
feat(core): tag isCurrent on account api sessions response #8729

Open
simeng-li wants to merge 1 commit into simeng-log-13303-p11-plumb-sessionuid-through-koaoidcauth-into-ctxauth from simeng-log-13304-p12-add-iscurrent-flag-dev-feature-gated-to-get-apimy

@simeng-li
Contributor

Summary

Stacked on #8728 (P1.1). PR base is the P1.1 branch; rebase to master once that lands.

Behind EnvSet.values.isDevFeaturesEnabled, tag the entry in the GET /api/my-account/sessions response whose payload.uid matches the caller's ctx.auth.sessionUid (plumbed by #8728) with isCurrent: true. Other entries get isCurrent: false. The field is optional in userExtendedSessionGuard; when the flag is off the property is omitted entirely, so production responses stay byte-identical to today.

What changed

  • userExtendedSessionGuard (@logto/schemas) gains an optional isCurrent?: boolean.
  • findUserActiveSessionsWithExtensions accepts a new optional currentSessionUid?: string and stamps the flag only when EnvSet.values.isDevFeaturesEnabled.
  • The Account API handler (/api/my-account/sessions) passes ctx.auth.sessionUid to the library.
  • The admin-user listing route is unchanged — admins acting on another user have no "current session" concept, and the new parameter is optional.

Expected result

  • With dev features enabled (non-production): responses include isCurrent: true on the calling session, false on others.
  • In production (flag off): responses are byte-identical to today; the field is absent.

Reviewer notes

  • This is part of a 4-task plan tracked in LOG-13304. A separate cleanup PR will remove the dev-feature guard when the feature is ready to ship; user-facing API docs (P1.4) wait for that.
  • Original P1.3 (integration tests) was merged into this PR per request; integration tests now land alongside the backend change.
  • Closes LOG-13304. Refs GitHub #8681.

Testing

Unit tests, integration tests

Checklist

  • `.changeset`
  • unit tests
  • integration tests
  • necessary TSDoc comments

@github-actions

github-actions Bot commented Apr 28, 2026

COMPARE TO master

Total Size Diff 📈 +5.3 KB

Diff by File
Name Diff
packages/core/src/middleware/koa-auth/koa-oidc-auth.test.ts 📈 +638 Bytes
packages/core/src/middleware/koa-auth/koa-oidc-auth.ts 📈 +30 Bytes
packages/core/src/middleware/koa-auth/types.ts 📈 +206 Bytes
packages/core/src/routes/account/sessions.ts 📈 +275 Bytes
packages/integration-tests/src/api/my-account.ts 📈 +14 Bytes
packages/integration-tests/src/helpers/session.ts 📈 +13 Bytes
packages/integration-tests/src/tests/api/account/session.test.ts 📈 +3.19 KB
packages/schemas/src/types/user-sessions.ts 📈 +988 Bytes

@simeng-li simeng-li requested review from a team April 28, 2026 03:25
@simeng-li simeng-li force-pushed the simeng-log-13304-p12-add-iscurrent-flag-dev-feature-gated-to-get-apimy branch from aa91368 to afb3420 Compare April 28, 2026 03:28
@github-actions github-actions Bot added size/m and removed size/m labels Apr 28, 2026
Contributor

@wangsijie wangsijie left a comment

🤖 PR Review

This PR adds an isCurrent marker to account-session listings behind the dev-features flag and covers the account API path with targeted tests.

  • 🔒 Security: clean
  • 🏗️ Architecture: 0 high, 2 medium
  • 👨‍💻 Engineering: clean

Verdict: ⚠️ Needs attention

Comment thread packages/schemas/src/types/user-sessions.ts Outdated
Comment thread packages/core/src/libraries/session/index.ts Outdated
@simeng-li simeng-li force-pushed the simeng-log-13304-p12-add-iscurrent-flag-dev-feature-gated-to-get-apimy branch from afb3420 to 6db8b94 Compare April 28, 2026 05:49
@github-actions github-actions Bot added size/m and removed size/m labels Apr 28, 2026
@simeng-li simeng-li requested review from a team, charIeszhao and darcyYe and removed request for a team April 28, 2026 05:55
@simeng-li simeng-li force-pushed the simeng-log-13304-p12-add-iscurrent-flag-dev-feature-gated-to-get-apimy branch from 6db8b94 to 84c88ef Compare April 28, 2026 05:57
@simeng-li simeng-li requested a review from xiaoyijun as a code owner April 28, 2026 05:57
@simeng-li simeng-li force-pushed the simeng-log-13303-p11-plumb-sessionuid-through-koaoidcauth-into-ctxauth branch from 8306cbf to 10f30ed Compare April 28, 2026 05:57
@github-actions github-actions Bot added size/m and removed size/m labels Apr 28, 2026
Contributor

@wangsijie wangsijie left a comment

🤖 PR Review

Adds an account-API-only isCurrent flag for session listings behind the dev-features guard, with tests covering the flagged session-selection behavior.

  • 🔒 Security: clean
  • 🏗️ Architecture: clean
  • 👨‍💻 Engineering: 0 high, 1 medium

Verdict: ⚠️ Needs attention

Comment thread packages/core/src/routes/account/sessions.ts
Behind `EnvSet.values.isDevFeaturesEnabled`, tag the entry in the
GET /api/my-account/sessions response whose `payload.uid` matches
the caller's `ctx.auth.sessionUid` with `isCurrent: true`. Other
entries get `isCurrent: false`. The flag is omitted entirely when
dev features are off, so production responses stay byte-identical
to today.

`isCurrent` is account-API-specific. To keep that scoping in the
type contract, the schema introduces a separate
`accountUserExtendedSessionGuard` (extends `userExtendedSessionGuard`)
plus `getAccountUserSessionsResponseGuard`. The shared
`userExtendedSessionGuard` and the admin-user routes that depend on
it are unchanged. The session library is also unchanged — the
`isCurrent` mapping lives entirely in the Account API route handler
where the dev-feature gate and the per-route response shape belong.

Tests:

- Integration tests in `tests/api/account/session.test.ts` cover the
  caller-session-tagged case for single sign-in, multi-session, and
  revoke-then-list. Wrapped with `devFeatureTest.it` so they only run
  when `DEV_FEATURES_ENABLED=true`.

A separate cleanup PR will remove the dev-feature guard once the
feature ships to production. Public docs (P1.4) wait for that.

Refs LOG-13304
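
The tagging rule this commit message describes, as an added TypeScript example that is not part of the PR or of Logto's code base. `tagCurrentSession`, the entry types and the sample uids are hypothetical, and treating a missing caller session uid as "no entry is current" is an assumption of the example.

```typescript
// Added example, not Logto's code. All names here are hypothetical.
type SessionEntry = { payload: { uid: string } };
type AccountSessionEntry = SessionEntry & { isCurrent?: boolean };

function tagCurrentSession(
  sessions: readonly SessionEntry[],
  currentSessionUid: string | undefined,
  devFeaturesEnabled: boolean
): AccountSessionEntry[] {
  // Flag off: copy entries without adding the key at all, so the
  // serialized response is identical to the untagged one.
  if (!devFeaturesEnabled) {
    return sessions.map((session) => ({ ...session }));
  }

  // Flag on: every entry carries an explicit boolean. The comparison is
  // against the server-derived uid of the caller's session only; a
  // missing uid (assumption: a token not bound to a session) must never
  // mark any entry as current.
  return sessions.map((session) => ({
    ...session,
    isCurrent:
      currentSessionUid !== undefined &&
      session.payload.uid === currentSessionUid,
  }));
}

// Constructed sample data for illustration.
const sampleSessions: SessionEntry[] = [
  { payload: { uid: 'uid-a' } },
  { payload: { uid: 'uid-b' } },
];

// Collects the isCurrent values so callers can check the tagging result.
function currentFlags(entries: AccountSessionEntry[]): Array<boolean | undefined> {
  return entries.map((entry) => entry.isCurrent);
}
```
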
@simeng-li simeng-li force-pushed the simeng-log-13303-p11-plumb-sessionuid-through-koaoidcauth-into-ctxauth branch from 10f30ed to 52f33ba Compare April 29, 2026 07:52
@simeng-li simeng-li force-pushed the simeng-log-13304-p12-add-iscurrent-flag-dev-feature-gated-to-get-apimy branch from 84c88ef to 18d4d34 Compare April 29, 2026 07:53
@github-actions github-actions Bot added size/m and removed size/m labels Apr 29, 2026