
fix(auth): revoke web sessions on logout #2351

Closed
jeanduplessis wants to merge 5 commits into main from fix/pentest-m2-session-handling

Conversation

@jeanduplessis
Contributor

@jeanduplessis jeanduplessis commented Apr 13, 2026

Summary

Code-related pentest M2 session-handling findings are addressed with scoped web-session revocation and route-level admin authorization checks.

M2: Web session revocation after logout

  • Added kilocode_users.web_session_version; the version is stored in the NextAuth JWT/session at sign-in, and getUserFromAuth rejects requests when the session version no longer matches the database row.
  • Added POST /api/auth/revoke-web-session; it is called from the normal sign-out, auto sign-out, and dev account nuke flows before client-side sign-out.
  • Preserves concurrent browser logins until a revocation event. Logging out from any browser increments the version and invalidates all existing web sessions for that user.
  • Legacy NextAuth JWTs minted before deploy are treated as version 0 while the database row is still 0, avoiding a blanket logout on rollout.
  • Mitigated incident-response risk by rotating web_session_version in user/admin API-token reset flows along with api_token_pepper, so “reset token and sign out everywhere” semantics remain true for web sessions.
  • Kept logout scoped to browser sessions; CLI/device/API tokens are not revoked by normal logout.

M2: Route-level admin API authorization

  • Added route-level getUserFromAuth({ adminOnly: true }) checks to credit category admin API endpoints that previously relied on middleware as the effective auth boundary.

Verification

  • pnpm test -- apps/web/src/lib/web-session-revocation.test.ts
  • pnpm format

Visual Changes

N/A

Reviewer Notes

  • Deploy ordering matters: apply/verify migration 0104_thin_hedge_knight.sql before routing traffic to this web build.
  • Migration is additive: kilocode_users.web_session_version integer DEFAULT 0 NOT NULL.
  • getUserFromAuth rejects stale web sessions when the session version no longer matches the database row.
  • Logout entry points call POST /api/auth/revoke-web-session; endpoint is intentionally idempotent and only increments web session state.
  • API-token reset now increments web_session_version in the same transaction as api_token_pepper rotation.
  • Rollback plan: roll back web code first; additive column can remain.
  • Rollout watchpoints: DB errors mentioning web_session_version, 5xx on /api/auth/revoke-web-session, Reauthentication required 401 spikes, login/signout conversion.

Comment thread apps/web/src/lib/user.server.ts
@kilo-code-bot
Contributor

kilo-code-bot Bot commented Apr 13, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (17 files)
  • apps/web/src/app/(app)/components/SidebarUserFooter.tsx
  • apps/web/src/app/admin/api/credit-categories/[key]/route.ts
  • apps/web/src/app/admin/api/credit-categories/route.ts
  • apps/web/src/app/api/auth/revoke-web-session/route.ts
  • apps/web/src/app/api/cloud-agent/sessions/prepare/route.test.ts
  • apps/web/src/app/auto-signout/page.tsx
  • apps/web/src/components/dev/actions.ts
  • apps/web/src/lib/token.test.ts
  • apps/web/src/lib/user.server.ts
  • apps/web/src/lib/web-session-revocation.test.ts
  • apps/web/src/lib/web-session-revocation.ts
  • apps/web/src/routers/admin-router.ts
  • apps/web/src/routers/user-router.ts
  • apps/web/src/tests/helpers/user.helper.ts
  • apps/web/src/types/next-auth.d.ts
  • packages/db/src/migrations/0104_thin_hedge_knight.sql
  • packages/db/src/schema.ts

Reviewed by gpt-5.4-20260305 · 1,374,800 tokens

@jeanduplessis jeanduplessis force-pushed the fix/pentest-m2-session-handling branch from 135e8ce to 017ce17 Compare April 24, 2026 07:48