refactor(sessions): drop custom CSRF checks; migrate to NextAuth server session for authentication to align with API keys route and reduce surface area.

🤖 Generated with Codebuff
Co-Authored-By: Codebuff <noreply@codebuff.com>

Author: brandonkachen

web/src/app/api/sessions/route.ts

@@ -5,37 +5,27 @@ import * as schema from '@codebuff/common/db/schema'
 import { and, eq, inArray } from 'drizzle-orm'
 import { sha256 } from '@/lib/crypto'
 import { authOptions } from '@/app/api/auth/[...nextauth]/auth-options'
-import { siteConfig } from '@/lib/constant'
-
-function isSameOrigin(request: NextRequest) {
-  try {
-    const base = new URL(siteConfig.url()).origin
-    const origin = request.headers.get('origin')
-    const referer = request.headers.get('referer')
-    if (origin && new URL(origin).origin === base) return true
-    if (referer && new URL(referer).origin === base) return true
-  } catch {}
-  return false
-}
 
 // DELETE /api/sessions
 // Body: { sessionIds?: string[]; tokenIds?: string[] }
 export async function DELETE(req: NextRequest) {
   try {
-    if (!isSameOrigin(req)) {
-      return new NextResponse('Forbidden', { status: 403 })
-    }
-
     const session = await getServerSession(authOptions)
     if (!session?.user?.id) {
       return new NextResponse('Unauthorized', { status: 401 })
     }
 
-    const { sessionIds, tokenIds }: { sessionIds?: string[]; tokenIds?: string[] } = await req
+    const {
+      sessionIds,
+      tokenIds,
+    }: { sessionIds?: string[]; tokenIds?: string[] } = await req
       .json()
-      .catch(() => ({} as any))
+      .catch(() => ({}) as any)
 
-    if ((!sessionIds || sessionIds.length === 0) && (!tokenIds || tokenIds.length === 0)) {
+    if (
+      (!sessionIds || sessionIds.length === 0) &&
+      (!tokenIds || tokenIds.length === 0)
+    ) {
       return NextResponse.json({ revokedSessions: 0, revokedTokens: 0 })
     }
 
@@ -46,13 +36,18 @@ export async function DELETE(req: NextRequest) {
     // 1) Map provided sessionIds (raw token or sha256(token)) to actual session tokens
     if (sessionIds && sessionIds.length > 0) {
       const userSessions = await db
-        .select({ sessionToken: schema.session.sessionToken, type: schema.session.type })
+        .select({
+          sessionToken: schema.session.sessionToken,
+          type: schema.session.type,
+        })
         .from(schema.session)
         .where(eq(schema.session.userId, userId))
 
       const tokenSet = new Set(userSessions.map((s) => s.sessionToken))
       const hashToToken = new Map(
-        userSessions.map((s) => [sha256(s.sessionToken), s.sessionToken] as const),
+        userSessions.map(
+          (s) => [sha256(s.sessionToken), s.sessionToken] as const
+        )
       )
 
       const tokensToDelete: string[] = []
@@ -72,8 +67,8 @@ export async function DELETE(req: NextRequest) {
             and(
               eq(schema.session.userId, userId),
               eq(schema.session.type, 'web'), // do not delete PATs here
-              inArray(schema.session.sessionToken, tokensToDelete),
-            ),
+              inArray(schema.session.sessionToken, tokensToDelete)
+            )
           )
           .returning({ sessionToken: schema.session.sessionToken })
         revokedSessions = result.length
@@ -88,8 +83,8 @@ export async function DELETE(req: NextRequest) {
           and(
             eq(schema.session.userId, userId),
             eq(schema.session.type, 'pat'),
-            inArray(schema.session.sessionToken, tokenIds),
-          ),
+            inArray(schema.session.sessionToken, tokenIds)
+          )
         )
         .returning({ sessionToken: schema.session.sessionToken })
       revokedTokens = result.length