SessionAdminService
Component Detail
Description
Backend service that exposes admin-scoped endpoints for listing and revoking authenticated sessions. Delegates token invalidation to the Authentication Module's admin revocation API and emits a structured audit event to the Audit Log for every revocation action. Enforces organization-level scoping so administrators can only act on sessions belonging to their own organization.
session-admin-service
Sources & reasoning
Line 208 lists admin-initiated session revocation as an explicit core capability of the Authentication Module. Line 276 describes the session lifecycle - sessions end cleanly when the refresh chain is broken - which requires an admin surface to trigger that break on demand. Admin-security is always-on for the Admin Web Portal MVP, confirming this feature ships at launch.
- docs/source/likeperson.md · line 208: "Session revocation (sign-out, forced expiry, admin-initiated)"
- docs/source/likeperson.md · line 276: "sessions survive silently across token expiry and end cleanly when the refresh chain is broken"
Responsibilities
- Query the authentication store for all active sessions scoped to the requesting admin's organization
- Call the Authentication Module's admin-initiated revocation API for single-session and bulk-user revocation
- Write a revocation audit event (actor, target session/user, timestamp, IP) to the Audit Log on every successful revocation
- Validate that the requesting administrator has the required org-admin permission before any operation
- Return structured session DTOs including device type, login time, last activity, and IP address
Interfaces
listOrgSessions(orgId, adminId): Promise<SessionDto[]>
revokeSession(sessionId, adminId): Promise<AuditRef>
revokeAllUserSessions(userId, adminId): Promise<AuditRef[]>
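The three interfaces above, as an added TypeScript example that is not the project's own code: an in-memory SessionAdminService that checks the org-admin role before every operation, resolves session ids only within the caller's organization, and writes the audit event only after the Authentication Module's revoke call succeeds. Methods are synchronous here rather than Promise-returning, and SessionDto, Admin, AuditRef, the AuthModule stand-in and the sample sessions are constructed assumptions.

```typescript
type SessionDto = { id: string; userId: string; orgId: string; device: string;
  loginTime: number; lastActivity: number; ip: string };
type Admin = { id: string; orgId: string; roles: string[] };
type AuditRef = { actor: string; targetSession: string; targetUser: string; ip: string; timestamp: number };
// Stand-in for the Authentication Module's admin revocation API (assumed shape).
interface AuthModule { listSessions(orgId: string): SessionDto[]; revoke(sessionId: string): void; }
class SessionAdminService {
  private audit: AuditRef[] = [];
  constructor(private auth: AuthModule, private admins: Map<string, Admin>) {}
  // Every operation starts here: without the org-admin role nothing is allowed.
  private requireOrgAdmin(adminId: string): Admin {
    const admin = this.admins.get(adminId);
    if (!admin || !admin.roles.includes("org-admin")) throw new Error("forbidden");
    return admin;
  }
  listOrgSessions(orgId: string, adminId: string): SessionDto[] {
    const admin = this.requireOrgAdmin(adminId);
    if (admin.orgId !== orgId) throw new Error("forbidden"); // no cross-org listing
    return this.auth.listSessions(orgId);
  }
  revokeSession(sessionId: string, adminId: string): AuditRef {
    const admin = this.requireOrgAdmin(adminId);
    // Resolve the id only inside the admin's org: a foreign id looks nonexistent and is never revoked.
    const s = this.auth.listSessions(admin.orgId).find(x => x.id === sessionId);
    if (!s) throw new Error("not found");
    this.auth.revoke(s.id);
    const ref: AuditRef = { actor: adminId, targetSession: s.id, targetUser: s.userId,
      ip: s.ip, timestamp: Date.now() }; // ip is the revoked session's address
    this.audit.push(ref); // written only after the revocation succeeded
    return ref;
  }
  revokeAllUserSessions(userId: string, adminId: string): AuditRef[] {
    const admin = this.requireOrgAdmin(adminId);
    return this.auth.listSessions(admin.orgId).filter(x => x.userId === userId)
      .map(x => this.revokeSession(x.id, adminId));
  }
  auditLog(): readonly AuditRef[] { return this.audit; }
}
// Constructed sample data: two orgs, one org-admin and one plain user in org A.
const sessions: SessionDto[] = [
  { id: "s1", userId: "u1", orgId: "A", device: "web", loginTime: 1, lastActivity: 2, ip: "10.0.0.1" },
  { id: "s2", userId: "u1", orgId: "A", device: "ios", loginTime: 1, lastActivity: 3, ip: "10.0.0.2" },
  { id: "s3", userId: "u2", orgId: "B", device: "web", loginTime: 1, lastActivity: 4, ip: "10.0.0.3" },
];
const auth: AuthModule = { listSessions: orgId => sessions.filter(s => s.orgId === orgId),
  revoke: id => { const i = sessions.findIndex(s => s.id === id); if (i >= 0) sessions.splice(i, 1); } };
const admins = new Map<string, Admin>([["adminA", { id: "adminA", orgId: "A", roles: ["org-admin"] }],
  ["userA", { id: "userA", orgId: "A", roles: [] }]]);
const service = new SessionAdminService(auth, admins);
```

A request for a session id outside the caller's organization fails with "not found" rather than "forbidden", so the response does not confirm that the id exists elsewhere.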
Related Data Entities (4)
Data entities managed by this component