if err != nil {
-		return nil, err
+		return nil, nil, nil, err
 	}
 
 	refreshExpiresIn := 24 * time.Hour
 	refreshExpiresAt := time.Now().Add(refreshExpiresIn)
+	refreshJTI := uuid.New()
 
 	refreshClaims := types.ApiRefreshClaims{
 		UserID: user.ID.String(),
@@ -89,28 +84,16 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
 			Audience:  jwt.ClaimStrings{apiService.ClientID},
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			ExpiresAt: jwt.NewNumericDate(refreshExpiresAt),
+			ID:        refreshJTI.String(),
 		},
 	}
 
 	refresh, err := util.SignJwtToken(refreshClaims, h.cfg.Jwt.PrivateKey)
 	if err != nil {
-		return nil, err
+		return nil, nil, nil, err
 	}
 
-	return &ApiTokens{
+	return types.NewSignedToken(idToken, idExpiresAt, idJTI), types.NewSignedToken(access, accessExpiresAt, accessJTI), types.NewSignedToken(refresh, refreshExpiresAt, refreshJTI), nil
-		ID: ApiToken{
-			Token:      idToken,
-			Expiration: idExpiresIn.Seconds(),
-		},
-		Access: ApiToken{
-			Token:      access,
-			Expiration: accessExpiresIn.Seconds(),
-		},
-		Refresh: ApiToken{
-			Token:      refresh,
-			Expiration: refreshExpiresIn.Seconds(),
-		},
-	}, nil
 }
 
 func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
@@ -174,40 +157,71 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 
 		fmt.Printf("Code received: %s\n", code)
 
-		session, err := h.cache.GetAuthCode(r.Context(), code)
+		codeSession, err := h.cache.GetAuthCode(r.Context(), code)
 		if err != nil {
 			log.Printf("ERR: Failed to find session under the code %s: %v\n", code, err)
 			web.Error(w, "no session found under this auth code", http.StatusNotFound)
 			return
 		}
 
-		log.Printf("DEBUG: Fetched code session: %#v\n", session)
+		log.Printf("DEBUG: Fetched code session: %#v\n", codeSession)
 
-		apiService, err := h.repo.GetApiServiceCID(r.Context(), session.ClientID)
+		apiService, err := h.repo.GetApiServiceCID(r.Context(), codeSession.ClientID)
 		if err != nil {
-			log.Printf("ERR: Could not find API service with client %s: %v\n", session.ClientID, err)
+			log.Printf("ERR: Could not find API service with client %s: %v\n", codeSession.ClientID, err)
 			web.Error(w, "service is not registered", http.StatusForbidden)
 			return
 		}
 
-		if session.ClientID != clientId {
+		if codeSession.ClientID != clientId {
 			web.Error(w, "invalid auth", http.StatusUnauthorized)
 			return
 		}
 
-		user, err := h.repo.FindUserId(r.Context(), uuid.MustParse(session.UserID))
+		user, err := h.repo.FindUserId(r.Context(), uuid.MustParse(codeSession.UserID))
 		if err != nil {
 			web.Error(w, "requested user not found", http.StatusNotFound)
 			return
 		}
 
-		tokens, err := h.signApiTokens(&user, &apiService, &session.Nonce)
+		id, access, refresh, err := h.signApiTokens(&user, &apiService, &codeSession.Nonce)
 		if err != nil {
 			log.Println("ERR: Failed to sign api tokens:", err)
 			web.Error(w, "failed to sign tokens", http.StatusInternalServerError)
 			return
 		}
 
+		log.Printf("DEBUG: Created api tokens: %v\n\n%v\n\n%v\n", id.ID.String(), access.ID.String(), refresh.ID.String())
+
+		userId, err := uuid.Parse(codeSession.UserID)
+		if err != nil {
+			log.Printf("ERR: Failed to parse user '%s' uuid: %v\n", codeSession.UserID, err)
+			web.Error(w, "failed to sign tokens", http.StatusInternalServerError)
+			return
+		}
+
+		ipAddr := util.GetClientIP(r)
+		ua := r.UserAgent()
+
+		session, err := h.repo.CreateServiceSession(r.Context(), repository.CreateServiceSessionParams{
+			ServiceID:      apiService.ID,
+			ClientID:       apiService.ClientID,
+			UserID:         &userId,
+			ExpiresAt:      &refresh.ExpiresAt,
+			LastActive:     nil,
+			IpAddress:      &ipAddr,
+			UserAgent:      &ua,
+			AccessTokenID:  &access.ID,
+			RefreshTokenID: &refresh.ID,
+		})
+		if err != nil {
+			log.Printf("ERR: Failed to create new service session: %v\n", err)
+			web.Error(w, "failed to create session", http.StatusInternalServerError)
+			return
+		}
+
+		log.Printf("INFO: Service session created for '%s' client_id with '%s' id\n", apiService.ClientID, session.ID.String())
+
 		type Response struct {
 			IdToken      string  `json:"id_token"`
 			TokenType    string  `json:"token_type"`
@@ -219,11 +233,11 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 		}
 
 		response := Response{
-			IdToken:      tokens.ID.Token,
+			IdToken:      id.Token,
 			TokenType:    "Bearer",
-			AccessToken:  tokens.Access.Token,
+			AccessToken:  access.Token,
-			RefreshToken: tokens.Refresh.Token,
+			RefreshToken: refresh.Token,
-			ExpiresIn:    tokens.Access.Expiration,
+			ExpiresIn:    math.Ceil(access.ExpiresAt.Sub(time.Now()).Seconds()),
 			Email:        user.Email,
 		}
 
@@ -256,6 +270,26 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
+		refreshJTI, err := uuid.Parse(claims.ID)
+		if err != nil {
+			log.Printf("ERR: Failed to parse refresh token JTI as uuid: %v\n", err)
+			web.Error(w, "failed to refresh token", http.StatusInternalServerError)
+			return
+		}
+
+		session, err := h.repo.GetServiceSessionByRefreshJTI(r.Context(), &refreshJTI)
+		if err != nil {
+			log.Printf("ERR: Failed to find session by '%s' refresh jti: %v\n", refreshJTI.String(), err)
+			web.Error(w, "session invalid", http.StatusUnauthorized)
+			return
+		}
+
+		if !session.IsActive {
+			log.Printf("INFO: Session with id '%s' is not active", session.ID.String())
+			web.Error(w, "session ended", http.StatusUnauthorized)
+			return
+		}
+
 		userID, err := uuid.Parse(claims.UserID)
 		if err != nil {
 			web.Error(w, "invalid user credentials in refresh token", http.StatusBadRequest)
@@ -269,7 +303,18 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
-		tokens, err := h.signApiTokens(&user, &apiService, nil)
+		id, access, refresh, err := h.signApiTokens(&user, &apiService, nil)
+
+		if err := h.repo.UpdateServiceSessionTokens(r.Context(), repository.UpdateServiceSessionTokensParams{
+			ID:             session.ID,
+			AccessTokenID:  &access.ID,
+			RefreshTokenID: &refresh.ID,
+			ExpiresAt:      &refresh.ExpiresAt,
+		}); err != nil {
+			log.Printf("ERR: Failed to update service session with '%s' id: %v\n", session.ID.String(), err)
+			web.Error(w, "failed to update session", http.StatusInternalServerError)
+			return
+		}
 
 		type Response struct {
 			IdToken      string  `json:"id_token"`
@@ -280,11 +325,11 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 		}
 
 		response := Response{
-			IdToken:      tokens.ID.Token,
+			IdToken:      id.Token,
 			TokenType:    "Bearer",
-			AccessToken:  tokens.Access.Token,
+			AccessToken:  access.Token,
-			RefreshToken: tokens.Refresh.Token,
+			RefreshToken: refresh.Token,
-			ExpiresIn:    tokens.Access.Expiration,
+			ExpiresIn:    math.Ceil(access.ExpiresAt.Sub(time.Now()).Seconds()),
 		}
 
 		log.Printf("DEBUG: refresh - sending following response: %#v\n", response)

internal/repository/service_sessions.sql.go

@@ -20,7 +20,7 @@ INSERT INTO service_sessions (
 ) VALUES (
     $1, $2, $3, NOW(), $4, $5,
     $6, $7, $8, $9,
-    TRUE, $8, $9
+    TRUE, $10, $11
 )
 RETURNING id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims
 `
@@ -35,6 +35,8 @@ type CreateServiceSessionParams struct {
 	UserAgent      *string    `json:"user_agent"`
 	AccessTokenID  *uuid.UUID `json:"access_token_id"`
 	RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
+	Scope          *string    `json:"scope"`
+	Claims         []byte     `json:"claims"`
 }
 
 func (q *Queries) CreateServiceSession(ctx context.Context, arg CreateServiceSessionParams) (ServiceSession, error) {
@@ -48,6 +50,8 @@ func (q *Queries) CreateServiceSession(ctx context.Context, arg CreateServiceSes
 		arg.UserAgent,
 		arg.AccessTokenID,
 		arg.RefreshTokenID,
+		arg.Scope,
+		arg.Claims,
 	)
 	var i ServiceSession
 	err := row.Scan(
@@ -102,7 +106,6 @@ func (q *Queries) GetServiceSessionByAccessJTI(ctx context.Context, accessTokenI
 const getServiceSessionByRefreshJTI = `-- name: GetServiceSessionByRefreshJTI :one
 SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
 WHERE refresh_token_id = $1
-  AND is_active = TRUE
 `
 
 func (q *Queries) GetServiceSessionByRefreshJTI(ctx context.Context, refreshTokenID *uuid.UUID) (ServiceSession, error) {
@@ -210,6 +213,17 @@ func (q *Queries) GetServiceSessions(ctx context.Context, arg GetServiceSessions
 	return items, nil
 }
 
+const getServiceSessionsCount = `-- name: GetServiceSessionsCount :one
+SELECT COUNT(*) FROM service_sessions
+`
+
+func (q *Queries) GetServiceSessionsCount(ctx context.Context) (int64, error) {
+	row := q.db.QueryRow(ctx, getServiceSessionsCount)
+	var count int64
+	err := row.Scan(&count)
+	return count, err
+}
+
 const listActiveServiceSessionsByClient = `-- name: ListActiveServiceSessionsByClient :many
 SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
 WHERE client_id = $1
@@ -379,3 +393,27 @@ func (q *Queries) UpdateServiceSessionLastActive(ctx context.Context, id uuid.UU
 	_, err := q.db.Exec(ctx, updateServiceSessionLastActive, id)
 	return err
 }
+
+const updateServiceSessionTokens = `-- name: UpdateServiceSessionTokens :exec
+UPDATE service_sessions
+SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
+WHERE id = $1
+  AND is_active = TRUE
+`
+
+type UpdateServiceSessionTokensParams struct {
+	ID             uuid.UUID  `json:"id"`
+	AccessTokenID  *uuid.UUID `json:"access_token_id"`
+	RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
+	ExpiresAt      *time.Time `json:"expires_at"`
+}
+
+func (q *Queries) UpdateServiceSessionTokens(ctx context.Context, arg UpdateServiceSessionTokensParams) error {
+	_, err := q.db.Exec(ctx, updateServiceSessionTokens,
+		arg.ID,
+		arg.AccessTokenID,
+		arg.RefreshTokenID,
+		arg.ExpiresAt,
+	)
+	return err
+}

internal/repository/user_sessions.sql.go

@@ -98,7 +98,6 @@ func (q *Queries) GetUserSessionByAccessJTI(ctx context.Context, accessTokenID *
 const getUserSessionByRefreshJTI = `-- name: GetUserSessionByRefreshJTI :one
 SELECT id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at FROM user_sessions
 WHERE refresh_token_id = $1
-  AND is_active = TRUE
 `
 
 func (q *Queries) GetUserSessionByRefreshJTI(ctx context.Context, refreshTokenID *uuid.UUID) (UserSession, error) {
@@ -188,6 +187,17 @@ func (q *Queries) GetUserSessions(ctx context.Context, arg GetUserSessionsParams
 	return items, nil
 }
 
+const getUserSessionsCount = `-- name: GetUserSessionsCount :one
+SELECT COUNT(*) FROM user_sessions
+`
+
+func (q *Queries) GetUserSessionsCount(ctx context.Context) (int64, error) {
+	row := q.db.QueryRow(ctx, getUserSessionsCount)
+	var count int64
+	err := row.Scan(&count)
+	return count, err
+}
+
 const listActiveUserSessions = `-- name: ListActiveUserSessions :many
 SELECT id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at FROM user_sessions
 WHERE user_id = $1

internal/types/token.go

@@ -0,0 +1,21 @@
+package types
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type SignedToken struct {
+	Token     string
+	ExpiresAt time.Time
+	ID        uuid.UUID
+}
+
+func NewSignedToken(token string, expiresAt time.Time, jti uuid.UUID) *SignedToken {
+	return &SignedToken{
+		Token:     token,
+		ExpiresAt: expiresAt,
+		ID:        jti,
+	}
+}

internal/user/routes.go

@@ -38,7 +38,7 @@ func NewUserHandler(repo *repository.Queries, minio *storage.FileStorage, cfg *c
 
 func (h *UserHandler) RegisterRoutes(api chi.Router) {
 	api.Group(func(protected chi.Router) {
-		authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
+		authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
 		protected.Use(authMiddleware.Runner)
 
 		protected.Put("/avatar", h.uploadAvatar)

queries/service_sessions.sql

@@ -6,7 +6,7 @@ INSERT INTO service_sessions (
 ) VALUES (
     $1, $2, $3, NOW(), $4, $5,
     $6, $7, $8, $9,
-    TRUE, $8, $9
+    TRUE, $10, $11
 )
 RETURNING *;
 
@@ -31,8 +31,7 @@ WHERE access_token_id = $1
 
 -- name: GetServiceSessionByRefreshJTI :one
 SELECT * FROM service_sessions
-WHERE refresh_token_id = $1
+WHERE refresh_token_id = $1;
-  AND is_active = TRUE;
 
 -- name: RevokeServiceSession :exec
 UPDATE service_sessions
@@ -47,6 +46,12 @@ SET last_active = NOW()
 WHERE id = $1
   AND is_active = TRUE;
 
+-- name: UpdateServiceSessionTokens :exec
+UPDATE service_sessions
+SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
+WHERE id = $1
+  AND is_active = TRUE;
+
 -- name: ListAllServiceSessions :many
 SELECT * FROM service_sessions
 ORDER BY issued_at DESC
@@ -59,3 +64,6 @@ JOIN api_services AS service ON service.id = session.service_id
 JOIN users AS u ON u.id = session.user_id
 ORDER BY session.issued_at DESC
 LIMIT $1 OFFSET $2;
+
+-- name: GetServiceSessionsCount :one
+SELECT COUNT(*) FROM service_sessions;

queries/user_sessions.sql

@@ -23,8 +23,7 @@ WHERE access_token_id = $1
 
 -- name: GetUserSessionByRefreshJTI :one
 SELECT * FROM user_sessions
-WHERE refresh_token_id = $1
+WHERE refresh_token_id = $1;
-  AND is_active = TRUE;
 
 -- name: RevokeUserSession :exec
 UPDATE user_sessions
@@ -56,3 +55,6 @@ FROM user_sessions AS session
 JOIN users AS u ON u.id = session.user_id
 ORDER BY session.issued_at DESC
 LIMIT $1 OFFSET $2;
+
+-- name: GetUserSessionsCount :one
+SELECT COUNT(*) FROM user_sessions;

web/src/App.tsx

@@ -25,7 +25,8 @@ import VerifyEmailPage from "./pages/Verify/Email";
 import VerifyEmailOtpPage from "./pages/Verify/Email/OTP";
 import VerifyAvatarPage from "./pages/Verify/Avatar";
 import VerifyReviewPage from "./pages/Verify/Review";
-import AdminSessionsPage from "./pages/Admin/UserSessions";
+import AdminUserSessionsPage from "./pages/Admin/UserSessions";
+import AdminServiceSessionsPage from "./pages/Admin/ServiceSessions";
 
 const router = createBrowserRouter([
   {
@@ -84,7 +85,13 @@ const router = createBrowserRouter([
               },
               {
                 path: "user-sessions",
-                children: [{ index: true, element: <AdminSessionsPage /> }],
+                children: [{ index: true, element: <AdminUserSessionsPage /> }],
+              },
+              {
+                path: "service-sessions",
+                children: [
+                  { index: true, element: <AdminServiceSessionsPage /> },
+                ],
               },
             ],
           },

web/src/api/admin/sessions.ts

@@ -2,11 +2,15 @@ import type { ServiceSession, UserSession } from "@/types";
 import { axios, handleApiError } from "..";
 
 export interface FetchUserSessionsRequest {
-  limit: number;
+  page: number;
-  offset: number;
+  size: number;
 }
 
-export type FetchUserSessionsResponse = UserSession[];
+export interface FetchUserSessionsResponse {
+  items: UserSession[];
+  page: number;
+  total_pages: number;
+}
 
 export const adminGetUserSessionsApi = async (
   req: FetchUserSessionsRequest,
@@ -24,12 +28,27 @@ export const adminGetUserSessionsApi = async (
   return response.data;
 };
 
+export const adminRevokeUserSessionApi = async (
+  sessionId: string,
+): Promise<void> => {
+  const response = await axios.patch<FetchServiceSessionsResponse>(
+    `/api/v1/admin/user-sessions/revoke/${sessionId}`,
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+};
+
 export interface FetchServiceSessionsRequest {
-  limit: number;
+  page: number;
-  offset: number;
+  size: number;
 }
 
-export type FetchServiceSessionsResponse = ServiceSession[];
+export interface FetchServiceSessionsResponse {
+  items: ServiceSession[];
+  page: number;
+  total_pages: number;
+}
 
 export const adminGetServiceSessionsApi = async (
   req: FetchServiceSessionsRequest,
@@ -46,3 +65,14 @@ export const adminGetServiceSessionsApi = async (
 
   return response.data;
 };
+
+export const adminRevokeServiceSessionApi = async (
+  sessionId: string,
+): Promise<void> => {
+  const response = await axios.patch<FetchServiceSessionsResponse>(
+    `/api/v1/admin/service-sessions/revoke/${sessionId}`,
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+};

web/src/hooks/barItems.tsx

@@ -1,5 +1,5 @@
 import { useAuth } from "@/store/auth";
-import { Blocks, Home, User, UserLock, Users } from "lucide-react";
+import { Blocks, EarthLock, Home, User, UserLock, Users } from "lucide-react";
 import { useCallback, type ReactNode } from "react";
 import { useLocation } from "react-router";
 
@@ -87,6 +87,12 @@ export const useBarItems = (): [Item[], (item: Item) => boolean] => {
               tab: "admin.user-sessions",
               pathname: "/admin/user-sessions",
             },
+            {
+              icon: <EarthLock />,
+              title: "Service Sessions",
+              tab: "admin.service-sessions",
+              pathname: "/admin/service-sessions",
+            },
           ]
         : []),
     ],

web/src/pages/Admin/ApiServices/Create/index.tsx

@@ -5,7 +5,7 @@ import ApiServiceCredentialsModal from "@/feature/ApiServiceCredentialsModal";
 import { useApiServices } from "@/store/admin/apiServices";
 import { useCallback, type FC } from "react";
 import { useForm } from "react-hook-form";
-import { Link, useNavigate } from "react-router";
+import { Link } from "react-router";
 
 interface FormData {
   name: string;
@@ -32,12 +32,10 @@ const ApiServiceCreatePage: FC = () => {
 
   const credentials = useApiServices((state) => state.createdCredentials);
 
-  const navigate = useNavigate();
-
   const onSubmit = useCallback(
     async (data: FormData) => {
       console.log("Form submitted:", data);
-      const success = await createApiService({
+      await createApiService({
         name: data.name,
         description: data.description ?? "",
         redirect_uris: data.redirectUris.trim().split("\n"),
@@ -47,11 +45,11 @@ const ApiServiceCreatePage: FC = () => {
           : ["authorization_code"],
         is_active: data.enabled,
       });
-      if (success) {
+      // if (success) {
-        navigate("/admin/api-services");
+      //   navigate("/admin/api-services");
-      }
+      // }
     },
-    [createApiService, navigate],
+    [createApiService],
   );
 
   return (

web/src/pages/Admin/ServiceSessions/index.tsx

@@ -0,0 +1,214 @@
+import Breadcrumbs from "@/components/ui/breadcrumbs";
+import { Button } from "@/components/ui/button";
+import Avatar from "@/feature/Avatar";
+import { Ban } from "lucide-react";
+import { useCallback, useEffect, type FC } from "react";
+import { Link } from "react-router";
+import moment from "moment";
+import Pagination from "@/components/ui/pagination";
+import { useAuth } from "@/store/auth";
+import { useServiceSessions } from "@/store/admin/serviceSessions";
+
+const AdminServiceSessionsPage: FC = () => {
+  const loading = useServiceSessions((s) => s.loading);
+  const sessions = useServiceSessions((s) => s.items);
+
+  const page = useServiceSessions((s) => s.page);
+  const totalPages = useServiceSessions((s) => s.totalPages);
+
+  const fetchSessions = useServiceSessions((s) => s.fetch);
+  const revokeSession = useServiceSessions((s) => s.revoke);
+
+  const revokingId = useServiceSessions((s) => s.revokingId);
+
+  const profile = useAuth((s) => s.profile);
+
+  const handleRevokeSession = useCallback(
+    (id: string) => {
+      revokeSession(id);
+    },
+    [revokeSession],
+  );
+
+  useEffect(() => {
+    fetchSessions(1);
+  }, [fetchSessions]);
+
+  return (
+    <div className="relative flex flex-col items-stretch w-full">
+      <div className="p-4">
+        <Breadcrumbs
+          className="pb-2"
+          items={[
+            {
+              href: "/admin",
+              label: "Admin",
+            },
+            {
+              label: "Service Sessions",
+            },
+          ]}
+        />
+      </div>
+      <div className="p-4 flex flex-row items-center justify-between">
+        <p className="text-gray-800 dark:text-gray-300">Search...</p>
+        {/* TODO: Filters */}
+      </div>
+
+      <div className="flex-1 overflow-x-auto">
+        <table className="relative min-w-full border-l-0 border border-gray-300 dark:border-gray-700 border-collapse divide-y divide-gray-200 dark:divide-gray-800">
+          {loading && (
+            <div className="absolute inset-0 z-10 flex items-center justify-center bg-white/60 dark:bg-gray-900/60 backdrop-blur-sm">
+              <div className="text-gray-800 dark:text-gray-200 font-medium">
+                Loading...
+              </div>
+            </div>
+          )}
+
+          <thead className="bg-black/5 dark:bg-white/5 text-nowrap">
+            <tr>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Service
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                User + IP
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Status
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Issued At
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Expires At
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Last Active
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Revoked At
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Actions
+              </th>
+            </tr>
+          </thead>
+          <tbody className="divide-y divide-gray-200 dark:divide-gray-700">
+            {!loading && sessions.length === 0 ? (
+              <tr>
+                <td
+                  colSpan={5}
+                  className="px-6 py-12 text-center text-gray-500 dark:text-gray-400"
+                >
+                  No sessions found.
+                </td>
+              </tr>
+            ) : (
+              sessions.map((session) => (
+                <tr
+                  key={session.id}
+                  className="hover:bg-gray-50 dark:hover:bg-gray-800"
+                >
+                  <td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
+                    {/* <SessionSource deviceInfo={session.} /> */}
+                    {typeof session.api_service?.icon_url === "string" && (
+                      <Avatar
+                        avatarId={session.api_service.icon_url}
+                        className="w-7 h-7 min-w-7"
+                      />
+                    )}
+                    <Link to={`/admin/api-services/view/${session.service_id}`}>
+                      <p className="cursor-pointer text-blue-500 text-nowrap">
+                        {session.api_service?.name ?? session.client_id}
+                      </p>
+                    </Link>
+                  </td>
+
+                  <td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
+                    <div className="flex flex-col items-stretch gap-2 justify-start">
+                      <div className="flex flex-row items-center gap-2 justify-start">
+                        {typeof session.user?.profile_picture === "string" && (
+                          <Avatar
+                            avatarId={session.user.profile_picture}
+                            className="w-7 h-7 min-w-7"
+                          />
+                        )}
+
+                        <div className="flex flex-col items-stretch justify-center">
+                          <Link to={`/admin/users/view/${session.user_id}`}>
+                            <p className="cursor-pointer text-blue-500 text-nowrap">
+                              {session.user?.full_name ?? ""}{" "}
+                              {session.user_id === profile?.id ? "(You)" : ""}
+                            </p>
+                          </Link>
+                          <p className="opacity-75">
+                            {session.ip_address ?? "No IP available"}
+                          </p>
+                        </div>
+                      </div>
+                    </div>
+                  </td>
+                  <td className="px-5 py-3 text-sm border border-gray-300 dark:border-gray-700">
+                    <span
+                      className={`inline-block px-2 py-1 text-xs rounded-full font-semibold ${
+                        !session.is_active ||
+                        (session.expires_at &&
+                          moment(session.expires_at).isSameOrBefore(
+                            moment(new Date()),
+                          ))
+                          ? "bg-red-100 text-red-800 dark:bg-red-900 dark:text-red-300"
+                          : "bg-green-100 text-green-800 dark:bg-green-900 dark:text-green-300"
+                      }`}
+                    >
+                      {session.is_active ? "Active" : "Inactive"}
+                      {moment(session.expires_at).isSameOrBefore(
+                        moment(new Date()),
+                      ) && " (Expired)"}
+                    </span>
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {moment(session.issued_at).format("LLLL")}
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {session.expires_at
+                      ? moment(session.expires_at).format("LLLL")
+                      : "never"}
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {session.last_active
+                      ? moment(session.last_active).format("LLLL")
+                      : "never"}
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {session.revoked_at
+                      ? new Date(session.revoked_at).toLocaleString()
+                      : "never"}
+                  </td>
+                  <td>
+                    <div className="flex flex-row items-center justify-center gap-2">
+                      <Button
+                        variant="contained"
+                        className="bg-red-500 hover:bg-red-600 !px-1.5 !py-1.5"
+                        onClick={() => handleRevokeSession(session.id)}
+                        disabled={revokingId === session.id}
+                      >
+                        <Ban size={18} />
+                      </Button>
+                    </div>
+                  </td>
+                </tr>
+              ))
+            )}
+          </tbody>
+        </table>
+      </div>
+      <Pagination
+        currentPage={page}
+        onPageChange={(newPage) => fetchSessions(newPage)}
+        totalPages={totalPages}
+      />
+    </div>
+  );
+};
+
+export default AdminServiceSessionsPage;

web/src/pages/Admin/UserSessions/index.tsx

@@ -1,13 +1,14 @@
-import { adminGetUserSessionsApi } from "@/api/admin/sessions";
 import Breadcrumbs from "@/components/ui/breadcrumbs";
 import { Button } from "@/components/ui/button";
 import Avatar from "@/feature/Avatar";
-import type { DeviceInfo, UserSession } from "@/types";
+import type { DeviceInfo } from "@/types";
 import { Ban } from "lucide-react";
-import { useEffect, useMemo, useState, type FC } from "react";
+import { useCallback, useEffect, useMemo, type FC } from "react";
 import { Link } from "react-router";
 import moment from "moment";
 import Pagination from "@/components/ui/pagination";
+import { useUserSessions } from "@/store/admin/userSessions";
+import { useAuth } from "@/store/auth";
 
 const SessionSource: FC<{ deviceInfo: string }> = ({ deviceInfo }) => {
   const parsed = useMemo<DeviceInfo>(
@@ -22,21 +23,30 @@ const SessionSource: FC<{ deviceInfo: string }> = ({ deviceInfo }) => {
   );
 };
 
-const AdminSessionsPage: FC = () => {
+const AdminUserSessionsPage: FC = () => {
-  const loading = false;
+  const loading = useUserSessions((s) => s.loading);
-  const [sessions, setSessions] = useState<UserSession[]>([]);
+  const sessions = useUserSessions((s) => s.items);
+
+  const page = useUserSessions((s) => s.page);
+  const totalPages = useUserSessions((s) => s.totalPages);
+
+  const fetchSessions = useUserSessions((s) => s.fetch);
+  const revokeSession = useUserSessions((s) => s.revoke);
+
+  const revokingId = useUserSessions((s) => s.revokingId);
+
+  const profile = useAuth((s) => s.profile);
+
+  const handleRevokeSession = useCallback(
+    (id: string) => {
+      revokeSession(id);
+    },
+    [revokeSession],
+  );
 
   useEffect(() => {
-    adminGetUserSessionsApi({
+    fetchSessions(1);
-      limit: 10,
+  }, [fetchSessions]);
-      offset: 0,
-    }).then((res) => {
-      console.log("get sessions response:", res);
-      if (Array.isArray(res)) {
-        return setSessions(res);
-      }
-    });
-  }, []);
 
   return (
     <div className="relative flex flex-col items-stretch w-full">
@@ -113,12 +123,7 @@ const AdminSessionsPage: FC = () => {
                   key={session.id}
                   className="hover:bg-gray-50 dark:hover:bg-gray-800"
                 >
-                  {/* <td className="px-6 py-4 text-sm font-medium text-blue-600 border border-gray-300 dark:border-gray-700">
+                  <td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
-                    <span className="inline-block px-2 py-1 text-xs rounded-full font-semibold bg-green-100 text-green-800 dark:bg-green-900 dark:text-green-300">
-                      {sessionsType}
-                    </span>
-                  </td> */}
-                  <td className="px-6 py-4 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
                     <div className="flex flex-row items-center gap-2 justify-start">
                       {typeof session.user?.profile_picture === "string" && (
                         <Avatar
@@ -126,17 +131,19 @@ const AdminSessionsPage: FC = () => {
                           className="w-7 h-7 min-w-7"
                         />
                       )}
-                      <Link to={`/admin/users/${session.user_id}`}>
+
-                        <p className="cursor-pointer text-blue-500">
+                      <Link to={`/admin/users/view/${session.user_id}`}>
-                          {session.user?.full_name ?? ""}
+                        <p className="cursor-pointer text-blue-500 text-nowrap">
+                          {session.user?.full_name ?? ""}{" "}
+                          {session.user_id === profile?.id ? "(You)" : ""}
                         </p>
                       </Link>
                     </div>
                   </td>
-                  <td className="px-6 py-4 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
+                  <td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
                     <SessionSource deviceInfo={session.device_info} />
                   </td>
-                  <td className="px-6 py-4 text-sm border border-gray-300 dark:border-gray-700">
+                  <td className="px-5 py-3 text-sm border border-gray-300 dark:border-gray-700">
                     <span
                       className={`inline-block px-2 py-1 text-xs rounded-full font-semibold ${
                         !session.is_active ||
@@ -154,20 +161,20 @@ const AdminSessionsPage: FC = () => {
                       ) && " (Expired)"}
                     </span>
                   </td>
-                  <td className="px-6 py-4 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
                     {moment(session.issued_at).format("LLLL")}
                   </td>
-                  <td className="px-6 py-4 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
                     {session.expires_at
                       ? moment(session.expires_at).format("LLLL")
                       : "never"}
                   </td>
-                  <td className="px-6 py-4 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
                     {session.last_active
                       ? moment(session.last_active).format("LLLL")
                       : "never"}
                   </td>
-                  <td className="px-6 py-4 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
                     {session.revoked_at
                       ? new Date(session.revoked_at).toLocaleString()
                       : "never"}
@@ -177,6 +184,8 @@ const AdminSessionsPage: FC = () => {
                       <Button
                         variant="contained"
                         className="bg-red-500 hover:bg-red-600 !px-1.5 !py-1.5"
+                        onClick={() => handleRevokeSession(session.id)}
+                        disabled={revokingId === session.id}
                       >
                         <Ban size={18} />
                       </Button>
@@ -187,11 +196,14 @@ const AdminSessionsPage: FC = () => {
             )}
           </tbody>
         </table>
-
-        <Pagination currentPage={1} onPageChange={console.log} totalPages={2} />
       </div>
+      <Pagination
+        currentPage={page}
+        onPageChange={(newPage) => fetchSessions(newPage)}
+        totalPages={totalPages}
+      />
     </div>
   );
 };
 
-export default AdminSessionsPage;
+export default AdminUserSessionsPage;

web/src/pages/Login/index.tsx

@@ -62,8 +62,9 @@ export default function LoginPage() {
       } catch (err: any) {
         console.log(err);
         setError(
-          "Failed to create account. " +
+          err.response?.data?.error ??
-            (err.message ?? "Unexpected error happened"),
+            err.message ??
+            "Unexpected error happened",
         );
       } finally {
         setLoading(false);

web/src/store/admin/apiServices.ts

@@ -22,7 +22,7 @@ interface IApiServicesState {
 
   fetch: () => Promise<void>;
   fetchSingle: (id: string) => Promise<void>;
-  create: (req: CreateApiServiceRequest) => Promise<bool>;
+  create: (req: CreateApiServiceRequest) => Promise<boolean>;
   resetCredentials: () => void;
 
   toggling: boolean;

web/src/store/admin/serviceSessions.ts

@@ -0,0 +1,59 @@
+import {
+  adminGetServiceSessionsApi,
+  adminRevokeServiceSessionApi,
+} from "@/api/admin/sessions";
+import type { ServiceSession } from "@/types";
+import { create } from "zustand";
+
+export const ADMIN_SERVICE_SESSIONS_PAGE_SIZE = 10;
+
+export interface IServiceSessionsState {
+  items: ServiceSession[];
+  totalPages: number;
+  page: number;
+
+  loading: boolean;
+
+  revokingId: string | null;
+
+  fetch: (page: number) => Promise<void>;
+  revoke: (id: string) => Promise<void>;
+}
+
+export const useServiceSessions = create<IServiceSessionsState>((set, get) => ({
+  items: [],
+  totalPages: 0,
+  page: 1,
+  loading: false,
+  revokingId: null,
+
+  fetch: async (page) => {
+    set({ loading: true, page });
+
+    try {
+      const response = await adminGetServiceSessionsApi({
+        page,
+        size: ADMIN_SERVICE_SESSIONS_PAGE_SIZE,
+      });
+      set({ items: response.items, totalPages: response.total_pages });
+    } catch (err) {
+      console.log("ERR: Failed to fetch admin service sessions:", err);
+    } finally {
+      set({ loading: false });
+    }
+  },
+
+  revoke: async (id) => {
+    set({ revokingId: id });
+
+    try {
+      await adminRevokeServiceSessionApi(id);
+    } catch (err) {
+      console.log("ERR: Failed to revoke service sessions:", err);
+    } finally {
+      set({ revokingId: null });
+      const { fetch, page } = get();
+      await fetch(page);
+    }
+  },
+}));

web/src/store/admin/userSessions.ts

@@ -0,0 +1,59 @@
+import {
+  adminGetUserSessionsApi,
+  adminRevokeUserSessionApi,
+} from "@/api/admin/sessions";
+import type { UserSession } from "@/types";
+import { create } from "zustand";
+
+export const ADMIN_USER_SESSIONS_PAGE_SIZE = 10;
+
+export interface IUserSessionsState {
+  items: UserSession[];
+  totalPages: number;
+  page: number;
+
+  loading: boolean;
+
+  revokingId: string | null;
+
+  fetch: (page: number) => Promise<void>;
+  revoke: (id: string) => Promise<void>;
+}
+
+export const useUserSessions = create<IUserSessionsState>((set, get) => ({
+  items: [],
+  totalPages: 0,
+  page: 1,
+  loading: false,
+  revokingId: null,
+
+  fetch: async (page) => {
+    set({ loading: true, page });
+
+    try {
+      const response = await adminGetUserSessionsApi({
+        page,
+        size: ADMIN_USER_SESSIONS_PAGE_SIZE,
+      });
+      set({ items: response.items, totalPages: response.total_pages });
+    } catch (err) {
+      console.log("ERR: Failed to fetch admin user sessions:", err);
+    } finally {
+      set({ loading: false });
+    }
+  },
+
+  revoke: async (id) => {
+    set({ revokingId: id });
+
+    try {
+      await adminRevokeUserSessionApi(id);
+    } catch (err) {
+      console.log("ERR: Failed to revoke user sessions:", err);
+    } finally {
+      set({ revokingId: null });
+      const { fetch, page } = get();
+      await fetch(page);
+    }
+  },
+}));