feat: revoke user sessions above threshold (#8731)

* feat: revoke user sessions above threshold * fix: removed translations from en-US * fix: defined default maxUserSessions in install\data\defaults.json
2025-10-26 08:36:12 +01:00 · 2020-10-08 23:33:18 +02:00
parent 4a63c20a72
commit b3ed26ac2c
4 changed files with 20 additions and 1 deletions
--- a/install/data/defaults.json
+++ b/install/data/defaults.json
@@ -133,5 +133,6 @@
    "timeagoCutoff": 30,
    "necroThreshold": 7,
    "categoryWatchState": "watching",
-    "submitPluginUsage": 1
+    "submitPluginUsage": 1,
+    "maxUserSessions": 10
 }
--- a/public/language/en-GB/admin/settings/cookies.json
+++ b/public/language/en-GB/admin/settings/cookies.json
@@ -8,5 +8,6 @@
 	"consent.blank-localised-default": "Leave blank to use NodeBB localised defaults",
 	"settings": "Settings",
 	"cookie-domain": "Session cookie domain",
+	"max-user-sessions": "Max active sessions per user",
 	"blank-default": "Leave blank for default"
 }
--- a/src/user/auth.js
+++ b/src/user/auth.js
@@ -107,9 +107,18 @@ module.exports = function (User) {
 			return;
 		}
 		await cleanExpiredSessions(uid);
+		await revokeSessionsAboveThreshold(uid, meta.config.maxUserSessions);
 		await db.sortedSetAdd('uid:' + uid + ':sessions', Date.now(), sessionId);
 	};

+	async function revokeSessionsAboveThreshold(uid, maxUserSessions) {
+		const activeSessions = await db.getSortedSetRange('uid:' + uid + ':sessions', 0, -1);
+		if (activeSessions.length > maxUserSessions) {
+			const sessionsToRevoke = activeSessions.slice(0, activeSessions.length - maxUserSessions);
+			await Promise.all(sessionsToRevoke.map(sessionId => User.auth.revokeSession(sessionId, uid)));
+		}
+	}
+
 	User.auth.revokeSession = async function (sessionId, uid) {
 		winston.verbose('[user.auth] Revoking session ' + sessionId + ' for user ' + uid);
 		const sessionObj = await getSessionFromStore(sessionId);
--- a/src/views/admin/settings/cookies.tpl
+++ b/src/views/admin/settings/cookies.tpl
@@ -53,6 +53,14 @@
 				</p>
 			</div>

+			<div class="form-group">
+				<label for="maxUserSessions">[[admin/settings/cookies:max-user-sessions]]</label>
+				<input class="form-control" id="maxUserSessions" type="number" placeholder="10" data-field="maxUserSessions" /><br />
+				<p class="help-block">
+					[[admin/settings/cookies:blank-default]]
+				</p>
+			</div>
+
 			<div class="form-group">
 				<button id="delete-all-sessions" class="btn btn-danger">Revoke All Sessions</button>
 				<p class="help-block">