Problem
Current session model includes:
deviceId: { type: String, required: true },
ip: String,
userAgent: String,
lastActiveAt: { type: Date, default: Date.now }
But the deviceId strategy is incomplete for production use.
Browsers do not expose a true hardware device ID, so we need a secure production-grade solution for:
- Device identification
- Active session tracking
- Session management
- Logout from current device
- Logout from all devices
- Device location metadata
- Suspicious login detection
- Token/session invalidation
Proposed Solution
Implement a proper device/session management system.
Add fields to session model
userId
sessionId
deviceId
deviceName
browser
os
ip
location
userAgent
refreshTokenHash
isActive
lastActiveAt
createdAt
Device Identification
Use fingerprint-based device identification instead of hardware device IDs.
Evaluate:
- FingerprintJS
- UUID + trusted device registration
- Hybrid fingerprint + session-based approach
Required Features
Active Sessions
Users should see:
- Current device
- Other logged-in devices
- Last active timestamp
- IP
- Approximate location
- Browser / OS
Logout Support
Implement:
- Logout current device
- Logout single selected device
- Logout all devices
This should revoke refresh tokens and invalidate sessions server-side.
Location Support
Add approximate geo lookup from IP:
Possible providers:
- MaxMind
- ipapi
- mmdb-lib
- ipinfo
Store:
Security Considerations
Need protection for:
- Refresh token theft
- Session hijacking
- Suspicious IP change
- Device spoofing
- Stolen persistent sessions
Consider:
- Hashed refresh tokens
- Session rotation
- Device trust flags
- Risk detection
API Endpoints Needed
GET /sessions
DELETE /sessions/current
DELETE /sessions/:id
DELETE /sessions/logout-all
Acceptance Criteria
- Production-grade device identification implemented
- Multi-device session tracking works
- Active sessions visible to users
- Logout current device works
- Logout all devices works
- Location metadata stored
- Refresh token revocation implemented
- Security review completed
Notes
This should be designed similarly to:
Google Account device sessions
GitHub active sessions
Discord session management