feat(auth/sessions): list-all gate + revoke-all-except-current (MED-1/2/3)

Audit 2026-05-10 Fix 13 Phase A — close MED-1, MED-2, MED-3. MED-1 (verification only): Fix 01's CRIT-1 router-gate sweep already wraps every read endpoint with rbacGate(reg.Checker, '<resource>.read', ...). Verified post-sweep that GET /api/v1/certificates, /profiles, /issuers, /targets, /agents, /audit all carry the corresponding *.read permission gate. MED-2: ListSessions now gates ?actor_id=<other> on auth.session.list.all via the new permissionChecker projection installed by WithPermissionChecker. cmd/server/main.go threads the existing authCheckerAdapter into the handler. When caller's actor_id != caller.ActorID AND the handler has a checker, an inline CheckPermission(..., 'auth.session.list.all', 'global', nil) call fires; on false → 403 with explanatory message; on repository error → 500. Defense-in-depth: the router-level rbacGate enforces auth.session.list as the floor; the .list.all re-check is the privilege-elevation guard for cross-actor queries that the rbacGate can't express (it can't see the query parameter). MED-3: ship DELETE /api/v1/auth/sessions?except=current — the 'sign out all other sessions' flow. Gated by auth.session.revoke; the handler reads the caller's current session ID from session.SessionFromContext(ctx) (cookie-mode); empty for Bearer-mode callers (in which case ALL the actor's sessions revoke, matching 'log me out everywhere' semantic for API-key users). New repository method SessionRepository.RevokeAllExceptForActor: UPDATE sessions SET revoked_at = NOW() WHERE actor_id = AND actor_type = AND tenant_id = AND revoked_at IS NULL AND id != returning rowcount. Added to the interface in internal/repository/session.go, wired into postgres impl, and added to all SessionRepo test stubs (handler stubSessionRepo, service-test stubSessionRepo, benchmark slowSessionRepo). The session.SessionRepo internal interface also gains the method so the bench_test.go forwarder compiles. Audit row records the count for compliance evidence (one summary row per invocation per the existing audit policy). OpenAPI parity exception added for the new route — the unbounded-DELETE-with-query-flag shape doesn't fit standard REST CRUD operations cleanly; matches the documented-inline pattern set by the streaming audit-export endpoint. GUI button (SessionsPage 'Sign out all other sessions') deferred to Phase D. Refs: cowork/auth-bundles-audit-2026-05-10.md MED-1, MED-2, MED-3 Spec: cowork/auth-bundles-fixes-2026-05-10/13-med-bundle.md Phase A
2026-06-07 13:51:36 +00:00 · 2026-05-10 21:49:35 +00:00
parent 912ec3f547
commit ba0959ddc7
10 changed files with 168 additions and 15 deletions
@@ -180,6 +180,27 @@ func (r *SessionRepository) RevokeAllForActor(ctx context.Context, actorID, acto
 	return nil
 }

+// RevokeAllExceptForActor sets revoked_at = NOW() on every active
+// session for an actor EXCEPT the named exceptSessionID. Returns the
+// count of rows revoked. Audit 2026-05-10 MED-3 closure — backs the
+// "Sign out all other sessions" flow on SessionsPage. exceptSessionID
+// is the caller's current session ID (read from context); passing
+// empty exceptID falls through to RevokeAllForActor semantics
+// (revoke literally all).
+func (r *SessionRepository) RevokeAllExceptForActor(ctx context.Context, actorID, actorType, tenantID, exceptSessionID string) (int, error) {
+	res, err := r.db.ExecContext(ctx, `
+		UPDATE sessions SET revoked_at = NOW()
+		WHERE actor_id = $1 AND actor_type = $2 AND tenant_id = $3
+		  AND revoked_at IS NULL
+		  AND id != $4`,
+		actorID, actorType, tenantID, exceptSessionID)
+	if err != nil {
+		return 0, fmt.Errorf("sessions revoke_all_except_for_actor: %w", err)
+	}
+	n, _ := res.RowsAffected()
+	return int(n), nil
+}
+
 // GarbageCollectExpired deletes:
 //   - Sessions whose absolute_expires_at < NOW() (post-login expired).
 //   - Pre-login sessions older than 10 minutes.
@@ -77,6 +77,12 @@ type SessionRepository interface {
 	// the back-channel logout endpoint (Phase 5).
 	RevokeAllForActor(ctx context.Context, actorID, actorType, tenantID string) error

+	// RevokeAllExceptForActor sets revoked_at = NOW() on every active
+	// session for an actor EXCEPT the named exceptSessionID. Returns
+	// the count of rows revoked. Audit 2026-05-10 MED-3 closure —
+	// backs the "Sign out all other sessions" SessionsPage button.
+	RevokeAllExceptForActor(ctx context.Context, actorID, actorType, tenantID, exceptSessionID string) (int, error)
+
 	// GarbageCollectExpired deletes sessions whose absolute expiry
 	// has passed AND whose revoked_at is older than the configurable
 	// retention window (default 24h). Pre-login rows older than the