Merge pull request 'sessions' (#2) from sessions into main

Reviewed-on: #2

.gitignore

@@ -27,6 +27,7 @@ go.work.sum
 
 # env file
 .env
+.env.remote
 
 # key files
 *.pem

go.mod

@@ -11,6 +11,7 @@ require (
 )
 
 require (
+	github.com/avct/uasurfer v0.0.0-20250506104815-f2613aa2d406 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect

go.sum

@@ -1,3 +1,5 @@
+github.com/avct/uasurfer v0.0.0-20250506104815-f2613aa2d406 h1:5/KfwL9TS8yNtUSunutqifcSC8rdX9PNdvbSsw/X/lQ=
+github.com/avct/uasurfer v0.0.0-20250506104815-f2613aa2d406/go.mod h1:s+GCtuP4kZNxh1WGoqdWI1+PbluBcycrMMWuKQ9e5Nk=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

internal/admin/apiservices.go

@@ -4,45 +4,15 @@ import (
 	"encoding/json"
 	"log"
 	"net/http"
-	"time"
 
 	"gitea.local/admin/hspguard/internal/repository"
+	"gitea.local/admin/hspguard/internal/types"
 	"gitea.local/admin/hspguard/internal/util"
 	"gitea.local/admin/hspguard/internal/web"
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
 )
 
-type ApiServiceDTO struct {
-	ID           uuid.UUID `json:"id"`
-	ClientID     string    `json:"client_id"`
-	Name         string    `json:"name"`
-	Description  *string   `json:"description"`
-	IconUrl      *string   `json:"icon_url"`
-	RedirectUris []string  `json:"redirect_uris"`
-	Scopes       []string  `json:"scopes"`
-	GrantTypes   []string  `json:"grant_types"`
-	CreatedAt    time.Time `json:"created_at"`
-	UpdatedAt    time.Time `json:"updated_at"`
-	IsActive     bool      `json:"is_active"`
-}
-
-func NewApiServiceDTO(service repository.ApiService) ApiServiceDTO {
-	return ApiServiceDTO{
-		ID:           service.ID,
-		ClientID:     service.ClientID,
-		Name:         service.Name,
-		Description:  service.Description,
-		IconUrl:      service.IconUrl,
-		RedirectUris: service.RedirectUris,
-		Scopes:       service.Scopes,
-		GrantTypes:   service.GrantTypes,
-		CreatedAt:    service.CreatedAt,
-		UpdatedAt:    service.UpdatedAt,
-		IsActive:     service.IsActive,
-	}
-}
-
 func (h *AdminHandler) GetApiServices(w http.ResponseWriter, r *http.Request) {
 	services, err := h.repo.ListApiServices(r.Context())
 	if err != nil {
@@ -51,15 +21,15 @@ func (h *AdminHandler) GetApiServices(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	apiServices := make([]ApiServiceDTO, 0)
+	apiServices := make([]types.ApiServiceDTO, 0)
 
 	for _, service := range services {
-		apiServices = append(apiServices, NewApiServiceDTO(service))
+		apiServices = append(apiServices, types.NewApiServiceDTO(service))
 	}
 
 	type Response struct {
-		Items []ApiServiceDTO `json:"items"`
-		Count int             `json:"count"`
+		Items []types.ApiServiceDTO `json:"items"`
+		Count int                   `json:"count"`
 	}
 
 	encoder := json.NewEncoder(w)
@@ -146,7 +116,7 @@ func (h *AdminHandler) AddApiService(w http.ResponseWriter, r *http.Request) {
 	service.ClientSecret = clientSecret
 
 	type Response struct {
-		Service     ApiServiceDTO         `json:"service"`
+		Service     types.ApiServiceDTO   `json:"service"`
 		Credentials ApiServiceCredentials `json:"credentials"`
 	}
 
@@ -155,7 +125,7 @@ func (h *AdminHandler) AddApiService(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 
 	if err := encoder.Encode(Response{
-		Service: NewApiServiceDTO(service),
+		Service: types.NewApiServiceDTO(service),
 		Credentials: ApiServiceCredentials{
 			ClientId:     service.ClientID,
 			ClientSecret: service.ClientSecret,
@@ -183,7 +153,7 @@ func (h *AdminHandler) GetApiService(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set("Content-Type", "application/json")
 
-	if err := encoder.Encode(NewApiServiceDTO(service)); err != nil {
+	if err := encoder.Encode(types.NewApiServiceDTO(service)); err != nil {
 		web.Error(w, "failed to encode response", http.StatusInternalServerError)
 	}
 }
@@ -201,7 +171,7 @@ func (h *AdminHandler) GetApiServiceCID(w http.ResponseWriter, r *http.Request)
 
 	w.Header().Set("Content-Type", "application/json")
 
-	if err := encoder.Encode(NewApiServiceDTO(service)); err != nil {
+	if err := encoder.Encode(types.NewApiServiceDTO(service)); err != nil {
 		web.Error(w, "failed to encode response", http.StatusInternalServerError)
 	}
 }
@@ -303,7 +273,7 @@ func (h *AdminHandler) UpdateApiService(w http.ResponseWriter, r *http.Request)
 
 	w.Header().Set("Content-Type", "application/json")
 
-	if err := encoder.Encode(NewApiServiceDTO(updated)); err != nil {
+	if err := encoder.Encode(types.NewApiServiceDTO(updated)); err != nil {
 		web.Error(w, "failed to send updated api service", http.StatusInternalServerError)
 	}
 }

internal/admin/routes.go

@@ -21,7 +21,7 @@ func New(repo *repository.Queries, cfg *config.AppConfig) *AdminHandler {
 
 func (h *AdminHandler) RegisterRoutes(router chi.Router) {
 	router.Route("/admin", func(r chi.Router) {
-		authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
+		authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
 		adminMiddleware := imiddleware.NewAdminMiddleware(h.repo)
 		r.Use(authMiddleware.Runner, adminMiddleware.Runner)
 
@@ -35,6 +35,12 @@ func (h *AdminHandler) RegisterRoutes(router chi.Router) {
 		r.Get("/users", h.GetUsers)
 		r.Post("/users", h.CreateUser)
 		r.Get("/users/{id}", h.GetUser)
+
+		r.Get("/user-sessions", h.GetUserSessions)
+		r.Patch("/user-sessions/revoke/{id}", h.RevokeUserSession)
+
+		r.Get("/service-sessions", h.GetServiceSessions)
+		r.Patch("/service-sessions/revoke/{id}", h.RevokeUserSession)
 	})
 
 	router.Get("/api-services/client/{client_id}", h.GetApiServiceCID)

internal/admin/sessions.go

@@ -0,0 +1,182 @@
+package admin
+
+import (
+	"encoding/json"
+	"log"
+	"math"
+	"net/http"
+	"strconv"
+
+	"gitea.local/admin/hspguard/internal/repository"
+	"gitea.local/admin/hspguard/internal/types"
+	"gitea.local/admin/hspguard/internal/web"
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
+)
+
+type GetSessionsParams struct {
+	PageSize int `json:"size"`
+	Page     int `json:"page"`
+	// TODO: More filtering possibilities like onlyActive, expired, not-expired etc.
+}
+
+func (h *AdminHandler) GetUserSessions(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+
+	params := GetSessionsParams{}
+
+	if pageSize, err := strconv.Atoi(q.Get("size")); err == nil {
+		params.PageSize = pageSize
+	} else {
+		params.PageSize = 15
+	}
+
+	if page, err := strconv.Atoi(q.Get("page")); err == nil {
+		params.Page = page
+	} else {
+		web.Error(w, "page is required", http.StatusBadRequest)
+		return
+	}
+
+	sessions, err := h.repo.GetUserSessions(r.Context(), repository.GetUserSessionsParams{
+		Limit:  int32(params.PageSize),
+		Offset: int32(params.Page-1) * int32(params.PageSize),
+	})
+	if err != nil {
+		log.Println("ERR: Failed to read user sessions from db:", err)
+		web.Error(w, "failed to retrieve sessions", http.StatusInternalServerError)
+		return
+	}
+
+	totalSessions, err := h.repo.GetUserSessionsCount(r.Context())
+	if err != nil {
+		log.Println("ERR: Failed to get total count of user sessions:", err)
+		web.Error(w, "failed to retrieve sessions", http.StatusInternalServerError)
+		return
+	}
+
+	mapped := make([]*types.UserSessionDTO, 0)
+
+	for _, session := range sessions {
+		mapped = append(mapped, types.NewUserSessionDTO(&session))
+	}
+
+	type Response struct {
+		Items      []*types.UserSessionDTO `json:"items"`
+		Page       int                     `json:"page"`
+		TotalPages int                     `json:"total_pages"`
+	}
+
+	response := Response{
+		Items:      mapped,
+		Page:       params.Page,
+		TotalPages: int(math.Ceil(float64(totalSessions) / float64(params.PageSize))),
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := json.NewEncoder(w).Encode(response); err != nil {
+		log.Println("ERR: Failed to encode sessions in response:", err)
+		web.Error(w, "failed to encode sessions", http.StatusInternalServerError)
+		return
+	}
+}
+
+func (h *AdminHandler) RevokeUserSession(w http.ResponseWriter, r *http.Request) {
+	sessionId := chi.URLParam(r, "id")
+	parsed, err := uuid.Parse(sessionId)
+	if err != nil {
+		web.Error(w, "provided service id is not valid", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.repo.RevokeUserSession(r.Context(), parsed); err != nil {
+		log.Println("ERR: Failed to revoke user session:", err)
+		web.Error(w, "failed to revoke user session", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte("{\"success\":true}"))
+}
+
+func (h *AdminHandler) GetServiceSessions(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+
+	params := GetSessionsParams{}
+
+	if pageSize, err := strconv.Atoi(q.Get("size")); err == nil {
+		params.PageSize = pageSize
+	} else {
+		params.PageSize = 15
+	}
+
+	if page, err := strconv.Atoi(q.Get("page")); err == nil {
+		params.Page = page
+	} else {
+		web.Error(w, "page is required", http.StatusBadRequest)
+		return
+	}
+
+	sessions, err := h.repo.GetServiceSessions(r.Context(), repository.GetServiceSessionsParams{
+		Limit:  int32(params.PageSize),
+		Offset: int32(params.Page-1) * int32(params.PageSize),
+	})
+	if err != nil {
+		log.Println("ERR: Failed to read api sessions from db:", err)
+		web.Error(w, "failed to retrieve sessions", http.StatusInternalServerError)
+		return
+	}
+
+	totalSessions, err := h.repo.GetServiceSessionsCount(r.Context())
+	if err != nil {
+		log.Println("ERR: Failed to get total count of service sessions:", err)
+		web.Error(w, "failed to retrieve sessions", http.StatusInternalServerError)
+		return
+	}
+
+	mapped := make([]*types.ServiceSessionDTO, 0)
+
+	for _, session := range sessions {
+		mapped = append(mapped, types.NewServiceSessionDTO(&session))
+	}
+
+	type Response struct {
+		Items      []*types.ServiceSessionDTO `json:"items"`
+		Page       int                        `json:"page"`
+		TotalPages int                        `json:"total_pages"`
+	}
+
+	response := Response{
+		Items:      mapped,
+		Page:       params.Page,
+		TotalPages: int(math.Ceil(float64(totalSessions) / float64(params.PageSize))),
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := json.NewEncoder(w).Encode(response); err != nil {
+		log.Println("ERR: Failed to encode sessions in response:", err)
+		web.Error(w, "failed to encode sessions", http.StatusInternalServerError)
+	}
+}
+
+func (h *AdminHandler) RevokeServiceSession(w http.ResponseWriter, r *http.Request) {
+	sessionId := chi.URLParam(r, "id")
+	parsed, err := uuid.Parse(sessionId)
+	if err != nil {
+		web.Error(w, "provided service id is not valid", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.repo.RevokeServiceSession(r.Context(), parsed); err != nil {
+		log.Println("ERR: Failed to revoke service session:", err)
+		web.Error(w, "failed to revoke service session", http.StatusInternalServerError)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte("{\"success\":true}"))
+}

internal/auth/login.go

@@ -5,6 +5,7 @@ import (
 	"log"
 	"net/http"
 
+	"gitea.local/admin/hspguard/internal/repository"
 	"gitea.local/admin/hspguard/internal/util"
 	"gitea.local/admin/hspguard/internal/web"
 )
@@ -32,12 +33,14 @@ func (h *AuthHandler) login(w http.ResponseWriter, r *http.Request) {
 
 	user, err := h.repo.FindUserEmail(r.Context(), params.Email)
 	if err != nil {
-		web.Error(w, "user with provided email does not exists", http.StatusBadRequest)
+		log.Printf("DEBUG: No user found with '%s' email: %v\n", params.Email, err)
+		web.Error(w, "email or/and password are incorrect", http.StatusBadRequest)
 		return
 	}
 
 	if !util.VerifyPassword(params.Password, user.PasswordHash) {
-		web.Error(w, "username or/and password are incorrect", http.StatusBadRequest)
+		log.Printf("DEBUG: Incorrect password '%s' for '%s' email: %v\n", params.Password, params.Email, err)
+		web.Error(w, "email or/and password are incorrect", http.StatusBadRequest)
 		return
 	}
 
@@ -47,6 +50,29 @@ func (h *AuthHandler) login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	userAgent := r.UserAgent()
+
+	ipAddr := util.GetClientIP(r)
+	deviceInfo := util.BuildDeviceInfo(userAgent, ipAddr)
+
+	// Create User Session
+	session, err := h.repo.CreateUserSession(r.Context(), repository.CreateUserSessionParams{
+		UserID:         user.ID,
+		SessionType:    "user",
+		ExpiresAt:      &refresh.ExpiresAt,
+		LastActive:     nil,
+		IpAddress:      &ipAddr,
+		UserAgent:      &userAgent,
+		AccessTokenID:  &access.ID,
+		RefreshTokenID: &refresh.ID,
+		DeviceInfo:     deviceInfo,
+	})
+	if err != nil {
+		log.Printf("ERR: Failed to create user session after logging in: %v\n", err)
+	}
+
+	log.Printf("INFO: User session created for '%s' with '%s' id\n", user.Email, session.ID.String())
+
 	if err := h.repo.UpdateLastLogin(r.Context(), user.ID); err != nil {
 		web.Error(w, "failed to update user's last login", http.StatusInternalServerError)
 		return
@@ -68,8 +94,8 @@ func (h *AuthHandler) login(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 
 	if err := encoder.Encode(Response{
-		AccessToken:    access,
-		RefreshToken:   refresh,
+		AccessToken:    access.Token,
+		RefreshToken:   refresh.Token,
 		FullName:       user.FullName,
 		Email:          user.Email,
 		Id:             user.ID.String(),

internal/auth/refresh.go

@@ -3,10 +3,12 @@ package auth
 import (
 	"encoding/json"
 	"fmt"
+	"log"
 	"net/http"
 	"strings"
 	"time"
 
+	"gitea.local/admin/hspguard/internal/repository"
 	"gitea.local/admin/hspguard/internal/types"
 	"gitea.local/admin/hspguard/internal/util"
 	"gitea.local/admin/hspguard/internal/web"
@@ -64,6 +66,44 @@ func (h *AuthHandler) refreshToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	jti, err := uuid.Parse(userClaims.ID)
+	if session, err := h.repo.GetUserSessionByRefreshJTI(r.Context(), &jti); err != nil {
+		log.Printf("WARN: No existing user session found for user with '%s' email (jti: '%s'): %v\n", user.Email, userClaims.ID, err)
+
+		userAgent := r.UserAgent()
+
+		ipAddr := util.GetClientIP(r)
+		deviceInfo := util.BuildDeviceInfo(userAgent, ipAddr)
+
+		// Create User Session
+		session, err := h.repo.CreateUserSession(r.Context(), repository.CreateUserSessionParams{
+			UserID:         user.ID,
+			SessionType:    "user",
+			ExpiresAt:      &refresh.ExpiresAt,
+			LastActive:     nil,
+			IpAddress:      &ipAddr,
+			UserAgent:      &userAgent,
+			AccessTokenID:  &access.ID,
+			RefreshTokenID: &refresh.ID,
+			DeviceInfo:     deviceInfo,
+		})
+		if err != nil {
+			log.Printf("ERR: Failed to create user session after logging in: %v\n", err)
+		}
+
+		log.Printf("INFO: User session created for '%s' with '%s' id\n", user.Email, session.ID.String())
+	} else {
+		err := h.repo.UpdateSessionTokens(r.Context(), repository.UpdateSessionTokensParams{
+			ID:             session.ID,
+			AccessTokenID:  &access.ID,
+			RefreshTokenID: &refresh.ID,
+			ExpiresAt:      &refresh.ExpiresAt,
+		})
+		if err != nil {
+			log.Printf("ERR: Failed to update user session with '%s' id: %v\n", session.ID.String(), err)
+		}
+	}
+
 	type Response struct {
 		AccessToken  string `json:"access"`
 		RefreshToken string `json:"refresh"`
@@ -74,8 +114,8 @@ func (h *AuthHandler) refreshToken(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 
 	if err := encoder.Encode(Response{
-		AccessToken:  access,
-		RefreshToken: refresh,
+		AccessToken:  access.Token,
+		RefreshToken: refresh.Token,
 	}); err != nil {
 		web.Error(w, "failed to encode response", http.StatusInternalServerError)
 	}

internal/auth/routes.go

@@ -11,6 +11,7 @@ import (
 	"gitea.local/admin/hspguard/internal/util"
 	"github.com/go-chi/chi/v5"
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
 )
 
 type AuthHandler struct {
@@ -19,7 +20,10 @@ type AuthHandler struct {
 	cfg   *config.AppConfig
 }
 
-func (h *AuthHandler) signTokens(user *repository.User) (string, string, error) {
+func (h *AuthHandler) signTokens(user *repository.User) (*types.SignedToken, *types.SignedToken, error) {
+	accessExpiresAt := time.Now().Add(15 * time.Minute)
+	accessJTI := uuid.New()
+
 	accessClaims := types.UserClaims{
 		UserEmail: user.Email,
 		IsAdmin:   user.IsAdmin,
@@ -27,15 +31,19 @@ func (h *AuthHandler) signTokens(user *repository.User) (string, string, error)
 			Issuer:    h.cfg.Uri,
 			Subject:   user.ID.String(),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
-			ExpiresAt: jwt.NewNumericDate(time.Now().Add(15 * time.Minute)),
+			ExpiresAt: jwt.NewNumericDate(accessExpiresAt),
+			ID:        accessJTI.String(),
 		},
 	}
 
 	accessToken, err := util.SignJwtToken(accessClaims, h.cfg.Jwt.PrivateKey)
 	if err != nil {
-		return "", "", err
+		return nil, nil, err
 	}
 
+	refreshExpiresAt := time.Now().Add(30 * 24 * time.Hour)
+	refreshJTI := uuid.New()
+
 	refreshClaims := types.UserClaims{
 		UserEmail: user.Email,
 		IsAdmin:   user.IsAdmin,
@@ -43,16 +51,17 @@ func (h *AuthHandler) signTokens(user *repository.User) (string, string, error)
 			Issuer:    h.cfg.Uri,
 			Subject:   user.ID.String(),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
-			ExpiresAt: jwt.NewNumericDate(time.Now().Add(30 * 24 * time.Hour)),
+			ExpiresAt: jwt.NewNumericDate(refreshExpiresAt),
+			ID:        refreshJTI.String(),
 		},
 	}
 
 	refreshToken, err := util.SignJwtToken(refreshClaims, h.cfg.Jwt.PrivateKey)
 	if err != nil {
-		return "", "", err
+		return nil, nil, err
 	}
 
-	return accessToken, refreshToken, nil
+	return types.NewSignedToken(accessToken, accessExpiresAt, accessJTI), types.NewSignedToken(refreshToken, refreshExpiresAt, refreshJTI), nil
 }
 
 func NewAuthHandler(repo *repository.Queries, cache *cache.Client, cfg *config.AppConfig) *AuthHandler {
@@ -66,13 +75,14 @@ func NewAuthHandler(repo *repository.Queries, cache *cache.Client, cfg *config.A
 func (h *AuthHandler) RegisterRoutes(api chi.Router) {
 	api.Route("/auth", func(r chi.Router) {
 		r.Group(func(protected chi.Router) {
-			authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
+			authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
 			protected.Use(authMiddleware.Runner)
 
 			protected.Get("/profile", h.getProfile)
 			protected.Post("/email", h.requestEmailOtp)
 			protected.Post("/email/otp", h.confirmOtp)
 			protected.Post("/verify", h.finishVerification)
+			protected.Post("/signout", h.signOut)
 		})
 
 		r.Post("/login", h.login)

internal/auth/signout.go

@@ -0,0 +1,40 @@
+package auth
+
+import (
+	"log"
+	"net/http"
+
+	"gitea.local/admin/hspguard/internal/util"
+	"github.com/google/uuid"
+)
+
+func (h *AuthHandler) signOut(w http.ResponseWriter, r *http.Request) {
+	defer func() {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("{\"status\": \"ok\"}"))
+	}()
+
+	jti, ok := util.GetRequestJTI(r.Context())
+	if !ok {
+		log.Println("WARN: No JTI found in request")
+		return
+	}
+
+	jtiId, err := uuid.Parse(jti)
+	if err != nil {
+		log.Printf("ERR: Failed to parse jti '%s' as v4 uuid: %v\n", jti, err)
+		return
+	}
+
+	session, err := h.repo.GetUserSessionByAccessJTI(r.Context(), &jtiId)
+	if err != nil {
+		log.Printf("WARN: Could not find session by jti id '%s': %v\n", jtiId.String(), err)
+		return
+	}
+
+	if err := h.repo.RevokeUserSession(r.Context(), session.ID); err != nil {
+		log.Printf("ERR: Failed to revoke session with '%s' id: %v\n", session.ID.String(), err)
+	} else {
+		log.Printf("INFO: Revoked session with jti = '%s' and session id = '%s'\n", jtiId.String(), session.ID.String())
+	}
+}

internal/middleware/auth.go

@@ -3,22 +3,27 @@ package middleware
 import (
 	"context"
 	"fmt"
+	"log"
 	"net/http"
 	"strings"
 
 	"gitea.local/admin/hspguard/internal/config"
+	"gitea.local/admin/hspguard/internal/repository"
 	"gitea.local/admin/hspguard/internal/types"
 	"gitea.local/admin/hspguard/internal/util"
 	"gitea.local/admin/hspguard/internal/web"
+	"github.com/google/uuid"
 )
 
 type AuthMiddleware struct {
-	cfg *config.AppConfig
+	cfg  *config.AppConfig
+	repo *repository.Queries
 }
 
-func NewAuthMiddleware(cfg *config.AppConfig) *AuthMiddleware {
+func NewAuthMiddleware(cfg *config.AppConfig, repo *repository.Queries) *AuthMiddleware {
 	return &AuthMiddleware{
 		cfg,
+		repo,
 	}
 }
 
@@ -45,7 +50,28 @@ func (m *AuthMiddleware) Runner(next http.Handler) http.Handler {
 			return
 		}
 
+		// TODO: redis caching
+		parsed, err := uuid.Parse(userClaims.ID)
+		if err != nil {
+			log.Printf("ERR: Failed to parse token JTI '%s': %v\n", userClaims.ID, err)
+			web.Error(w, "failed to get session", http.StatusUnauthorized)
+			return
+		}
+		session, err := m.repo.GetUserSessionByAccessJTI(r.Context(), &parsed)
+		if err != nil {
+			log.Printf("ERR: Failed to find session with '%s' JTI: %v\n", parsed.String(), err)
+			web.Error(w, "no session found", http.StatusUnauthorized)
+			return
+		}
+
+		if !session.IsActive {
+			log.Printf("INFO: Inactive session trying to authorize: %s\n", session.AccessTokenID)
+			web.Error(w, "no session found", http.StatusUnauthorized)
+			return
+		}
+
 		ctx := context.WithValue(r.Context(), types.UserIdKey, userClaims.Subject)
+		ctx = context.WithValue(ctx, types.JTIKey, userClaims.ID)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }

internal/oauth/authorize.go

@@ -3,7 +3,6 @@ package oauth
 import (
 	"fmt"
 	"net/http"
-	"slices"
 	"strings"
 
 	"gitea.local/admin/hspguard/internal/web"
@@ -29,43 +28,14 @@ func (h *OAuthHandler) AuthorizeClient(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	client, err := h.repo.GetApiServiceCID(r.Context(), clientId)
-	if err != nil {
-		uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", redirectUri)
-		if state != "" {
-			uri += "&state=" + state
-		}
-		http.Redirect(w, r, uri, http.StatusFound)
-		return
-	}
+	scopes := strings.Split(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
 
-	if !client.IsActive {
-		uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", redirectUri)
-		if state != "" {
-			uri += "&state=" + state
-		}
-		http.Redirect(w, r, uri, http.StatusFound)
-		return
-	}
-
-	scopes := strings.SplitSeq(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
-
-	for scope := range scopes {
-		if !slices.Contains(client.Scopes, scope) {
-			uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", redirectUri, strings.ReplaceAll(scope, " ", "+"))
-			if state != "" {
-				uri += "&state=" + state
-			}
-			http.Redirect(w, r, uri, http.StatusFound)
-			return
-		}
-	}
-
-	if !slices.Contains(client.RedirectUris, redirectUri) {
-		uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", redirectUri)
-		if state != "" {
-			uri += "&state=" + state
-		}
+	if uri, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
+		ClientID:    clientId,
+		RedirectURI: &redirectUri,
+		State:       state,
+		Scopes:      &scopes,
+	}); err != nil {
 		http.Redirect(w, r, uri, http.StatusFound)
 		return
 	}

internal/oauth/client.go

@@ -0,0 +1,58 @@
+package oauth
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"strings"
+)
+
+type VerifyOAuthClientParams struct {
+	ClientID    string    `json:"client_id"`
+	RedirectURI *string   `json:"redirect_uri"`
+	State       string    `json:"state"`
+	Scopes      *[]string `json:"scopes"`
+}
+
+func (h *OAuthHandler) verifyOAuthClient(ctx context.Context, params *VerifyOAuthClientParams) (string, error) {
+	client, err := h.repo.GetApiServiceCID(ctx, params.ClientID)
+	if err != nil {
+		uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", *params.RedirectURI)
+		if params.State != "" {
+			uri += "&state=" + params.State
+		}
+		return uri, fmt.Errorf("target oauth service with client id '%s' is not registered", params.ClientID)
+	}
+
+	if !client.IsActive {
+		uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", *params.RedirectURI)
+		if params.State != "" {
+			uri += "&state=" + params.State
+		}
+		return uri, fmt.Errorf("target oauth service with client id '%s' is not available", client.ClientID)
+	}
+
+	if params.Scopes != nil {
+		for _, scope := range *params.Scopes {
+			if !slices.Contains(client.Scopes, scope) {
+				uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", *params.RedirectURI, strings.ReplaceAll(scope, " ", "+"))
+				if params.State != "" {
+					uri += "&state=" + params.State
+				}
+				return uri, fmt.Errorf("unallowed scope '%s' requested", scope)
+			}
+		}
+	}
+
+	if params.RedirectURI != nil {
+		if !slices.Contains(client.RedirectUris, *params.RedirectURI) {
+			uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", *params.RedirectURI)
+			if params.State != "" {
+				uri += "&state=" + params.State
+			}
+			return uri, fmt.Errorf("redirect uri '%s' is unallowed", *params.RedirectURI)
+		}
+	}
+
+	return "", nil
+}

internal/oauth/code.go

@@ -39,6 +39,16 @@ func (h *OAuthHandler) getAuthCode(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if _, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
+		ClientID:    req.ClientID,
+		RedirectURI: nil,
+		State:       "",
+		Scopes:      nil,
+	}); err != nil {
+		web.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
 	buf := make([]byte, 32)
 	_, err = rand.Read(buf)
 	if err != nil {

internal/oauth/routes.go

@@ -25,7 +25,7 @@ func NewOAuthHandler(repo *repository.Queries, cache *cache.Client, cfg *config.
 func (h *OAuthHandler) RegisterRoutes(router chi.Router) {
 	router.Route("/oauth", func(r chi.Router) {
 		r.Group(func(protected chi.Router) {
-			authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
+			authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
 			protected.Use(authMiddleware.Runner)
 
 			protected.Post("/code", h.getAuthCode)

internal/oauth/token.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
+	"math"
 	"net/http"
 	"strings"
 	"time"
@@ -17,20 +18,10 @@ import (
 	"github.com/google/uuid"
 )
 
-type ApiToken struct {
-	Token      string
-	Expiration float64
-}
-
-type ApiTokens struct {
-	ID      ApiToken
-	Access  ApiToken
-	Refresh ApiToken
-}
-
-func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *repository.ApiService, nonce *string) (*ApiTokens, error) {
+func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *repository.ApiService, nonce *string) (*types.SignedToken, *types.SignedToken, *types.SignedToken, error) {
 	accessExpiresIn := 15 * time.Minute
 	accessExpiresAt := time.Now().Add(accessExpiresIn)
+	accessJTI := uuid.New()
 
 	accessClaims := types.ApiClaims{
 		Permissions: []string{},
@@ -40,12 +31,13 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
 			Audience:  jwt.ClaimStrings{apiService.ClientID},
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			ExpiresAt: jwt.NewNumericDate(accessExpiresAt),
+			ID:        accessJTI.String(),
 		},
 	}
 
 	access, err := util.SignJwtToken(accessClaims, h.cfg.Jwt.PrivateKey)
 	if err != nil {
-		return nil, err
+		return nil, nil, nil, err
 	}
 
 	var roles = []string{"user"}
@@ -56,6 +48,7 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
 
 	idExpiresIn := 15 * time.Minute
 	idExpiresAt := time.Now().Add(idExpiresIn)
+	idJTI := uuid.New()
 
 	idClaims := types.IdTokenClaims{
 		Email:         user.Email,
@@ -70,16 +63,18 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
 			Audience:  jwt.ClaimStrings{apiService.ClientID},
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			ExpiresAt: jwt.NewNumericDate(idExpiresAt),
+			ID:        idJTI.String(),
 		},
 	}
 
 	idToken, err := util.SignJwtToken(idClaims, h.cfg.Jwt.PrivateKey)
 	if err != nil {
-		return nil, err
+		return nil, nil, nil, err
 	}
 
 	refreshExpiresIn := 24 * time.Hour
 	refreshExpiresAt := time.Now().Add(refreshExpiresIn)
+	refreshJTI := uuid.New()
 
 	refreshClaims := types.ApiRefreshClaims{
 		UserID: user.ID.String(),
@@ -89,28 +84,16 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
 			Audience:  jwt.ClaimStrings{apiService.ClientID},
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			ExpiresAt: jwt.NewNumericDate(refreshExpiresAt),
+			ID:        refreshJTI.String(),
 		},
 	}
 
 	refresh, err := util.SignJwtToken(refreshClaims, h.cfg.Jwt.PrivateKey)
 	if err != nil {
-		return nil, err
+		return nil, nil, nil, err
 	}
 
-	return &ApiTokens{
-		ID: ApiToken{
-			Token:      idToken,
-			Expiration: idExpiresIn.Seconds(),
-		},
-		Access: ApiToken{
-			Token:      access,
-			Expiration: accessExpiresIn.Seconds(),
-		},
-		Refresh: ApiToken{
-			Token:      refresh,
-			Expiration: refreshExpiresIn.Seconds(),
-		},
-	}, nil
+	return types.NewSignedToken(idToken, idExpiresAt, idJTI), types.NewSignedToken(access, accessExpiresAt, accessJTI), types.NewSignedToken(refresh, refreshExpiresAt, refreshJTI), nil
 }
 
 func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
@@ -152,50 +135,93 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 	}
 
 	grantType := r.FormValue("grant_type")
-	redirectUri := r.FormValue("redirect_uri")
 
-	log.Printf("Redirect URI is %s\n", redirectUri)
+	log.Println("DEBUG: Verifying target oauth client before proceeding...")
+
+	if _, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
+		ClientID:    clientId,
+		RedirectURI: nil,
+		State:       "",
+		Scopes:      nil,
+	}); err != nil {
+		web.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
 
 	switch grantType {
 	case "authorization_code":
+		redirectUri := r.FormValue("redirect_uri")
+		log.Printf("Redirect URI is %s\n", redirectUri)
+
 		code := r.FormValue("code")
 
 		fmt.Printf("Code received: %s\n", code)
 
-		session, err := h.cache.GetAuthCode(r.Context(), code)
+		codeSession, err := h.cache.GetAuthCode(r.Context(), code)
 		if err != nil {
 			log.Printf("ERR: Failed to find session under the code %s: %v\n", code, err)
 			web.Error(w, "no session found under this auth code", http.StatusNotFound)
 			return
 		}
 
-		log.Printf("DEBUG: Fetched code session: %#v\n", session)
+		log.Printf("DEBUG: Fetched code session: %#v\n", codeSession)
 
-		apiService, err := h.repo.GetApiServiceCID(r.Context(), session.ClientID)
+		apiService, err := h.repo.GetApiServiceCID(r.Context(), codeSession.ClientID)
 		if err != nil {
-			log.Printf("ERR: Could not find API service with client %s: %v\n", session.ClientID, err)
+			log.Printf("ERR: Could not find API service with client %s: %v\n", codeSession.ClientID, err)
 			web.Error(w, "service is not registered", http.StatusForbidden)
 			return
 		}
 
-		if session.ClientID != clientId {
+		if codeSession.ClientID != clientId {
 			web.Error(w, "invalid auth", http.StatusUnauthorized)
 			return
 		}
 
-		user, err := h.repo.FindUserId(r.Context(), uuid.MustParse(session.UserID))
+		user, err := h.repo.FindUserId(r.Context(), uuid.MustParse(codeSession.UserID))
 		if err != nil {
 			web.Error(w, "requested user not found", http.StatusNotFound)
 			return
 		}
 
-		tokens, err := h.signApiTokens(&user, &apiService, &session.Nonce)
+		id, access, refresh, err := h.signApiTokens(&user, &apiService, &codeSession.Nonce)
 		if err != nil {
 			log.Println("ERR: Failed to sign api tokens:", err)
 			web.Error(w, "failed to sign tokens", http.StatusInternalServerError)
 			return
 		}
 
+		log.Printf("DEBUG: Created api tokens: %v\n\n%v\n\n%v\n", id.ID.String(), access.ID.String(), refresh.ID.String())
+
+		userId, err := uuid.Parse(codeSession.UserID)
+		if err != nil {
+			log.Printf("ERR: Failed to parse user '%s' uuid: %v\n", codeSession.UserID, err)
+			web.Error(w, "failed to sign tokens", http.StatusInternalServerError)
+			return
+		}
+
+		ipAddr := util.GetClientIP(r)
+		ua := r.UserAgent()
+
+		session, err := h.repo.CreateServiceSession(r.Context(), repository.CreateServiceSessionParams{
+			ServiceID:      apiService.ID,
+			ClientID:       apiService.ClientID,
+			UserID:         &userId,
+			ExpiresAt:      &refresh.ExpiresAt,
+			LastActive:     nil,
+			IpAddress:      &ipAddr,
+			UserAgent:      &ua,
+			AccessTokenID:  &access.ID,
+			RefreshTokenID: &refresh.ID,
+		})
+		if err != nil {
+			log.Printf("ERR: Failed to create new service session: %v\n", err)
+			web.Error(w, "failed to create session", http.StatusInternalServerError)
+			return
+		}
+
+		log.Printf("INFO: Service session created for '%s' client_id with '%s' id\n", apiService.ClientID, session.ID.String())
+
 		type Response struct {
 			IdToken      string  `json:"id_token"`
 			TokenType    string  `json:"token_type"`
@@ -207,11 +233,11 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 		}
 
 		response := Response{
-			IdToken:      tokens.ID.Token,
+			IdToken:      id.Token,
 			TokenType:    "Bearer",
-			AccessToken:  tokens.Access.Token,
-			RefreshToken: tokens.Refresh.Token,
-			ExpiresIn:    tokens.Access.Expiration,
+			AccessToken:  access.Token,
+			RefreshToken: refresh.Token,
+			ExpiresIn:    math.Ceil(access.ExpiresAt.Sub(time.Now()).Seconds()),
 			Email:        user.Email,
 		}
 
@@ -244,6 +270,26 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
+		refreshJTI, err := uuid.Parse(claims.ID)
+		if err != nil {
+			log.Printf("ERR: Failed to parse refresh token JTI as uuid: %v\n", err)
+			web.Error(w, "failed to refresh token", http.StatusInternalServerError)
+			return
+		}
+
+		session, err := h.repo.GetServiceSessionByRefreshJTI(r.Context(), &refreshJTI)
+		if err != nil {
+			log.Printf("ERR: Failed to find session by '%s' refresh jti: %v\n", refreshJTI.String(), err)
+			web.Error(w, "session invalid", http.StatusUnauthorized)
+			return
+		}
+
+		if !session.IsActive {
+			log.Printf("INFO: Session with id '%s' is not active", session.ID.String())
+			web.Error(w, "session ended", http.StatusUnauthorized)
+			return
+		}
+
 		userID, err := uuid.Parse(claims.UserID)
 		if err != nil {
 			web.Error(w, "invalid user credentials in refresh token", http.StatusBadRequest)
@@ -257,7 +303,18 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
-		tokens, err := h.signApiTokens(&user, &apiService, nil)
+		id, access, refresh, err := h.signApiTokens(&user, &apiService, nil)
+
+		if err := h.repo.UpdateServiceSessionTokens(r.Context(), repository.UpdateServiceSessionTokensParams{
+			ID:             session.ID,
+			AccessTokenID:  &access.ID,
+			RefreshTokenID: &refresh.ID,
+			ExpiresAt:      &refresh.ExpiresAt,
+		}); err != nil {
+			log.Printf("ERR: Failed to update service session with '%s' id: %v\n", session.ID.String(), err)
+			web.Error(w, "failed to update session", http.StatusInternalServerError)
+			return
+		}
 
 		type Response struct {
 			IdToken      string  `json:"id_token"`
@@ -268,11 +325,11 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 		}
 
 		response := Response{
-			IdToken:      tokens.ID.Token,
+			IdToken:      id.Token,
 			TokenType:    "Bearer",
-			AccessToken:  tokens.Access.Token,
-			RefreshToken: tokens.Refresh.Token,
-			ExpiresIn:    tokens.Access.Expiration,
+			AccessToken:  access.Token,
+			RefreshToken: refresh.Token,
+			ExpiresIn:    math.Ceil(access.ExpiresAt.Sub(time.Now()).Seconds()),
 		}
 
 		log.Printf("DEBUG: refresh - sending following response: %#v\n", response)

internal/repository/models.go

@@ -25,6 +25,24 @@ type ApiService struct {
 	IconUrl      *string   `json:"icon_url"`
 }
 
+type ServiceSession struct {
+	ID             uuid.UUID  `json:"id"`
+	ServiceID      uuid.UUID  `json:"service_id"`
+	ClientID       string     `json:"client_id"`
+	UserID         *uuid.UUID `json:"user_id"`
+	IssuedAt       time.Time  `json:"issued_at"`
+	ExpiresAt      *time.Time `json:"expires_at"`
+	LastActive     *time.Time `json:"last_active"`
+	IpAddress      *string    `json:"ip_address"`
+	UserAgent      *string    `json:"user_agent"`
+	AccessTokenID  *uuid.UUID `json:"access_token_id"`
+	RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
+	IsActive       bool       `json:"is_active"`
+	RevokedAt      *time.Time `json:"revoked_at"`
+	Scope          *string    `json:"scope"`
+	Claims         []byte     `json:"claims"`
+}
+
 type User struct {
 	ID             uuid.UUID  `json:"id"`
 	Email          string     `json:"email"`
@@ -41,3 +59,19 @@ type User struct {
 	AvatarVerified bool       `json:"avatar_verified"`
 	Verified       bool       `json:"verified"`
 }
+
+type UserSession struct {
+	ID             uuid.UUID  `json:"id"`
+	UserID         uuid.UUID  `json:"user_id"`
+	SessionType    string     `json:"session_type"`
+	IssuedAt       time.Time  `json:"issued_at"`
+	ExpiresAt      *time.Time `json:"expires_at"`
+	LastActive     *time.Time `json:"last_active"`
+	IpAddress      *string    `json:"ip_address"`
+	UserAgent      *string    `json:"user_agent"`
+	AccessTokenID  *uuid.UUID `json:"access_token_id"`
+	RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
+	DeviceInfo     []byte     `json:"device_info"`
+	IsActive       bool       `json:"is_active"`
+	RevokedAt      *time.Time `json:"revoked_at"`
+}

internal/repository/service_sessions.sql.go

@@ -0,0 +1,419 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: service_sessions.sql
+
+package repository
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const createServiceSession = `-- name: CreateServiceSession :one
+INSERT INTO service_sessions (
+    service_id, client_id, user_id, issued_at, expires_at, last_active,
+    ip_address, user_agent, access_token_id, refresh_token_id,
+    is_active, scope, claims
+) VALUES (
+    $1, $2, $3, NOW(), $4, $5,
+    $6, $7, $8, $9,
+    TRUE, $10, $11
+)
+RETURNING id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims
+`
+
+type CreateServiceSessionParams struct {
+	ServiceID      uuid.UUID  `json:"service_id"`
+	ClientID       string     `json:"client_id"`
+	UserID         *uuid.UUID `json:"user_id"`
+	ExpiresAt      *time.Time `json:"expires_at"`
+	LastActive     *time.Time `json:"last_active"`
+	IpAddress      *string    `json:"ip_address"`
+	UserAgent      *string    `json:"user_agent"`
+	AccessTokenID  *uuid.UUID `json:"access_token_id"`
+	RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
+	Scope          *string    `json:"scope"`
+	Claims         []byte     `json:"claims"`
+}
+
+func (q *Queries) CreateServiceSession(ctx context.Context, arg CreateServiceSessionParams) (ServiceSession, error) {
+	row := q.db.QueryRow(ctx, createServiceSession,
+		arg.ServiceID,
+		arg.ClientID,
+		arg.UserID,
+		arg.ExpiresAt,
+		arg.LastActive,
+		arg.IpAddress,
+		arg.UserAgent,
+		arg.AccessTokenID,
+		arg.RefreshTokenID,
+		arg.Scope,
+		arg.Claims,
+	)
+	var i ServiceSession
+	err := row.Scan(
+		&i.ID,
+		&i.ServiceID,
+		&i.ClientID,
+		&i.UserID,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.LastActive,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.AccessTokenID,
+		&i.RefreshTokenID,
+		&i.IsActive,
+		&i.RevokedAt,
+		&i.Scope,
+		&i.Claims,
+	)
+	return i, err
+}
+
+const getServiceSessionByAccessJTI = `-- name: GetServiceSessionByAccessJTI :one
+SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
+WHERE access_token_id = $1
+  AND is_active = TRUE
+`
+
+func (q *Queries) GetServiceSessionByAccessJTI(ctx context.Context, accessTokenID *uuid.UUID) (ServiceSession, error) {
+	row := q.db.QueryRow(ctx, getServiceSessionByAccessJTI, accessTokenID)
+	var i ServiceSession
+	err := row.Scan(
+		&i.ID,
+		&i.ServiceID,
+		&i.ClientID,
+		&i.UserID,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.LastActive,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.AccessTokenID,
+		&i.RefreshTokenID,
+		&i.IsActive,
+		&i.RevokedAt,
+		&i.Scope,
+		&i.Claims,
+	)
+	return i, err
+}
+
+const getServiceSessionByRefreshJTI = `-- name: GetServiceSessionByRefreshJTI :one
+SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
+WHERE refresh_token_id = $1
+`
+
+func (q *Queries) GetServiceSessionByRefreshJTI(ctx context.Context, refreshTokenID *uuid.UUID) (ServiceSession, error) {
+	row := q.db.QueryRow(ctx, getServiceSessionByRefreshJTI, refreshTokenID)
+	var i ServiceSession
+	err := row.Scan(
+		&i.ID,
+		&i.ServiceID,
+		&i.ClientID,
+		&i.UserID,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.LastActive,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.AccessTokenID,
+		&i.RefreshTokenID,
+		&i.IsActive,
+		&i.RevokedAt,
+		&i.Scope,
+		&i.Claims,
+	)
+	return i, err
+}
+
+const getServiceSessions = `-- name: GetServiceSessions :many
+SELECT session.id, session.service_id, session.client_id, session.user_id, session.issued_at, session.expires_at, session.last_active, session.ip_address, session.user_agent, session.access_token_id, session.refresh_token_id, session.is_active, session.revoked_at, session.scope, session.claims, service.id, service.client_id, service.client_secret, service.name, service.redirect_uris, service.scopes, service.grant_types, service.created_at, service.updated_at, service.is_active, service.description, service.icon_url, u.id, u.email, u.full_name, u.password_hash, u.is_admin, u.created_at, u.updated_at, u.last_login, u.phone_number, u.profile_picture, u.created_by, u.email_verified, u.avatar_verified, u.verified
+FROM service_sessions AS session
+JOIN api_services AS service ON service.id = session.service_id
+JOIN users AS u ON u.id = session.user_id
+ORDER BY session.issued_at DESC
+LIMIT $1 OFFSET $2
+`
+
+type GetServiceSessionsParams struct {
+	Limit  int32 `json:"limit"`
+	Offset int32 `json:"offset"`
+}
+
+type GetServiceSessionsRow struct {
+	ServiceSession ServiceSession `json:"service_session"`
+	ApiService     ApiService     `json:"api_service"`
+	User           User           `json:"user"`
+}
+
+func (q *Queries) GetServiceSessions(ctx context.Context, arg GetServiceSessionsParams) ([]GetServiceSessionsRow, error) {
+	rows, err := q.db.Query(ctx, getServiceSessions, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetServiceSessionsRow
+	for rows.Next() {
+		var i GetServiceSessionsRow
+		if err := rows.Scan(
+			&i.ServiceSession.ID,
+			&i.ServiceSession.ServiceID,
+			&i.ServiceSession.ClientID,
+			&i.ServiceSession.UserID,
+			&i.ServiceSession.IssuedAt,
+			&i.ServiceSession.ExpiresAt,
+			&i.ServiceSession.LastActive,
+			&i.ServiceSession.IpAddress,
+			&i.ServiceSession.UserAgent,
+			&i.ServiceSession.AccessTokenID,
+			&i.ServiceSession.RefreshTokenID,
+			&i.ServiceSession.IsActive,
+			&i.ServiceSession.RevokedAt,
+			&i.ServiceSession.Scope,
+			&i.ServiceSession.Claims,
+			&i.ApiService.ID,
+			&i.ApiService.ClientID,
+			&i.ApiService.ClientSecret,
+			&i.ApiService.Name,
+			&i.ApiService.RedirectUris,
+			&i.ApiService.Scopes,
+			&i.ApiService.GrantTypes,
+			&i.ApiService.CreatedAt,
+			&i.ApiService.UpdatedAt,
+			&i.ApiService.IsActive,
+			&i.ApiService.Description,
+			&i.ApiService.IconUrl,
+			&i.User.ID,
+			&i.User.Email,
+			&i.User.FullName,
+			&i.User.PasswordHash,
+			&i.User.IsAdmin,
+			&i.User.CreatedAt,
+			&i.User.UpdatedAt,
+			&i.User.LastLogin,
+			&i.User.PhoneNumber,
+			&i.User.ProfilePicture,
+			&i.User.CreatedBy,
+			&i.User.EmailVerified,
+			&i.User.AvatarVerified,
+			&i.User.Verified,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getServiceSessionsCount = `-- name: GetServiceSessionsCount :one
+SELECT COUNT(*) FROM service_sessions
+`
+
+func (q *Queries) GetServiceSessionsCount(ctx context.Context) (int64, error) {
+	row := q.db.QueryRow(ctx, getServiceSessionsCount)
+	var count int64
+	err := row.Scan(&count)
+	return count, err
+}
+
+const listActiveServiceSessionsByClient = `-- name: ListActiveServiceSessionsByClient :many
+SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
+WHERE client_id = $1
+  AND is_active = TRUE
+ORDER BY issued_at DESC
+LIMIT $1 OFFSET $2
+`
+
+type ListActiveServiceSessionsByClientParams struct {
+	Limit  int32 `json:"limit"`
+	Offset int32 `json:"offset"`
+}
+
+func (q *Queries) ListActiveServiceSessionsByClient(ctx context.Context, arg ListActiveServiceSessionsByClientParams) ([]ServiceSession, error) {
+	rows, err := q.db.Query(ctx, listActiveServiceSessionsByClient, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ServiceSession
+	for rows.Next() {
+		var i ServiceSession
+		if err := rows.Scan(
+			&i.ID,
+			&i.ServiceID,
+			&i.ClientID,
+			&i.UserID,
+			&i.IssuedAt,
+			&i.ExpiresAt,
+			&i.LastActive,
+			&i.IpAddress,
+			&i.UserAgent,
+			&i.AccessTokenID,
+			&i.RefreshTokenID,
+			&i.IsActive,
+			&i.RevokedAt,
+			&i.Scope,
+			&i.Claims,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listActiveServiceSessionsByUser = `-- name: ListActiveServiceSessionsByUser :many
+SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
+WHERE user_id = $1
+  AND is_active = TRUE
+ORDER BY issued_at DESC
+LIMIT $1 OFFSET $2
+`
+
+type ListActiveServiceSessionsByUserParams struct {
+	Limit  int32 `json:"limit"`
+	Offset int32 `json:"offset"`
+}
+
+func (q *Queries) ListActiveServiceSessionsByUser(ctx context.Context, arg ListActiveServiceSessionsByUserParams) ([]ServiceSession, error) {
+	rows, err := q.db.Query(ctx, listActiveServiceSessionsByUser, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ServiceSession
+	for rows.Next() {
+		var i ServiceSession
+		if err := rows.Scan(
+			&i.ID,
+			&i.ServiceID,
+			&i.ClientID,
+			&i.UserID,
+			&i.IssuedAt,
+			&i.ExpiresAt,
+			&i.LastActive,
+			&i.IpAddress,
+			&i.UserAgent,
+			&i.AccessTokenID,
+			&i.RefreshTokenID,
+			&i.IsActive,
+			&i.RevokedAt,
+			&i.Scope,
+			&i.Claims,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listAllServiceSessions = `-- name: ListAllServiceSessions :many
+SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
+ORDER BY issued_at DESC
+LIMIT $1 OFFSET $2
+`
+
+type ListAllServiceSessionsParams struct {
+	Limit  int32 `json:"limit"`
+	Offset int32 `json:"offset"`
+}
+
+func (q *Queries) ListAllServiceSessions(ctx context.Context, arg ListAllServiceSessionsParams) ([]ServiceSession, error) {
+	rows, err := q.db.Query(ctx, listAllServiceSessions, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ServiceSession
+	for rows.Next() {
+		var i ServiceSession
+		if err := rows.Scan(
+			&i.ID,
+			&i.ServiceID,
+			&i.ClientID,
+			&i.UserID,
+			&i.IssuedAt,
+			&i.ExpiresAt,
+			&i.LastActive,
+			&i.IpAddress,
+			&i.UserAgent,
+			&i.AccessTokenID,
+			&i.RefreshTokenID,
+			&i.IsActive,
+			&i.RevokedAt,
+			&i.Scope,
+			&i.Claims,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const revokeServiceSession = `-- name: RevokeServiceSession :exec
+UPDATE service_sessions
+SET is_active = FALSE,
+    revoked_at = NOW()
+WHERE id = $1
+  AND is_active = TRUE
+`
+
+func (q *Queries) RevokeServiceSession(ctx context.Context, id uuid.UUID) error {
+	_, err := q.db.Exec(ctx, revokeServiceSession, id)
+	return err
+}
+
+const updateServiceSessionLastActive = `-- name: UpdateServiceSessionLastActive :exec
+UPDATE service_sessions
+SET last_active = NOW()
+WHERE id = $1
+  AND is_active = TRUE
+`
+
+func (q *Queries) UpdateServiceSessionLastActive(ctx context.Context, id uuid.UUID) error {
+	_, err := q.db.Exec(ctx, updateServiceSessionLastActive, id)
+	return err
+}
+
+const updateServiceSessionTokens = `-- name: UpdateServiceSessionTokens :exec
+UPDATE service_sessions
+SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
+WHERE id = $1
+  AND is_active = TRUE
+`
+
+type UpdateServiceSessionTokensParams struct {
+	ID             uuid.UUID  `json:"id"`
+	AccessTokenID  *uuid.UUID `json:"access_token_id"`
+	RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
+	ExpiresAt      *time.Time `json:"expires_at"`
+}
+
+func (q *Queries) UpdateServiceSessionTokens(ctx context.Context, arg UpdateServiceSessionTokensParams) error {
+	_, err := q.db.Exec(ctx, updateServiceSessionTokens,
+		arg.ID,
+		arg.AccessTokenID,
+		arg.RefreshTokenID,
+		arg.ExpiresAt,
+	)
+	return err
+}

internal/repository/user_sessions.sql.go

@@ -0,0 +1,334 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: user_sessions.sql
+
+package repository
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const createUserSession = `-- name: CreateUserSession :one
+INSERT INTO user_sessions (
+    user_id, session_type, issued_at, expires_at, last_active,
+    ip_address, user_agent, access_token_id, refresh_token_id,
+    device_info, is_active
+) VALUES (
+    $1, $2, NOW(), $3, $4,
+    $5, $6, $7, $8,
+    $9, TRUE
+)
+RETURNING id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at
+`
+
+type CreateUserSessionParams struct {
+	UserID         uuid.UUID  `json:"user_id"`
+	SessionType    string     `json:"session_type"`
+	ExpiresAt      *time.Time `json:"expires_at"`
+	LastActive     *time.Time `json:"last_active"`
+	IpAddress      *string    `json:"ip_address"`
+	UserAgent      *string    `json:"user_agent"`
+	AccessTokenID  *uuid.UUID `json:"access_token_id"`
+	RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
+	DeviceInfo     []byte     `json:"device_info"`
+}
+
+func (q *Queries) CreateUserSession(ctx context.Context, arg CreateUserSessionParams) (UserSession, error) {
+	row := q.db.QueryRow(ctx, createUserSession,
+		arg.UserID,
+		arg.SessionType,
+		arg.ExpiresAt,
+		arg.LastActive,
+		arg.IpAddress,
+		arg.UserAgent,
+		arg.AccessTokenID,
+		arg.RefreshTokenID,
+		arg.DeviceInfo,
+	)
+	var i UserSession
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.SessionType,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.LastActive,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.AccessTokenID,
+		&i.RefreshTokenID,
+		&i.DeviceInfo,
+		&i.IsActive,
+		&i.RevokedAt,
+	)
+	return i, err
+}
+
+const getUserSessionByAccessJTI = `-- name: GetUserSessionByAccessJTI :one
+SELECT id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at FROM user_sessions
+WHERE access_token_id = $1
+  AND is_active = TRUE
+`
+
+func (q *Queries) GetUserSessionByAccessJTI(ctx context.Context, accessTokenID *uuid.UUID) (UserSession, error) {
+	row := q.db.QueryRow(ctx, getUserSessionByAccessJTI, accessTokenID)
+	var i UserSession
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.SessionType,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.LastActive,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.AccessTokenID,
+		&i.RefreshTokenID,
+		&i.DeviceInfo,
+		&i.IsActive,
+		&i.RevokedAt,
+	)
+	return i, err
+}
+
+const getUserSessionByRefreshJTI = `-- name: GetUserSessionByRefreshJTI :one
+SELECT id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at FROM user_sessions
+WHERE refresh_token_id = $1
+`
+
+func (q *Queries) GetUserSessionByRefreshJTI(ctx context.Context, refreshTokenID *uuid.UUID) (UserSession, error) {
+	row := q.db.QueryRow(ctx, getUserSessionByRefreshJTI, refreshTokenID)
+	var i UserSession
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.SessionType,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.LastActive,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.AccessTokenID,
+		&i.RefreshTokenID,
+		&i.DeviceInfo,
+		&i.IsActive,
+		&i.RevokedAt,
+	)
+	return i, err
+}
+
+const getUserSessions = `-- name: GetUserSessions :many
+SELECT session.id, session.user_id, session.session_type, session.issued_at, session.expires_at, session.last_active, session.ip_address, session.user_agent, session.access_token_id, session.refresh_token_id, session.device_info, session.is_active, session.revoked_at, u.id, u.email, u.full_name, u.password_hash, u.is_admin, u.created_at, u.updated_at, u.last_login, u.phone_number, u.profile_picture, u.created_by, u.email_verified, u.avatar_verified, u.verified
+FROM user_sessions AS session
+JOIN users AS u ON u.id = session.user_id
+ORDER BY session.issued_at DESC
+LIMIT $1 OFFSET $2
+`
+
+type GetUserSessionsParams struct {
+	Limit  int32 `json:"limit"`
+	Offset int32 `json:"offset"`
+}
+
+type GetUserSessionsRow struct {
+	UserSession UserSession `json:"user_session"`
+	User        User        `json:"user"`
+}
+
+func (q *Queries) GetUserSessions(ctx context.Context, arg GetUserSessionsParams) ([]GetUserSessionsRow, error) {
+	rows, err := q.db.Query(ctx, getUserSessions, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetUserSessionsRow
+	for rows.Next() {
+		var i GetUserSessionsRow
+		if err := rows.Scan(
+			&i.UserSession.ID,
+			&i.UserSession.UserID,
+			&i.UserSession.SessionType,
+			&i.UserSession.IssuedAt,
+			&i.UserSession.ExpiresAt,
+			&i.UserSession.LastActive,
+			&i.UserSession.IpAddress,
+			&i.UserSession.UserAgent,
+			&i.UserSession.AccessTokenID,
+			&i.UserSession.RefreshTokenID,
+			&i.UserSession.DeviceInfo,
+			&i.UserSession.IsActive,
+			&i.UserSession.RevokedAt,
+			&i.User.ID,
+			&i.User.Email,
+			&i.User.FullName,
+			&i.User.PasswordHash,
+			&i.User.IsAdmin,
+			&i.User.CreatedAt,
+			&i.User.UpdatedAt,
+			&i.User.LastLogin,
+			&i.User.PhoneNumber,
+			&i.User.ProfilePicture,
+			&i.User.CreatedBy,
+			&i.User.EmailVerified,
+			&i.User.AvatarVerified,
+			&i.User.Verified,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getUserSessionsCount = `-- name: GetUserSessionsCount :one
+SELECT COUNT(*) FROM user_sessions
+`
+
+func (q *Queries) GetUserSessionsCount(ctx context.Context) (int64, error) {
+	row := q.db.QueryRow(ctx, getUserSessionsCount)
+	var count int64
+	err := row.Scan(&count)
+	return count, err
+}
+
+const listActiveUserSessions = `-- name: ListActiveUserSessions :many
+SELECT id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at FROM user_sessions
+WHERE user_id = $1
+  AND is_active = TRUE
+ORDER BY issued_at DESC
+`
+
+func (q *Queries) ListActiveUserSessions(ctx context.Context, userID uuid.UUID) ([]UserSession, error) {
+	rows, err := q.db.Query(ctx, listActiveUserSessions, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []UserSession
+	for rows.Next() {
+		var i UserSession
+		if err := rows.Scan(
+			&i.ID,
+			&i.UserID,
+			&i.SessionType,
+			&i.IssuedAt,
+			&i.ExpiresAt,
+			&i.LastActive,
+			&i.IpAddress,
+			&i.UserAgent,
+			&i.AccessTokenID,
+			&i.RefreshTokenID,
+			&i.DeviceInfo,
+			&i.IsActive,
+			&i.RevokedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listAllSessions = `-- name: ListAllSessions :many
+SELECT id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at FROM user_sessions
+ORDER BY issued_at DESC
+LIMIT $1 OFFSET $2
+`
+
+type ListAllSessionsParams struct {
+	Limit  int32 `json:"limit"`
+	Offset int32 `json:"offset"`
+}
+
+func (q *Queries) ListAllSessions(ctx context.Context, arg ListAllSessionsParams) ([]UserSession, error) {
+	rows, err := q.db.Query(ctx, listAllSessions, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []UserSession
+	for rows.Next() {
+		var i UserSession
+		if err := rows.Scan(
+			&i.ID,
+			&i.UserID,
+			&i.SessionType,
+			&i.IssuedAt,
+			&i.ExpiresAt,
+			&i.LastActive,
+			&i.IpAddress,
+			&i.UserAgent,
+			&i.AccessTokenID,
+			&i.RefreshTokenID,
+			&i.DeviceInfo,
+			&i.IsActive,
+			&i.RevokedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const revokeUserSession = `-- name: RevokeUserSession :exec
+UPDATE user_sessions
+SET is_active = FALSE,
+    revoked_at = NOW()
+WHERE id = $1
+  AND is_active = TRUE
+`
+
+func (q *Queries) RevokeUserSession(ctx context.Context, id uuid.UUID) error {
+	_, err := q.db.Exec(ctx, revokeUserSession, id)
+	return err
+}
+
+const updateSessionLastActive = `-- name: UpdateSessionLastActive :exec
+UPDATE user_sessions
+SET last_active = NOW()
+WHERE id = $1
+  AND is_active = TRUE
+`
+
+func (q *Queries) UpdateSessionLastActive(ctx context.Context, id uuid.UUID) error {
+	_, err := q.db.Exec(ctx, updateSessionLastActive, id)
+	return err
+}
+
+const updateSessionTokens = `-- name: UpdateSessionTokens :exec
+UPDATE user_sessions
+SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
+WHERE id = $1
+  AND is_active = TRUE
+`
+
+type UpdateSessionTokensParams struct {
+	ID             uuid.UUID  `json:"id"`
+	AccessTokenID  *uuid.UUID `json:"access_token_id"`
+	RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
+	ExpiresAt      *time.Time `json:"expires_at"`
+}
+
+func (q *Queries) UpdateSessionTokens(ctx context.Context, arg UpdateSessionTokensParams) error {
+	_, err := q.db.Exec(ctx, updateSessionTokens,
+		arg.ID,
+		arg.AccessTokenID,
+		arg.RefreshTokenID,
+		arg.ExpiresAt,
+	)
+	return err
+}

internal/types/apiservices.go

@@ -0,0 +1,38 @@
+package types
+
+import (
+	"time"
+
+	"gitea.local/admin/hspguard/internal/repository"
+	"github.com/google/uuid"
+)
+
+type ApiServiceDTO struct {
+	ID           uuid.UUID `json:"id"`
+	ClientID     string    `json:"client_id"`
+	Name         string    `json:"name"`
+	Description  *string   `json:"description"`
+	IconUrl      *string   `json:"icon_url"`
+	RedirectUris []string  `json:"redirect_uris"`
+	Scopes       []string  `json:"scopes"`
+	GrantTypes   []string  `json:"grant_types"`
+	CreatedAt    time.Time `json:"created_at"`
+	UpdatedAt    time.Time `json:"updated_at"`
+	IsActive     bool      `json:"is_active"`
+}
+
+func NewApiServiceDTO(service repository.ApiService) ApiServiceDTO {
+	return ApiServiceDTO{
+		ID:           service.ID,
+		ClientID:     service.ClientID,
+		Name:         service.Name,
+		Description:  service.Description,
+		IconUrl:      service.IconUrl,
+		RedirectUris: service.RedirectUris,
+		Scopes:       service.Scopes,
+		GrantTypes:   service.GrantTypes,
+		CreatedAt:    service.CreatedAt,
+		UpdatedAt:    service.UpdatedAt,
+		IsActive:     service.IsActive,
+	}
+}

internal/types/device.go

@@ -0,0 +1,12 @@
+package types
+
+type DeviceInfo struct {
+	DeviceType     string `json:"device_type"`
+	OS             string `json:"os"`
+	OSVersion      string `json:"os_version"`
+	Browser        string `json:"browser"`
+	BrowserVersion string `json:"browser_version"`
+	DeviceName     string `json:"device_name"`
+	UserAgent      string `json:"user_agent"`
+	Location       string `json:"location"`
+}

internal/types/middleware.go

@@ -3,4 +3,4 @@ package types
 type contextKey string
 
 const UserIdKey contextKey = "userID"
-
+const JTIKey contextKey = "jti"

internal/types/session.go

@@ -0,0 +1,29 @@
+package types
+
+import "gitea.local/admin/hspguard/internal/repository"
+
+type ServiceSessionDTO struct {
+	User       UserDTO       `json:"user"`
+	ApiService ApiServiceDTO `json:"api_service"`
+	repository.ServiceSession
+}
+
+func NewServiceSessionDTO(row *repository.GetServiceSessionsRow) *ServiceSessionDTO {
+	return &ServiceSessionDTO{
+		User:           NewUserDTO(&row.User),
+		ApiService:     NewApiServiceDTO(row.ApiService),
+		ServiceSession: row.ServiceSession,
+	}
+}
+
+type UserSessionDTO struct {
+	User UserDTO `json:"user"`
+	repository.UserSession
+}
+
+func NewUserSessionDTO(row *repository.GetUserSessionsRow) *UserSessionDTO {
+	return &UserSessionDTO{
+		User:        NewUserDTO(&row.User),
+		UserSession: row.UserSession,
+	}
+}

internal/types/token.go

@@ -0,0 +1,21 @@
+package types
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type SignedToken struct {
+	Token     string
+	ExpiresAt time.Time
+	ID        uuid.UUID
+}
+
+func NewSignedToken(token string, expiresAt time.Time, jti uuid.UUID) *SignedToken {
+	return &SignedToken{
+		Token:     token,
+		ExpiresAt: expiresAt,
+		ID:        jti,
+	}
+}

internal/user/routes.go

@@ -38,7 +38,7 @@ func NewUserHandler(repo *repository.Queries, minio *storage.FileStorage, cfg *c
 
 func (h *UserHandler) RegisterRoutes(api chi.Router) {
 	api.Group(func(protected chi.Router) {
-		authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
+		authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
 		protected.Use(authMiddleware.Runner)
 
 		protected.Put("/avatar", h.uploadAvatar)

internal/util/location.go

@@ -0,0 +1,46 @@
+package util
+
+import (
+	"encoding/json"
+	"log"
+	"net"
+	"net/http"
+	"strings"
+)
+
+type LocationResult struct {
+	Country string `json:"country"`
+	Region  string `json:"regionName"`
+	City    string `json:"city"`
+}
+
+func GetLocation(ip string) (LocationResult, error) {
+	var loc LocationResult
+	// Example using ipinfo.io free API
+	resp, err := http.Get("http://ip-api.com/json/" + ip + "?fields=25")
+	if err != nil {
+		return loc, err
+	}
+	defer resp.Body.Close()
+	json.NewDecoder(resp.Body).Decode(&loc)
+	return loc, nil
+}
+
+func GetClientIP(r *http.Request) string {
+	// This header will be set by ngrok to the original client IP
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+		log.Printf("DEBUG: Getting IP from X-Forwarded-For: %s\n", xff)
+		// X-Forwarded-For: client, proxy1, proxy2, ...
+		ips := strings.Split(xff, ",")
+		if len(ips) > 0 {
+			return strings.TrimSpace(ips[0])
+		}
+	}
+	// Fallback to RemoteAddr (not the real client IP, but just in case)
+	host, _, err := net.SplitHostPort(r.RemoteAddr)
+	log.Printf("DEBUG: Falling to request remote addr: %s (%s)\n", host, r.RemoteAddr)
+	if err != nil {
+		return r.RemoteAddr
+	}
+	return host
+}

internal/util/request.go

@@ -11,3 +11,7 @@ func GetRequestUserId(ctx context.Context) (string, bool) {
 	return userId, ok
 }
 
+func GetRequestJTI(ctx context.Context) (string, bool) {
+	jti, ok := ctx.Value(types.JTIKey).(string)
+	return jti, ok
+}

internal/util/session.go

@@ -0,0 +1,39 @@
+package util
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+
+	"gitea.local/admin/hspguard/internal/types"
+	"github.com/avct/uasurfer"
+)
+
+func BuildDeviceInfo(userAgent string, remoteAddr string) []byte {
+	var deviceInfo types.DeviceInfo
+
+	parsed := uasurfer.Parse(userAgent)
+
+	deviceInfo.Browser = parsed.Browser.Name.StringTrimPrefix()
+	deviceInfo.BrowserVersion = fmt.Sprintf("%d.%d.%d", parsed.Browser.Version.Major, parsed.Browser.Version.Minor, parsed.Browser.Version.Patch)
+	deviceInfo.DeviceName = fmt.Sprintf("%s %s", parsed.OS.Platform.StringTrimPrefix(), parsed.OS.Name.StringTrimPrefix())
+	deviceInfo.DeviceType = parsed.DeviceType.StringTrimPrefix()
+	deviceInfo.OS = parsed.OS.Platform.StringTrimPrefix()
+	deviceInfo.OSVersion = fmt.Sprintf("%d.%d.%d", parsed.OS.Version.Major, parsed.OS.Version.Minor, parsed.OS.Version.Patch)
+	deviceInfo.UserAgent = userAgent
+
+	if location, err := GetLocation(remoteAddr); err != nil {
+		log.Printf("WARN: Failed to get location from ip (%s): %v\n", remoteAddr, err)
+	} else {
+		log.Printf("DEBUG: Response from IP fetcher: %#v\n", location)
+		deviceInfo.Location = fmt.Sprintf("%s, %s, %s", location.Country, location.Region, location.City)
+	}
+
+	serialized, err := json.Marshal(deviceInfo)
+	if err != nil {
+		log.Printf("ERR: Failed to serialize device info: %v\n", err)
+		serialized = []byte{'{', '}'}
+	}
+
+	return serialized
+}

migrations/00011_add_user_sessions_table.sql

@@ -0,0 +1,34 @@
+-- +goose Up
+-- +goose StatementBegin
+CREATE TABLE user_sessions (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
+    user_id UUID REFERENCES users (id) NOT NULL,
+    session_type VARCHAR(32) NOT NULL DEFAULT 'user', -- e.g. 'user', 'admin'
+    issued_at TIMESTAMP
+    WITH
+        TIME ZONE NOT NULL DEFAULT NOW (),
+        expires_at TIMESTAMP
+    WITH
+        TIME ZONE,
+        last_active TIMESTAMP
+    WITH
+        TIME ZONE,
+        ip_address VARCHAR(45), -- supports IPv4/IPv6
+        user_agent TEXT,
+        access_token_id UUID,
+        refresh_token_id UUID,
+        device_info JSONB, -- optional: structured info (browser, OS, etc.)
+        is_active BOOLEAN NOT NULL DEFAULT TRUE,
+        revoked_at TIMESTAMP
+    WITH
+        TIME ZONE
+);
+
+CREATE INDEX IF NOT EXISTS idx_user_sessions_user_id ON user_sessions (user_id);
+
+-- +goose StatementEnd
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS user_sessions;
+
+-- +goose StatementEnd

migrations/00012_add_service_sessions.sql

@@ -0,0 +1,38 @@
+-- +goose Up
+-- +goose StatementBegin
+CREATE TABLE service_sessions (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
+    service_id UUID REFERENCES api_services (id) NOT NULL,
+    client_id TEXT NOT NULL,
+    user_id UUID REFERENCES users (id), -- user on behalf of whom the service is acting, nullable for direct use with client creds
+    issued_at TIMESTAMP
+    WITH
+        TIME ZONE NOT NULL DEFAULT NOW (),
+        expires_at TIMESTAMP
+    WITH
+        TIME ZONE,
+        last_active TIMESTAMP
+    WITH
+        TIME ZONE,
+        ip_address VARCHAR(45),
+        user_agent TEXT,
+        access_token_id UUID,
+        refresh_token_id UUID,
+        is_active BOOLEAN NOT NULL DEFAULT TRUE,
+        revoked_at TIMESTAMP
+    WITH
+        TIME ZONE,
+        scope TEXT, -- what scopes/permissions this session was issued for
+        claims JSONB -- snapshot of claims at session start, optional
+);
+
+CREATE INDEX IF NOT EXISTS idx_service_sessions_client_id ON service_sessions (client_id);
+
+CREATE INDEX IF NOT EXISTS idx_service_sessions_user_id ON service_sessions (user_id);
+
+-- +goose StatementEnd
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS service_sessions;
+
+-- +goose StatementEnd

queries/service_sessions.sql

@@ -0,0 +1,69 @@
+-- name: CreateServiceSession :one
+INSERT INTO service_sessions (
+    service_id, client_id, user_id, issued_at, expires_at, last_active,
+    ip_address, user_agent, access_token_id, refresh_token_id,
+    is_active, scope, claims
+) VALUES (
+    $1, $2, $3, NOW(), $4, $5,
+    $6, $7, $8, $9,
+    TRUE, $10, $11
+)
+RETURNING *;
+
+-- name: ListActiveServiceSessionsByClient :many
+SELECT * FROM service_sessions
+WHERE client_id = $1
+  AND is_active = TRUE
+ORDER BY issued_at DESC
+LIMIT $1 OFFSET $2;
+
+-- name: ListActiveServiceSessionsByUser :many
+SELECT * FROM service_sessions
+WHERE user_id = $1
+  AND is_active = TRUE
+ORDER BY issued_at DESC
+LIMIT $1 OFFSET $2;
+
+-- name: GetServiceSessionByAccessJTI :one
+SELECT * FROM service_sessions
+WHERE access_token_id = $1
+  AND is_active = TRUE;
+
+-- name: GetServiceSessionByRefreshJTI :one
+SELECT * FROM service_sessions
+WHERE refresh_token_id = $1;
+
+-- name: RevokeServiceSession :exec
+UPDATE service_sessions
+SET is_active = FALSE,
+    revoked_at = NOW()
+WHERE id = $1
+  AND is_active = TRUE;
+
+-- name: UpdateServiceSessionLastActive :exec
+UPDATE service_sessions
+SET last_active = NOW()
+WHERE id = $1
+  AND is_active = TRUE;
+
+-- name: UpdateServiceSessionTokens :exec
+UPDATE service_sessions
+SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
+WHERE id = $1
+  AND is_active = TRUE;
+
+-- name: ListAllServiceSessions :many
+SELECT * FROM service_sessions
+ORDER BY issued_at DESC
+LIMIT $1 OFFSET $2;
+
+-- name: GetServiceSessions :many
+SELECT sqlc.embed(session), sqlc.embed(service), sqlc.embed(u)
+FROM service_sessions AS session
+JOIN api_services AS service ON service.id = session.service_id
+JOIN users AS u ON u.id = session.user_id
+ORDER BY session.issued_at DESC
+LIMIT $1 OFFSET $2;
+
+-- name: GetServiceSessionsCount :one
+SELECT COUNT(*) FROM service_sessions;

queries/user_sessions.sql

@@ -0,0 +1,60 @@
+-- name: CreateUserSession :one
+INSERT INTO user_sessions (
+    user_id, session_type, issued_at, expires_at, last_active,
+    ip_address, user_agent, access_token_id, refresh_token_id,
+    device_info, is_active
+) VALUES (
+    $1, $2, NOW(), $3, $4,
+    $5, $6, $7, $8,
+    $9, TRUE
+)
+RETURNING *;
+
+-- name: ListActiveUserSessions :many
+SELECT * FROM user_sessions
+WHERE user_id = $1
+  AND is_active = TRUE
+ORDER BY issued_at DESC;
+
+-- name: GetUserSessionByAccessJTI :one
+SELECT * FROM user_sessions
+WHERE access_token_id = $1
+  AND is_active = TRUE;
+
+-- name: GetUserSessionByRefreshJTI :one
+SELECT * FROM user_sessions
+WHERE refresh_token_id = $1;
+
+-- name: RevokeUserSession :exec
+UPDATE user_sessions
+SET is_active = FALSE,
+    revoked_at = NOW()
+WHERE id = $1
+  AND is_active = TRUE;
+
+-- name: UpdateSessionLastActive :exec
+UPDATE user_sessions
+SET last_active = NOW()
+WHERE id = $1
+  AND is_active = TRUE;
+
+-- name: UpdateSessionTokens :exec
+UPDATE user_sessions
+SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
+WHERE id = $1
+  AND is_active = TRUE;
+
+-- name: ListAllSessions :many
+SELECT * FROM user_sessions
+ORDER BY issued_at DESC
+LIMIT $1 OFFSET $2;
+
+-- name: GetUserSessions :many
+SELECT sqlc.embed(session), sqlc.embed(u)
+FROM user_sessions AS session
+JOIN users AS u ON u.id = session.user_id
+ORDER BY session.issued_at DESC
+LIMIT $1 OFFSET $2;
+
+-- name: GetUserSessionsCount :one
+SELECT COUNT(*) FROM user_sessions;

sqlc.yaml

@@ -41,20 +41,39 @@ sql:
           # ───── text ──────────────────────────────────────────
           - db_type: "pg_catalog.text"
             go_type: { type: "string" }
-          - db_type: "text" # or just "bool"
+
+          - db_type: "text"
             go_type: { type: "string" }
 
           - db_type: "pg_catalog.text"
             nullable: true
             go_type:
               type: "string"
-              pointer: true # ⇒ *bool for NULLable columns
+              pointer: true
 
           - db_type: "text"
             nullable: true
             go_type:
               type: "string"
-              pointer: true # ⇒ *bool for NULLable columns
+              pointer: true
+
+          - db_type: "pg_catalog.varchar"
+            go_type: { type: "string" }
+
+          - db_type: "varchar"
+            go_type: { type: "string" }
+
+          - db_type: "pg_catalog.varchar"
+            nullable: true
+            go_type:
+              type: "string"
+              pointer: true
+
+          - db_type: "varchar"
+            nullable: true
+            go_type:
+              type: "string"
+              pointer: true
 
           # ───── timestamp (WITHOUT TZ) ────────────────────────
           - db_type: "pg_catalog.timestamp" # or "timestamp"

web/package-lock.json

@@ -12,6 +12,7 @@
         "axios": "^1.9.0",
         "idb": "^8.0.3",
         "lucide-react": "^0.511.0",
+        "moment": "^2.30.1",
         "next-themes": "^0.4.6",
         "react": "^19.1.0",
         "react-dom": "^19.1.0",
@@ -3809,6 +3810,15 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
+    "node_modules/moment": {
+      "version": "2.30.1",
+      "resolved": "https://registry.npmjs.org/moment/-/moment-2.30.1.tgz",
+      "integrity": "sha512-uEmtNhbDOrWPFS+hdjFCBfy9f2YoyzRpwcl+DqpC6taX21FzsTLQVbMV/W7PzNSX6x/bhC1zA3c2UQ5NzH6how==",
+      "license": "MIT",
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/ms": {
       "version": "2.1.3",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",

web/package.json

@@ -15,6 +15,7 @@
     "axios": "^1.9.0",
     "idb": "^8.0.3",
     "lucide-react": "^0.511.0",
+    "moment": "^2.30.1",
     "next-themes": "^0.4.6",
     "react": "^19.1.0",
     "react-dom": "^19.1.0",

web/src/App.tsx

@@ -25,6 +25,8 @@ import VerifyEmailPage from "./pages/Verify/Email";
 import VerifyEmailOtpPage from "./pages/Verify/Email/OTP";
 import VerifyAvatarPage from "./pages/Verify/Avatar";
 import VerifyReviewPage from "./pages/Verify/Review";
+import AdminUserSessionsPage from "./pages/Admin/UserSessions";
+import AdminServiceSessionsPage from "./pages/Admin/ServiceSessions";
 
 const router = createBrowserRouter([
   {
@@ -81,6 +83,16 @@ const router = createBrowserRouter([
                   // },
                 ],
               },
+              {
+                path: "user-sessions",
+                children: [{ index: true, element: <AdminUserSessionsPage /> }],
+              },
+              {
+                path: "service-sessions",
+                children: [
+                  { index: true, element: <AdminServiceSessionsPage /> },
+                ],
+              },
             ],
           },
         ],

web/src/api/admin/sessions.ts

@@ -0,0 +1,78 @@
+import type { ServiceSession, UserSession } from "@/types";
+import { axios, handleApiError } from "..";
+
+export interface FetchUserSessionsRequest {
+  page: number;
+  size: number;
+}
+
+export interface FetchUserSessionsResponse {
+  items: UserSession[];
+  page: number;
+  total_pages: number;
+}
+
+export const adminGetUserSessionsApi = async (
+  req: FetchUserSessionsRequest,
+): Promise<FetchUserSessionsResponse> => {
+  const response = await axios.get<FetchUserSessionsResponse>(
+    "/api/v1/admin/user-sessions",
+    {
+      params: req,
+    },
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+
+  return response.data;
+};
+
+export const adminRevokeUserSessionApi = async (
+  sessionId: string,
+): Promise<void> => {
+  const response = await axios.patch<FetchServiceSessionsResponse>(
+    `/api/v1/admin/user-sessions/revoke/${sessionId}`,
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+};
+
+export interface FetchServiceSessionsRequest {
+  page: number;
+  size: number;
+}
+
+export interface FetchServiceSessionsResponse {
+  items: ServiceSession[];
+  page: number;
+  total_pages: number;
+}
+
+export const adminGetServiceSessionsApi = async (
+  req: FetchServiceSessionsRequest,
+): Promise<FetchServiceSessionsResponse> => {
+  const response = await axios.get<FetchServiceSessionsResponse>(
+    "/api/v1/admin/service-sessions",
+    {
+      params: req,
+    },
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+
+  return response.data;
+};
+
+export const adminRevokeServiceSessionApi = async (
+  sessionId: string,
+): Promise<void> => {
+  const response = await axios.patch<FetchServiceSessionsResponse>(
+    `/api/v1/admin/service-sessions/revoke/${sessionId}`,
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+};

web/src/api/index.ts

@@ -27,11 +27,13 @@ const processRefreshQueue = async (token: string | null) => {
 
 const logout = async (accountId: string) => {
   const db = useDbStore.getState().db;
-  const requireSignIn = useAuth.getState().requireSignIn;
+  const { requireSignIn, loadAccounts } = useAuth.getState();
 
   if (db) {
     await deleteAccount(db, accountId);
   }
+  await loadAccounts();
+
   requireSignIn?.();
 };
 

web/src/api/signout.ts

@@ -0,0 +1,21 @@
+import axios from "axios";
+import { handleApiError } from ".";
+
+export const signoutApi = async (token: string) => {
+  const response = await axios.post(
+    "/api/v1/auth/signout",
+    {},
+    {
+      headers: {
+        Authorization: `Bearer ${token}`,
+      },
+    },
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+
+  const data = response.data;
+
+  return data;
+};

web/src/components/Home/Sidebar/index.tsx

@@ -7,17 +7,32 @@ const Sidebar: FC = () => {
 
   return (
     <div className="hidden sm:flex flex-col gap-2 items-stretch border-r border-gray-300 dark:border-gray-700 min-w-80 w-80 p-5 pt-18 min-h-screen select-none">
-      {barItems.map((item) => (
-        <Link to={item.pathname} key={item.tab}>
+      {barItems.map((item, index) =>
+        item.type !== "delimiter" ? (
+          <Link to={item.pathname} key={item.tab}>
+            <div
+              className={`dark:text-gray-200 transition-colors text-sm cursor-pointer p-4 rounded-lg flex flex-row items-center gap-3${
+                isActive(item) ? " bg-gray-200 dark:bg-gray-900" : ""
+              }`}
+            >
+              {item.icon} {item.title}
+            </div>
+          </Link>
+        ) : (
           <div
-            className={`dark:text-gray-200 transition-colors text-sm cursor-pointer p-4 rounded-lg flex flex-row items-center gap-3${
-              isActive(item) ? " bg-gray-200 dark:bg-gray-900" : ""
-            }`}
+            key={item.key}
+            className={`flex flex-row items-center gap-4 my-2 ${index === 0 ? "mt-0" : "mt-4"}`}
           >
-            {item.icon} {item.title}
+            <div className="w-full h-[2px] rounded-lg bg-gray-800"></div>
+            {typeof item.title === "string" && (
+              <p className="text-gray-800 dark:text-gray-400 text-sm">
+                {item.title}
+              </p>
+            )}
+            <div className="w-full h-[2px] rounded-lg bg-gray-800"></div>
           </div>
-        </Link>
-      ))}
+        ),
+      )}
     </div>
   );
 };

web/src/components/Home/TopBar/index.tsx

@@ -7,19 +7,21 @@ const TopBar: FC = () => {
 
   return (
     <div className="sm:hidden flex w-full overflow-x-auto sm:overflow-x-visible max-w-full min-w-full sm:justify-center sm:space-x-4 no-scrollbar shadow-md shadow-gray-300 dark:shadow-gray-700 dark:bg-black/70 bg-white/70">
-      {barItems.map((item) => (
-        <Link to={item.pathname} key={item.tab}>
-          <div
-            className={`flex-shrink-0 transition-all border-b-4 px-4 py-2 min-w-[120px] sm:min-w-0 sm:flex-1 flex items-center justify-center cursor-pointer select-none whitespace-nowrap text-sm font-medium ${
-              isActive(item)
-                ? " border-b-4 border-b-blue-500 text-blue-500"
-                : " border-b-transparent text-gray-500"
-            }`}
-          >
-            {item.title}
-          </div>
-        </Link>
-      ))}
+      {barItems
+        .filter((item) => item.type !== "delimiter")
+        .map((item) => (
+          <Link to={item.pathname} key={item.tab}>
+            <div
+              className={`flex-shrink-0 transition-all border-b-4 px-4 py-2 min-w-[120px] sm:min-w-0 sm:flex-1 flex items-center justify-center cursor-pointer select-none whitespace-nowrap text-sm font-medium ${
+                isActive(item)
+                  ? " border-b-4 border-b-blue-500 text-blue-500"
+                  : " border-b-transparent text-gray-500"
+              }`}
+            >
+              {item.title}
+            </div>
+          </Link>
+        ))}
     </div>
   );
 };

web/src/components/ui/pagination.tsx

@@ -0,0 +1,64 @@
+import { ArrowLeft, ArrowRight } from "lucide-react";
+import React, { useCallback } from "react";
+import { Button } from "./button";
+
+type PaginationProps = {
+  currentPage: number;
+  totalPages: number;
+  onPageChange: (page: number) => void;
+};
+
+const Pagination: React.FC<PaginationProps> = ({
+  currentPage,
+  totalPages,
+  onPageChange,
+}) => {
+  const getPageNumbers = useCallback(() => {
+    const delta = 2;
+    const pages = [];
+
+    for (
+      let i = Math.max(1, currentPage - delta);
+      i <= Math.min(totalPages, currentPage + delta);
+      i++
+    ) {
+      pages.push(i);
+    }
+
+    return pages;
+  }, [currentPage, totalPages]);
+
+  if (totalPages <= 1) return null;
+
+  return (
+    <nav className="flex justify-center items-center gap-2 mt-4">
+      <Button
+        onClick={() => onPageChange(currentPage - 1)}
+        disabled={currentPage === 1}
+        variant="outlined"
+      >
+        <ArrowLeft size={17} />
+      </Button>
+
+      {getPageNumbers().map((page) => (
+        <Button
+          key={page}
+          onClick={() => onPageChange(page)}
+          variant={page === currentPage ? "contained" : "outlined"}
+        >
+          <p className="text-sm">{page}</p>
+        </Button>
+      ))}
+
+      <Button
+        onClick={() => onPageChange(currentPage + 1)}
+        disabled={currentPage === totalPages}
+        variant="outlined"
+      >
+        <ArrowRight size={17} />
+      </Button>
+    </nav>
+  );
+};
+
+export default Pagination;

web/src/hooks/barItems.tsx

@@ -1,21 +1,31 @@
 import { useAuth } from "@/store/auth";
-import { Blocks, Home, Settings2, User, Users } from "lucide-react";
+import { Blocks, EarthLock, Home, User, UserLock, Users } from "lucide-react";
 import { useCallback, type ReactNode } from "react";
 import { useLocation } from "react-router";
 
+export interface BarDelimiter {
+  type: "delimiter";
+  key: string;
+  title?: string;
+}
+
 export interface BarItem {
+  type?: "nav";
   icon: ReactNode;
   title: string;
   tab: string;
   pathname: string;
 }
 
-export const useBarItems = (): [BarItem[], (item: BarItem) => boolean] => {
+export type Item = BarItem | BarDelimiter;
+
+export const useBarItems = (): [Item[], (item: Item) => boolean] => {
   const profile = useAuth((state) => state.profile);
   const location = useLocation();
 
   const isActive = useCallback(
-    (item: BarItem) => {
+    (item: Item) => {
+      if (item.type === "delimiter") return false;
       if (item.pathname === "/") return location.pathname === item.pathname;
       return location.pathname.startsWith(item.pathname);
     },
@@ -28,6 +38,11 @@ export const useBarItems = (): [BarItem[], (item: BarItem) => boolean] => {
 
   return [
     [
+      {
+        type: "delimiter" as const,
+        title: "Basic",
+        key: "basic-del",
+      },
       {
         icon: <Home />,
         title: "Home",
@@ -40,14 +55,20 @@ export const useBarItems = (): [BarItem[], (item: BarItem) => boolean] => {
         tab: "personal-info",
         pathname: "/personal-info",
       },
-      {
-        icon: <Settings2 />,
-        title: "Data & Personalization",
-        tab: "data-personalization",
-        pathname: "/data-personalize",
-      },
+      // TODO:
+      // {
+      //   icon: <Settings2 />,
+      //   title: "Data & Personalization",
+      //   tab: "data-personalization",
+      //   pathname: "/data-personalize",
+      // },
       ...(profile.is_admin
         ? [
+            {
+              type: "delimiter" as const,
+              title: "Admin",
+              key: "admin-del",
+            },
             {
               icon: <Blocks />,
               title: "API Services",
@@ -60,6 +81,18 @@ export const useBarItems = (): [BarItem[], (item: BarItem) => boolean] => {
               tab: "admin.users",
               pathname: "/admin/users",
             },
+            {
+              icon: <UserLock />,
+              title: "User Sessions",
+              tab: "admin.user-sessions",
+              pathname: "/admin/user-sessions",
+            },
+            {
+              icon: <EarthLock />,
+              title: "Service Sessions",
+              tab: "admin.service-sessions",
+              pathname: "/admin/service-sessions",
+            },
           ]
         : []),
     ],

web/src/pages/Admin/ApiServices/Create/index.tsx

@@ -33,9 +33,9 @@ const ApiServiceCreatePage: FC = () => {
   const credentials = useApiServices((state) => state.createdCredentials);
 
   const onSubmit = useCallback(
-    (data: FormData) => {
+    async (data: FormData) => {
       console.log("Form submitted:", data);
-      createApiService({
+      await createApiService({
         name: data.name,
         description: data.description ?? "",
         redirect_uris: data.redirectUris.trim().split("\n"),
@@ -45,6 +45,9 @@ const ApiServiceCreatePage: FC = () => {
           : ["authorization_code"],
         is_active: data.enabled,
       });
+      // if (success) {
+      //   navigate("/admin/api-services");
+      // }
     },
     [createApiService],
   );

web/src/pages/Admin/ServiceSessions/index.tsx

@@ -0,0 +1,214 @@
+import Breadcrumbs from "@/components/ui/breadcrumbs";
+import { Button } from "@/components/ui/button";
+import Avatar from "@/feature/Avatar";
+import { Ban } from "lucide-react";
+import { useCallback, useEffect, type FC } from "react";
+import { Link } from "react-router";
+import moment from "moment";
+import Pagination from "@/components/ui/pagination";
+import { useAuth } from "@/store/auth";
+import { useServiceSessions } from "@/store/admin/serviceSessions";
+
+const AdminServiceSessionsPage: FC = () => {
+  const loading = useServiceSessions((s) => s.loading);
+  const sessions = useServiceSessions((s) => s.items);
+
+  const page = useServiceSessions((s) => s.page);
+  const totalPages = useServiceSessions((s) => s.totalPages);
+
+  const fetchSessions = useServiceSessions((s) => s.fetch);
+  const revokeSession = useServiceSessions((s) => s.revoke);
+
+  const revokingId = useServiceSessions((s) => s.revokingId);
+
+  const profile = useAuth((s) => s.profile);
+
+  const handleRevokeSession = useCallback(
+    (id: string) => {
+      revokeSession(id);
+    },
+    [revokeSession],
+  );
+
+  useEffect(() => {
+    fetchSessions(1);
+  }, [fetchSessions]);
+
+  return (
+    <div className="relative flex flex-col items-stretch w-full">
+      <div className="p-4">
+        <Breadcrumbs
+          className="pb-2"
+          items={[
+            {
+              href: "/admin",
+              label: "Admin",
+            },
+            {
+              label: "Service Sessions",
+            },
+          ]}
+        />
+      </div>
+      <div className="p-4 flex flex-row items-center justify-between">
+        <p className="text-gray-800 dark:text-gray-300">Search...</p>
+        {/* TODO: Filters */}
+      </div>
+
+      <div className="flex-1 overflow-x-auto">
+        <table className="relative min-w-full border-l-0 border border-gray-300 dark:border-gray-700 border-collapse divide-y divide-gray-200 dark:divide-gray-800">
+          {loading && (
+            <div className="absolute inset-0 z-10 flex items-center justify-center bg-white/60 dark:bg-gray-900/60 backdrop-blur-sm">
+              <div className="text-gray-800 dark:text-gray-200 font-medium">
+                Loading...
+              </div>
+            </div>
+          )}
+
+          <thead className="bg-black/5 dark:bg-white/5 text-nowrap">
+            <tr>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Service
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                User + IP
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Status
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Issued At
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Expires At
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Last Active
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Revoked At
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Actions
+              </th>
+            </tr>
+          </thead>
+          <tbody className="divide-y divide-gray-200 dark:divide-gray-700">
+            {!loading && sessions.length === 0 ? (
+              <tr>
+                <td
+                  colSpan={5}
+                  className="px-6 py-12 text-center text-gray-500 dark:text-gray-400"
+                >
+                  No sessions found.
+                </td>
+              </tr>
+            ) : (
+              sessions.map((session) => (
+                <tr
+                  key={session.id}
+                  className="hover:bg-gray-50 dark:hover:bg-gray-800"
+                >
+                  <td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
+                    {/* <SessionSource deviceInfo={session.} /> */}
+                    {typeof session.api_service?.icon_url === "string" && (
+                      <Avatar
+                        avatarId={session.api_service.icon_url}
+                        className="w-7 h-7 min-w-7"
+                      />
+                    )}
+                    <Link to={`/admin/api-services/view/${session.service_id}`}>
+                      <p className="cursor-pointer text-blue-500 text-nowrap">
+                        {session.api_service?.name ?? session.client_id}
+                      </p>
+                    </Link>
+                  </td>
+
+                  <td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
+                    <div className="flex flex-col items-stretch gap-2 justify-start">
+                      <div className="flex flex-row items-center gap-2 justify-start">
+                        {typeof session.user?.profile_picture === "string" && (
+                          <Avatar
+                            avatarId={session.user.profile_picture}
+                            className="w-7 h-7 min-w-7"
+                          />
+                        )}
+
+                        <div className="flex flex-col items-stretch justify-center">
+                          <Link to={`/admin/users/view/${session.user_id}`}>
+                            <p className="cursor-pointer text-blue-500 text-nowrap">
+                              {session.user?.full_name ?? ""}{" "}
+                              {session.user_id === profile?.id ? "(You)" : ""}
+                            </p>
+                          </Link>
+                          <p className="opacity-75">
+                            {session.ip_address ?? "No IP available"}
+                          </p>
+                        </div>
+                      </div>
+                    </div>
+                  </td>
+                  <td className="px-5 py-3 text-sm border border-gray-300 dark:border-gray-700">
+                    <span
+                      className={`inline-block px-2 py-1 text-xs rounded-full font-semibold ${
+                        !session.is_active ||
+                        (session.expires_at &&
+                          moment(session.expires_at).isSameOrBefore(
+                            moment(new Date()),
+                          ))
+                          ? "bg-red-100 text-red-800 dark:bg-red-900 dark:text-red-300"
+                          : "bg-green-100 text-green-800 dark:bg-green-900 dark:text-green-300"
+                      }`}
+                    >
+                      {session.is_active ? "Active" : "Inactive"}
+                      {moment(session.expires_at).isSameOrBefore(
+                        moment(new Date()),
+                      ) && " (Expired)"}
+                    </span>
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {moment(session.issued_at).format("LLLL")}
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {session.expires_at
+                      ? moment(session.expires_at).format("LLLL")
+                      : "never"}
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {session.last_active
+                      ? moment(session.last_active).format("LLLL")
+                      : "never"}
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {session.revoked_at
+                      ? new Date(session.revoked_at).toLocaleString()
+                      : "never"}
+                  </td>
+                  <td>
+                    <div className="flex flex-row items-center justify-center gap-2">
+                      <Button
+                        variant="contained"
+                        className="bg-red-500 hover:bg-red-600 !px-1.5 !py-1.5"
+                        onClick={() => handleRevokeSession(session.id)}
+                        disabled={revokingId === session.id}
+                      >
+                        <Ban size={18} />
+                      </Button>
+                    </div>
+                  </td>
+                </tr>
+              ))
+            )}
+          </tbody>
+        </table>
+      </div>
+      <Pagination
+        currentPage={page}
+        onPageChange={(newPage) => fetchSessions(newPage)}
+        totalPages={totalPages}
+      />
+    </div>
+  );
+};
+
+export default AdminServiceSessionsPage;

web/src/pages/Admin/UserSessions/index.tsx

@@ -0,0 +1,209 @@
+import Breadcrumbs from "@/components/ui/breadcrumbs";
+import { Button } from "@/components/ui/button";
+import Avatar from "@/feature/Avatar";
+import type { DeviceInfo } from "@/types";
+import { Ban } from "lucide-react";
+import { useCallback, useEffect, useMemo, type FC } from "react";
+import { Link } from "react-router";
+import moment from "moment";
+import Pagination from "@/components/ui/pagination";
+import { useUserSessions } from "@/store/admin/userSessions";
+import { useAuth } from "@/store/auth";
+
+const SessionSource: FC<{ deviceInfo: string }> = ({ deviceInfo }) => {
+  const parsed = useMemo<DeviceInfo>(
+    () => JSON.parse(atob(deviceInfo)),
+    [deviceInfo],
+  );
+
+  return (
+    <p>
+      {parsed.os} {parsed.os_version} {parsed.browser} {parsed.browser_version}
+    </p>
+  );
+};
+
+const AdminUserSessionsPage: FC = () => {
+  const loading = useUserSessions((s) => s.loading);
+  const sessions = useUserSessions((s) => s.items);
+
+  const page = useUserSessions((s) => s.page);
+  const totalPages = useUserSessions((s) => s.totalPages);
+
+  const fetchSessions = useUserSessions((s) => s.fetch);
+  const revokeSession = useUserSessions((s) => s.revoke);
+
+  const revokingId = useUserSessions((s) => s.revokingId);
+
+  const profile = useAuth((s) => s.profile);
+
+  const handleRevokeSession = useCallback(
+    (id: string) => {
+      revokeSession(id);
+    },
+    [revokeSession],
+  );
+
+  useEffect(() => {
+    fetchSessions(1);
+  }, [fetchSessions]);
+
+  return (
+    <div className="relative flex flex-col items-stretch w-full">
+      <div className="p-4">
+        <Breadcrumbs
+          className="pb-2"
+          items={[
+            {
+              href: "/admin",
+              label: "Admin",
+            },
+            {
+              label: "User Sessions",
+            },
+          ]}
+        />
+      </div>
+      <div className="p-4 flex flex-row items-center justify-between">
+        <p className="text-gray-800 dark:text-gray-300">Search...</p>
+        {/* TODO: Filters */}
+      </div>
+
+      <div className="flex-1 overflow-x-auto">
+        <table className="relative min-w-full border-l-0 border border-gray-300 dark:border-gray-700 border-collapse divide-y divide-gray-200 dark:divide-gray-800">
+          {loading && (
+            <div className="absolute inset-0 z-10 flex items-center justify-center bg-white/60 dark:bg-gray-900/60 backdrop-blur-sm">
+              <div className="text-gray-800 dark:text-gray-200 font-medium">
+                Loading...
+              </div>
+            </div>
+          )}
+
+          <thead className="bg-black/5 dark:bg-white/5 text-nowrap">
+            <tr>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                User
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Source
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Status
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Issued At
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Expires At
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Last Active
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Revoked At
+              </th>
+              <th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
+                Actions
+              </th>
+            </tr>
+          </thead>
+          <tbody className="divide-y divide-gray-200 dark:divide-gray-700">
+            {!loading && sessions.length === 0 ? (
+              <tr>
+                <td
+                  colSpan={5}
+                  className="px-6 py-12 text-center text-gray-500 dark:text-gray-400"
+                >
+                  No sessions found.
+                </td>
+              </tr>
+            ) : (
+              sessions.map((session) => (
+                <tr
+                  key={session.id}
+                  className="hover:bg-gray-50 dark:hover:bg-gray-800"
+                >
+                  <td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
+                    <div className="flex flex-row items-center gap-2 justify-start">
+                      {typeof session.user?.profile_picture === "string" && (
+                        <Avatar
+                          avatarId={session.user.profile_picture}
+                          className="w-7 h-7 min-w-7"
+                        />
+                      )}
+
+                      <Link to={`/admin/users/view/${session.user_id}`}>
+                        <p className="cursor-pointer text-blue-500 text-nowrap">
+                          {session.user?.full_name ?? ""}{" "}
+                          {session.user_id === profile?.id ? "(You)" : ""}
+                        </p>
+                      </Link>
+                    </div>
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
+                    <SessionSource deviceInfo={session.device_info} />
+                  </td>
+                  <td className="px-5 py-3 text-sm border border-gray-300 dark:border-gray-700">
+                    <span
+                      className={`inline-block px-2 py-1 text-xs rounded-full font-semibold ${
+                        !session.is_active ||
+                        (session.expires_at &&
+                          moment(session.expires_at).isSameOrBefore(
+                            moment(new Date()),
+                          ))
+                          ? "bg-red-100 text-red-800 dark:bg-red-900 dark:text-red-300"
+                          : "bg-green-100 text-green-800 dark:bg-green-900 dark:text-green-300"
+                      }`}
+                    >
+                      {session.is_active ? "Active" : "Inactive"}
+                      {moment(session.expires_at).isSameOrBefore(
+                        moment(new Date()),
+                      ) && " (Expired)"}
+                    </span>
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {moment(session.issued_at).format("LLLL")}
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {session.expires_at
+                      ? moment(session.expires_at).format("LLLL")
+                      : "never"}
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {session.last_active
+                      ? moment(session.last_active).format("LLLL")
+                      : "never"}
+                  </td>
+                  <td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
+                    {session.revoked_at
+                      ? new Date(session.revoked_at).toLocaleString()
+                      : "never"}
+                  </td>
+                  <td>
+                    <div className="flex flex-row items-center justify-center gap-2">
+                      <Button
+                        variant="contained"
+                        className="bg-red-500 hover:bg-red-600 !px-1.5 !py-1.5"
+                        onClick={() => handleRevokeSession(session.id)}
+                        disabled={revokingId === session.id}
+                      >
+                        <Ban size={18} />
+                      </Button>
+                    </div>
+                  </td>
+                </tr>
+              ))
+            )}
+          </tbody>
+        </table>
+      </div>
+      <Pagination
+        currentPage={page}
+        onPageChange={(newPage) => fetchSessions(newPage)}
+        totalPages={totalPages}
+      />
+    </div>
+  );
+};
+
+export default AdminUserSessionsPage;

web/src/pages/Admin/Users/Create/index.tsx

@@ -4,7 +4,7 @@ import { Input } from "@/components/ui/input";
 import { useUsers } from "@/store/admin/users";
 import { useCallback, type FC } from "react";
 import { useForm } from "react-hook-form";
-import { Link } from "react-router";
+import { Link, useNavigate } from "react-router";
 
 interface FormData {
   fullName: string;
@@ -24,17 +24,22 @@ const AdminCreateUserPage: FC = () => {
 
   const createUser = useUsers((state) => state.createUser);
 
+  const navigate = useNavigate();
+
   const onSubmit = useCallback(
-    (data: FormData) => {
+    async (data: FormData) => {
       console.log("Form submitted:", data);
-      createUser({
+      const success = await createUser({
         email: data.email,
         full_name: data.fullName,
         password: data.password,
         is_admin: data.isAdmin,
       });
+      if (success) {
+        navigate("/admin/users");
+      }
     },
-    [createUser],
+    [createUser, navigate],
   );
 
   return (

web/src/pages/Login/index.tsx

@@ -62,8 +62,9 @@ export default function LoginPage() {
       } catch (err: any) {
         console.log(err);
         setError(
-          "Failed to create account. " +
-            (err.message ?? "Unexpected error happened"),
+          err.response?.data?.error ??
+            err.message ??
+            "Unexpected error happened",
         );
       } finally {
         setLoading(false);

web/src/store/admin/apiServices.ts

@@ -22,7 +22,7 @@ interface IApiServicesState {
 
   fetch: () => Promise<void>;
   fetchSingle: (id: string) => Promise<void>;
-  create: (req: CreateApiServiceRequest) => Promise<void>;
+  create: (req: CreateApiServiceRequest) => Promise<boolean>;
   resetCredentials: () => void;
 
   toggling: boolean;
@@ -117,11 +117,12 @@ export const useApiServices = create<IApiServicesState>((set, get) => ({
 
     try {
       const response = await postApiService(req);
-      set({ createdCredentials: response.credentials });
+      set({ createdCredentials: response.credentials, creating: false });
+      return true;
     } catch (err) {
       console.log("ERR: Failed to fetch services:", err);
-    } finally {
       set({ creating: false });
+      return false;
     }
   },
 }));

web/src/store/admin/serviceSessions.ts

@@ -0,0 +1,59 @@
+import {
+  adminGetServiceSessionsApi,
+  adminRevokeServiceSessionApi,
+} from "@/api/admin/sessions";
+import type { ServiceSession } from "@/types";
+import { create } from "zustand";
+
+export const ADMIN_SERVICE_SESSIONS_PAGE_SIZE = 10;
+
+export interface IServiceSessionsState {
+  items: ServiceSession[];
+  totalPages: number;
+  page: number;
+
+  loading: boolean;
+
+  revokingId: string | null;
+
+  fetch: (page: number) => Promise<void>;
+  revoke: (id: string) => Promise<void>;
+}
+
+export const useServiceSessions = create<IServiceSessionsState>((set, get) => ({
+  items: [],
+  totalPages: 0,
+  page: 1,
+  loading: false,
+  revokingId: null,
+
+  fetch: async (page) => {
+    set({ loading: true, page });
+
+    try {
+      const response = await adminGetServiceSessionsApi({
+        page,
+        size: ADMIN_SERVICE_SESSIONS_PAGE_SIZE,
+      });
+      set({ items: response.items, totalPages: response.total_pages });
+    } catch (err) {
+      console.log("ERR: Failed to fetch admin service sessions:", err);
+    } finally {
+      set({ loading: false });
+    }
+  },
+
+  revoke: async (id) => {
+    set({ revokingId: id });
+
+    try {
+      await adminRevokeServiceSessionApi(id);
+    } catch (err) {
+      console.log("ERR: Failed to revoke service sessions:", err);
+    } finally {
+      set({ revokingId: null });
+      const { fetch, page } = get();
+      await fetch(page);
+    }
+  },
+}));

web/src/store/admin/userSessions.ts

@@ -0,0 +1,59 @@
+import {
+  adminGetUserSessionsApi,
+  adminRevokeUserSessionApi,
+} from "@/api/admin/sessions";
+import type { UserSession } from "@/types";
+import { create } from "zustand";
+
+export const ADMIN_USER_SESSIONS_PAGE_SIZE = 10;
+
+export interface IUserSessionsState {
+  items: UserSession[];
+  totalPages: number;
+  page: number;
+
+  loading: boolean;
+
+  revokingId: string | null;
+
+  fetch: (page: number) => Promise<void>;
+  revoke: (id: string) => Promise<void>;
+}
+
+export const useUserSessions = create<IUserSessionsState>((set, get) => ({
+  items: [],
+  totalPages: 0,
+  page: 1,
+  loading: false,
+  revokingId: null,
+
+  fetch: async (page) => {
+    set({ loading: true, page });
+
+    try {
+      const response = await adminGetUserSessionsApi({
+        page,
+        size: ADMIN_USER_SESSIONS_PAGE_SIZE,
+      });
+      set({ items: response.items, totalPages: response.total_pages });
+    } catch (err) {
+      console.log("ERR: Failed to fetch admin user sessions:", err);
+    } finally {
+      set({ loading: false });
+    }
+  },
+
+  revoke: async (id) => {
+    set({ revokingId: id });
+
+    try {
+      await adminRevokeUserSessionApi(id);
+    } catch (err) {
+      console.log("ERR: Failed to revoke user sessions:", err);
+    } finally {
+      set({ revokingId: null });
+      const { fetch, page } = get();
+      await fetch(page);
+    }
+  },
+}));

web/src/store/admin/users.ts

@@ -15,7 +15,7 @@ export interface IUsersState {
   fetchingCurrent: boolean;
 
   creating: boolean;
-  createUser: (req: CreateUserRequest) => Promise<void>;
+  createUser: (req: CreateUserRequest) => Promise<boolean>;
 
   fetchUsers: () => Promise<void>;
   fetchUser: (id: string) => Promise<void>;
@@ -36,10 +36,12 @@ export const useUsers = create<IUsersState>((set) => ({
     try {
       const response = await postUser(req);
       console.log("INFO: User has been created:", response);
+      set({ creating: false });
+      return true;
     } catch (err) {
       console.log("ERR: Failed to create user:", err);
-    } finally {
       set({ creating: false });
+      return false;
     }
   },
 

web/src/types/index.ts

@@ -31,3 +31,50 @@ export interface ApiServiceCredentials {
   client_id: string;
   client_secret: string;
 }
+
+export interface ServiceSession {
+  id: string;
+  service_id: string;
+  api_service?: ApiService | null;
+  client_id: string;
+  user_id?: string | null;
+  user?: UserProfile | null;
+  issued_at: string;
+  expires_at?: string | null;
+  last_active?: string | null;
+  ip_address?: string | null;
+  user_agent?: string | null;
+  access_token_id?: string | null;
+  refresh_token_id?: string | null;
+  is_active: boolean;
+  revoked_at?: string | null;
+  scope?: string | null;
+  claims: string; // base64 encoded
+}
+
+export interface UserSession {
+  id: string;
+  user_id: string;
+  user?: UserProfile | null;
+  session_type: string; // "user" | "admin"
+  issued_at: string;
+  expires_at?: string | null;
+  last_active?: string | null;
+  ip_address?: string | null;
+  user_agent?: string | null;
+  access_token_id?: string | null;
+  refresh_token_id?: string | null;
+  device_info: string; // base64 encoded
+  is_active: boolean;
+  revoked_at?: string | null;
+}
+
+export interface DeviceInfo {
+  os: string;
+  os_version: string;
+  device_name: string;
+  device_type: string;
+  location: string;
+  browser: string;
+  browser_version: string;
+}