Revocable sessions (#3616)

* feat: Revocable sessions

* fix: Tests using sign_in

* feat: Configuration entry for the maximum number of session activations

2 files changed, 21 insertions, 0 deletions

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 4754c2c8c..6d3a73ef6 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -1,3 +1,19 @@
+Warden::Manager.after_set_user except: :fetch do |user, warden|
+  SessionActivation.deactivate warden.raw_session['auth_id']
+  warden.raw_session['auth_id'] = user.activate_session
+end
+
+Warden::Manager.after_fetch do |user, warden|
+  unless user.session_active?(warden.raw_session['auth_id'])
+    warden.logout
+    throw :warden, message: :unauthenticated
+  end
+end
+
+Warden::Manager.before_logout do |_, warden|
+  SessionActivation.deactivate warden.raw_session['auth_id']
+end
+
 Devise.setup do |config|
   config.warden do |manager|
     manager.default_strategies(scope: :user).unshift :two_factor_authenticatable
diff --git a/config/initializers/session_activations.rb b/config/initializers/session_activations.rb
new file mode 100644
index 000000000..ff3efc852
--- /dev/null
+++ b/config/initializers/session_activations.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+Rails.application.configure do
+  config.x.max_session_activations = ENV['MAX_SESSION_ACTIVATIONS'] || 10
+end