Refactor sessions route: remove excess logging and extract helpers for clarity and maintainability.

brandonkachen · codebuff-team · brandonkachen · commit e56acf0f2484 · 2025-08-25T15:50:38.000-07:00
🤖 Generated with Codebuff
Co-Authored-By: Codebuff &lt;noreply@codebuff.com&gt;
diff --git a/web/src/app/api/sessions/route.ts b/web/src/app/api/sessions/route.ts
@@ -1,10 +1,104 @@
-import { NextResponse, NextRequest } from 'next/server'
-import { getServerSession } from 'next-auth'
 import db from '@codebuff/common/db'
 import * as schema from '@codebuff/common/db/schema'
 import { and, eq, inArray } from 'drizzle-orm'
-import { sha256 } from '@/lib/crypto'
+import { NextResponse } from 'next/server'
+import { getServerSession } from 'next-auth'
+
 import { authOptions } from '@/app/api/auth/[...nextauth]/auth-options'
+import { sha256 } from '@/lib/crypto'
+import { logger } from '@/util/logger'
+
+import type { NextRequest } from 'next/server'
+
+// Helper: revoke web/cli sessions for a user
+async function revokeStandardSessions(
+  userId: string,
+  providedSessionIds: string[]
+) {
+  // Load user sessions (token, type, fingerprint)
+  const userSessions = await db
+    .select({
+      sessionToken: schema.session.sessionToken,
+      type: schema.session.type,
+      fingerprintId: schema.session.fingerprint_id,
+    })
+    .from(schema.session)
+    .where(eq(schema.session.userId, userId))
+
+  // Map provided ids which may be raw tokens or sha256(token)
+  const tokenSet = new Set(userSessions.map((s) => s.sessionToken))
+  const hashToToken = new Map(
+    userSessions.map((s) => [sha256(s.sessionToken), s.sessionToken] as const)
+  )
+
+  const tokensToDelete: string[] = []
+  for (const provided of providedSessionIds) {
+    if (tokenSet.has(provided)) tokensToDelete.push(provided)
+    else {
+      const mapped = hashToToken.get(provided)
+      if (mapped) tokensToDelete.push(mapped)
+    }
+  }
+
+  if (tokensToDelete.length === 0) return 0
+
+  // Restrict to web/cli sessions only
+  const sessionsToDelete = userSessions.filter(
+    (s) =>
+      tokensToDelete.includes(s.sessionToken) &&
+      (s.type === 'web' || s.type === 'cli')
+  )
+
+  const cliFingerprintIds = Array.from(
+    new Set(
+      sessionsToDelete
+        .filter((s) => s.type === 'cli' && s.fingerprintId)
+        .map((s) => s.fingerprintId!)
+    )
+  )
+
+  // Unclaim CLI fingerprints and delete sessions in a single transaction
+  const deleted = await db.transaction(async (tx) => {
+    if (cliFingerprintIds.length > 0) {
+      await tx
+        .update(schema.fingerprint)
+        .set({ sig_hash: null })
+        .where(inArray(schema.fingerprint.id, cliFingerprintIds))
+    }
+
+    const del = await tx
+      .delete(schema.session)
+      .where(
+        and(
+          eq(schema.session.userId, userId),
+          inArray(schema.session.sessionToken, tokensToDelete),
+          // Explicitly restrict to web/cli to avoid PATs here
+          inArray(schema.session.type, ['web', 'cli'] as any)
+        )
+      )
+      .returning({ sessionToken: schema.session.sessionToken })
+
+    return del.length
+  })
+
+  return deleted
+}
+
+// Helper: revoke PAT tokens for a user
+async function revokeApiTokens(userId: string, tokenIds: string[]) {
+  if (!tokenIds || tokenIds.length === 0) return 0
+  const result = await db
+    .delete(schema.session)
+    .where(
+      and(
+        eq(schema.session.userId, userId),
+        eq(schema.session.type, 'pat'),
+        inArray(schema.session.sessionToken, tokenIds)
+      )
+    )
+    .returning({ sessionToken: schema.session.sessionToken })
+  return result.length
+}
 
 // DELETE /api/sessions
 // Body: { sessionIds?: string[]; tokenIds?: string[] }
@@ -22,76 +116,32 @@ export async function DELETE(req: NextRequest) {
       .json()
       .catch(() => ({}) as any)
 
+    const userId = session.user.id
+
     if (
       (!sessionIds || sessionIds.length === 0) &&
       (!tokenIds || tokenIds.length === 0)
     ) {
       return NextResponse.json({ revokedSessions: 0, revokedTokens: 0 })
     }
 
-    const userId = session.user.id
     let revokedSessions = 0
     let revokedTokens = 0
 
-    // 1) Map provided sessionIds (raw token or sha256(token)) to actual session tokens
     if (sessionIds && sessionIds.length > 0) {
-      const userSessions = await db
-        .select({
-          sessionToken: schema.session.sessionToken,
-          type: schema.session.type,
-        })
-        .from(schema.session)
-        .where(eq(schema.session.userId, userId))
-
-      const tokenSet = new Set(userSessions.map((s) => s.sessionToken))
-      const hashToToken = new Map(
-        userSessions.map(
-          (s) => [sha256(s.sessionToken), s.sessionToken] as const
-        )
-      )
-
-      const tokensToDelete: string[] = []
-      for (const provided of sessionIds) {
-        if (tokenSet.has(provided)) {
-          tokensToDelete.push(provided)
-        } else {
-          const mapped = hashToToken.get(provided)
-          if (mapped) tokensToDelete.push(mapped)
-        }
-      }
-
-      if (tokensToDelete.length > 0) {
-        const result = await db
-          .delete(schema.session)
-          .where(
-            and(
-              eq(schema.session.userId, userId),
-              eq(schema.session.type, 'web'), // do not delete PATs here
-              inArray(schema.session.sessionToken, tokensToDelete)
-            )
-          )
-          .returning({ sessionToken: schema.session.sessionToken })
-        revokedSessions = result.length
-      }
+      revokedSessions = await revokeStandardSessions(userId, sessionIds)
     }
 
-    // 2) Revoke API key tokens (PATs) by id (full token string)
     if (tokenIds && tokenIds.length > 0) {
-      const result = await db
-        .delete(schema.session)
-        .where(
-          and(
-            eq(schema.session.userId, userId),
-            eq(schema.session.type, 'pat'),
-            inArray(schema.session.sessionToken, tokenIds)
-          )
-        )
-        .returning({ sessionToken: schema.session.sessionToken })
-      revokedTokens = result.length
+      revokedTokens = await revokeApiTokens(userId, tokenIds)
     }
 
     return NextResponse.json({ revokedSessions, revokedTokens })
   } catch (e: any) {
+    logger.error(
+      { error: e?.message ?? String(e), stack: e?.stack },
+      'Error in DELETE /api/sessions'
+    )
     return new NextResponse(e?.message ?? 'Internal error', { status: 500 })
   }
 }
