8 changed files with 107 additions and 4 deletions
--- a/bid_main/admin.py
+++ b/bid_main/admin.py
@ -9,6 +9,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.urls import reverse_lazy
 from django.utils.html import format_html
 from django.utils.translation import gettext_lazy as _
+from qsessions.models import Session

 import bid_main.file_utils

@ -408,3 +409,7 @@ class AccessTokenAdmin(admin.ModelAdmin):
    list_filter = ("application", "scope")
    raw_id_fields = ("user", "source_refresh_token", "id_token")
    search_fields = ("scope",)
+
+
+# avoid exposing session_key values in admin
+admin.site.unregister(Session)
--- a/bid_main/sessions.py
+++ b/bid_main/sessions.py
@ -0,0 +1,5 @@
+import hashlib
+
+
+def get_hashed_key(session):
+    return hashlib.sha256(session.session_key.encode('utf-8')).hexdigest()
--- a/bid_main/templates/bid_main/active_sessions.html
+++ b/bid_main/templates/bid_main/active_sessions.html
@ -0,0 +1,48 @@
+{% extends 'layout.html' %}
+{% load humanize pipeline static %}
+{% block page_title %}
+Active Sessions
+{% endblock %}
+
+{% block body %}
+<div class="bid box">
+<h2>Active Sessions</h2>
+<table class="table w-100 mt-4">
+  <thead>
+  <tr>
+    <th>Created</th>
+    <th>Location</th>
+    <th>Device</th>
+    <th class="text-center"></th>
+  </tr>
+  </thead>
+  <tbody>
+  {% for session in sessions %}
+  <tr>
+    <td title="{{ session.created_at }}">{{ session.created_at|naturaltime }}</td>
+    <td>
+      {% if session.location %}
+      {{ session.location }}
+      {% else %}
+      Not detected
+      {% endif %}
+      ({{ session.ip }})
+    </td>
+    <td>{{ session.device }}</td>
+    <td class="text-center">
+      {% if session.is_current %}
+      Current Session
+      {% else %}
+      <form action="{% url 'bid_main:terminate_session' %}" method="post">
+        {% csrf_token %}
+        <input type="hidden" name="session_key_hashed" value="{{ session.session_key_hashed }}" />
+        <button type="submit" class="btn-danger">Terminate Session</button>
+      </form>
+      {% endif %}
+    </td>
+  </tr>
+  {% endfor %}
+  </tbody>
+</table>
+</div>
+{% endblock %}
--- a/bid_main/templates/bid_main/index.html
+++ b/bid_main/templates/bid_main/index.html
@ -135,6 +135,11 @@ Profile

 <div class="bid-roles container bid box mt-3">
  <h2>Account</h2>
+  <div class="btn-row-fluid mt-3">
+    <a class="btn" href="{% url 'bid_main:active_sessions' %}">
+      <span>Active Sessions</span>
+    </a>
+  </div>
  <div class="btn-row-fluid mt-3">
    <a class="btn" href="{% url 'bid_main:password_change' %}">
      <span>Change Password</span>
--- a/bid_main/urls.py
+++ b/bid_main/urls.py
@ -139,6 +139,12 @@ urlpatterns = [
        registration_email.ConfirmEmailPollView.as_view(),
        name="confirm-email-poll",
    ),
+    path('active-sessions/', normal_pages.ActiveSessionsView.as_view(), name='active_sessions'),
+    path(
+        'terminate-session/',
+        normal_pages.TerminateSessionView.as_view(),
+        name='terminate_session',
+    ),
 ]

 # Only enable this on a dev server:
--- a/bid_main/views/normal_pages.py
+++ b/bid_main/views/normal_pages.py
@ -14,8 +14,8 @@ from django.core.exceptions import ValidationError
 from django.utils.translation import gettext as _
 from django.db import transaction, IntegrityError
 from django.db.models import Count
-from django.http import HttpResponseRedirect
-from django.shortcuts import resolve_url, render
+from django.http import HttpResponseNotFound, HttpResponseRedirect
+from django.shortcuts import redirect, resolve_url, render
 from django.urls import reverse_lazy
 from django.utils import timezone
 from django.utils.decorators import method_decorator
@ -23,6 +23,7 @@ from django.views.decorators.cache import never_cache
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.debug import sensitive_post_parameters
 from django.views.generic import TemplateView, FormView
+from django.views.generic.base import View
 from django.views.generic.edit import UpdateView
 import loginas.utils
 import oauth2_provider.models as oauth2_models
@ -31,6 +32,7 @@ from .. import forms, email
 from . import mixins
 from bid_main.email import send_verify_address
 import bid_main.file_utils
+import bid_main.sessions

 User = get_user_model()
 log = logging.getLogger(__name__)
@ -429,3 +431,28 @@ class DeleteUserView(
        if not ok:
            log.error("Failed to send an email about deletion of account %s", user.pk)
        return render(self.request, "bid_main/delete_user/confirm.html", context=ctx)
+
+
+class ActiveSessionsView(LoginRequiredMixin, TemplateView):
+    template_name = "bid_main/active_sessions.html"
+
+    def get_context_data(self, **kwargs):
+        sessions = self.request.user.session_set.order_by('-created_at')
+        for session in sessions:
+            session.session_key_hashed = bid_main.sessions.get_hashed_key(session)
+            if session.session_key == self.request.session.session_key:
+                session.is_current = True
+        return {
+            **super().get_context_data(**kwargs),
+            'sessions': sessions,
+        }
+
+
+class TerminateSessionView(LoginRequiredMixin, View):
+    def post(self, request):
+        session_key_hashed = request.POST.get('session_key_hashed')
+        for session in self.request.user.session_set.all():
+            if session_key_hashed == bid_main.sessions.get_hashed_key(session):
+                session.delete()
+                return redirect('bid_main:active_sessions')
+        return HttpResponseNotFound("session not found")
--- a/blenderid/settings.py
+++ b/blenderid/settings.py
@ -43,16 +43,17 @@ INSTALLED_APPS = [
    "django.contrib.admindocs",
    "django.contrib.auth",
    "django.contrib.contenttypes",
-    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.staticfiles",
    "django.contrib.sites",
    "django.contrib.flatpages",
+    "django.contrib.humanize",
    "oauth2_provider",
    "pipeline",
    "sorl.thumbnail",
    "django_admin_select2",
    "loginas",
+    "qsessions",
    "bid_main",
    "bid_api",
    "bid_addon_support",
@ -61,7 +62,7 @@ INSTALLED_APPS = [

 MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
-    "django.contrib.sessions.middleware.SessionMiddleware",
+    "qsessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
@ -75,6 +76,10 @@ AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
 ]

+SESSION_ENGINE = "qsessions.backends.db"
+
+GEOIP_PATH = os.getenv('GEOIP_PATH')
+
 ROOT_URLCONF = "blenderid.urls"

 TEMPLATES = [
--- a/requirements.txt
+++ b/requirements.txt
@ -15,9 +15,11 @@ django-compat==1.0.15 ; python_version >= "3.8" and python_version < "4"
 django-loginas==0.3.11 ; python_version >= "3.8" and python_version < "4"
 django-oauth-toolkit @ git+https://projects.blender.org/Oleg-Komarov/django-oauth-toolkit.git@0b056a99ca943771615b859f48aaff0e12357f22 ; python_version >= "3.8" and python_version < "4"
 django-pipeline==3.1.0 ; python_version >= "3.8" and python_version < "4"
+django-qsessions==1.1.5
 django==4.2.13 ; python_version >= "3.8" and python_version < "4"
 django[bcrypt]==4.2.13 ; python_version >= "3.8" and python_version < "4"
 docutils==0.14 ; python_version >= "3.8" and python_version < "4"
+geoip2==4.8.0
 htmlmin==0.1.12 ; python_version >= "3.8" and python_version < "4"
 idna==2.8 ; python_version >= "3.8" and python_version < "4"
 importlib-metadata==3.6.0 ; python_version >= "3.8" and python_version < "4"