Service Layer · medium complexity · backend

Dependencies: 0 · Dependents: 0 · Entities: 6 · Integrations: 0

Description

Backend service that exposes administrative operations over the session lifecycle without owning the authentication internals. It coordinates with the Authentication Module to invalidate refresh token chains when sessions are forcibly terminated, and it enforces scoped access rules so that org admins can act only within their own organization.

Feature: Session Management

session-management-service

Sources & reasoning

Line 207 explicitly names admin-initiated session revocation as an auth module capability, and line 259 requires organizations to be able to revoke Global Admin support access immediately on demand. admin-security is always-on (line 241), fixing target release at MVP. Session Management is the admin surface that exposes the auth module's revocation capability; without it, the revocation requirement from line 259 cannot be fulfilled.

  • docs/source/likeperson.md · line 207
    Session revocation (sign-out, forced expiry, admin-initiated)
  • docs/source/likeperson.md · line 259
    Orgs can grant a Global Admin *time-bounded* support access via a flag in Organization Settings (e.g. "Allow Norse support access until {date}"); revoking the flag or hitting the expiry immediately removes access.

Responsibilities

  • List all active sessions for a given user, scoped to the requesting admin's organization
  • Terminate a single session and invalidate its associated refresh token chain
  • Terminate all sessions for a user and invalidate all associated refresh token chains
  • Manage Global Admin support access grants including creation, time-bounding, and immediate revocation
  • Enforce authorization rules so org admins cannot act outside their organization boundary

Interfaces

getActiveSessions(userId: string, adminContext: AdminContext): Promise<Session[]>
terminateSession(sessionId: string, adminContext: AdminContext): Promise<void>
terminateAllSessions(userId: string, adminContext: AdminContext): Promise<void>
createSupportAccessGrant(userId: string, expiresAt: Date): Promise<SupportAccessGrant>
revokeSupportAccessGrant(grantId: string, adminContext: AdminContext): Promise<void>
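The following is an added illustration, not the project's own code: an in-memory implementation of the interfaces above that shows the two security-relevant behaviours, the org-boundary check on every admin action and the hand-off to the Authentication Module for refresh-chain invalidation. The AdminContext shape, the AdminRole values, the RefreshChainInvalidator seam, the hasSupportAccess check and the extra adminContext parameter on createSupportAccessGrant are all assumptions made for the example.

```typescript
// Added example (not the project's code). Store shapes, AdminRole values,
// RefreshChainInvalidator and the extra adminContext on createSupportAccessGrant
// are assumptions; the real service would back these maps with its own store.

type AdminRole = "org_admin" | "global_admin";

interface AdminContext {
  adminId: string;
  orgId: string;   // organization the admin belongs to
  role: AdminRole;
}

interface Session {
  sessionId: string;
  userId: string;
  orgId: string;
  refreshChainId: string; // every refresh token rotated from one login shares this id
  active: boolean;
}

interface SupportAccessGrant {
  grantId: string;
  userId: string;   // the Global Admin receiving support access
  orgId: string;    // the organization granting it
  expiresAt: Date;
  revokedAt: Date | null;
}

// Assumed seam into the Authentication Module: it owns token internals, so this
// service only asks it to invalidate a whole refresh chain.
interface RefreshChainInvalidator {
  invalidateChain(chainId: string): void;
}

class NotFoundError extends Error {
  constructor(message: string) { super(message); this.name = "NotFoundError"; }
}

class SessionManagementService {
  private readonly sessions = new Map<string, Session>();
  private readonly grants = new Map<string, SupportAccessGrant>();
  private readonly userOrg = new Map<string, string>(); // userId -> orgId
  private nextGrantId = 1;

  constructor(private readonly auth: RefreshChainInvalidator) {}

  // Constructed seed data standing in for the real session store.
  seedSession(s: Session): void {
    this.sessions.set(s.sessionId, s);
    this.userOrg.set(s.userId, s.orgId);
  }

  // Org admins may act only on their own org; Global Admins are unscoped.
  private inScope(ctx: AdminContext, orgId: string): boolean {
    return ctx.role === "global_admin" || ctx.orgId === orgId;
  }

  // Out-of-scope resources are reported exactly like missing ones, so an org
  // admin cannot use the error response to probe other organizations' sessions.
  private requireSession(sessionId: string, ctx: AdminContext): Session {
    const s = this.sessions.get(sessionId);
    if (s === undefined || !this.inScope(ctx, s.orgId)) throw new NotFoundError(`session ${sessionId} not found`);
    return s;
  }

  private requireUser(userId: string, ctx: AdminContext): void {
    const orgId = this.userOrg.get(userId);
    if (orgId === undefined || !this.inScope(ctx, orgId)) throw new NotFoundError(`user ${userId} not found`);
  }

  async getActiveSessions(userId: string, ctx: AdminContext): Promise<Session[]> {
    this.requireUser(userId, ctx);
    return Array.from(this.sessions.values()).filter((s) => s.userId === userId && s.active);
  }

  async terminateSession(sessionId: string, ctx: AdminContext): Promise<void> {
    const s = this.requireSession(sessionId, ctx);
    s.active = false;
    this.auth.invalidateChain(s.refreshChainId); // every refresh token of that login dies with it
  }

  async terminateAllSessions(userId: string, ctx: AdminContext): Promise<void> {
    this.requireUser(userId, ctx);
    this.sessions.forEach((s) => {
      if (s.userId === userId && s.active) {
        s.active = false;
        this.auth.invalidateChain(s.refreshChainId);
      }
    });
  }

  // Assumption: the granting admin's context is passed so the grant is bound to their org.
  async createSupportAccessGrant(userId: string, expiresAt: Date, ctx: AdminContext): Promise<SupportAccessGrant> {
    if (expiresAt.getTime() <= Date.now()) throw new RangeError("expiresAt must be in the future");
    const grant: SupportAccessGrant = { grantId: `grant-${this.nextGrantId++}`, userId, orgId: ctx.orgId, expiresAt, revokedAt: null };
    this.grants.set(grant.grantId, grant);
    return grant;
  }

  async revokeSupportAccessGrant(grantId: string, ctx: AdminContext): Promise<void> {
    const g = this.grants.get(grantId);
    if (g === undefined || !this.inScope(ctx, g.orgId)) throw new NotFoundError(`grant ${grantId} not found`);
    g.revokedAt = new Date();
  }

  // Check the rest of the platform would call on each support action: access is
  // valid only while unrevoked and unexpired, which is what makes revocation immediate.
  hasSupportAccess(userId: string, orgId: string, now: Date = new Date()): boolean {
    return Array.from(this.grants.values()).some(
      (g) => g.userId === userId && g.orgId === orgId && g.revokedAt === null && now.getTime() < g.expiresAt.getTime(),
    );
  }
}
```

Two design choices are worth noting. Out-of-scope lookups are answered with the same "not found" error as genuinely missing ids, so the admin API does not become an oracle for whether a session or grant exists in another organization. Support access is evaluated at use time against revokedAt and expiresAt rather than cached, so revoking the grant or passing its expiry takes effect on the next request, matching the "immediately removes access" requirement cited above.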