feat(auth): add device session tracking with configurable limits

Track authenticated sessions per device (parsing user-agent for desktop
vs mobile via mileusna/useragent), enforce configurable concurrent device
limits (Auth.DeviceLimits), and surface device status and "remove other
devices" management in the account dialog. Adds device/session context to
the auth module stores and exposes limits through the API.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-11 01:01:54 +08:00
parent 875fff825c
commit 58f11302fe
32 changed files with 1783 additions and 253 deletions
@@ -15,6 +15,10 @@ type bearerAuthenticator interface {
UserIDFromBearer(ctx context.Context, authorization string) (string, bool)
}
type bearerIdentityAuthenticator interface {
IdentityFromBearer(ctx context.Context, authorization string) (authmodule.Identity, bool)
}
type profileAuthenticator interface {
GetProfile(ctx context.Context, userID string) (authmodule.User, error)
}
@@ -30,10 +34,22 @@ func UserContextMiddleware(authenticator bearerAuthenticator, shareAuthorizers .
}
return func(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
ctx := authmodule.ContextWithRequestMetadata(r.Context(), authmodule.RequestMetadata{
UserAgent: r.Header.Get("User-Agent"),
Platform: r.Header.Get("Sec-CH-UA-Platform"),
Mobile: r.Header.Get("Sec-CH-UA-Mobile"),
})
userID := ""
sessionID := ""
authenticated := false
if authenticator != nil {
if tokenUserID, ok := userIDFromRequestAuth(r.Context(), r, authenticator); ok {
if identityAuthenticator, ok := authenticator.(bearerIdentityAuthenticator); ok {
if identity, valid := identityAuthenticator.IdentityFromBearer(ctx, r.Header.Get("Authorization")); valid {
userID = identity.UserID
sessionID = identity.SessionID
authenticated = true
}
} else if tokenUserID, ok := userIDFromRequestAuth(ctx, r, authenticator); ok {
userID = tokenUserID
authenticated = true
}
@@ -41,7 +57,7 @@ func UserContextMiddleware(authenticator bearerAuthenticator, shareAuthorizers .
actor := sharingmodule.Actor{Authenticated: authenticated, UserID: userID}
if authenticated && requestUsesShareAccess(r) {
if profiles, ok := authenticator.(profileAuthenticator); ok {
profile, err := profiles.GetProfile(r.Context(), userID)
profile, err := profiles.GetProfile(ctx, userID)
if err != nil {
writeAuthRequired(w)
return
@@ -54,7 +70,8 @@ func UserContextMiddleware(authenticator bearerAuthenticator, shareAuthorizers .
}
}
ctx := sharingmodule.ContextWithActor(r.Context(), actor)
ctx = sharingmodule.ContextWithActor(ctx, actor)
ctx = authmodule.ContextWithSessionID(ctx, sessionID)
ctx = design.ContextWithUserID(ctx, userID)
shareAuthorized := false
shareID := strings.TrimSpace(r.Header.Get("X-Share-Id"))