bid_main/templates/bid_main/active_sessions.html

@@ -0,0 +1,44 @@
+{% extends 'layout.html' %}
+{% load humanize pipeline static %}
+{% block page_title %}
+Active Sessions
+{% endblock %}
+
+{% block body %}
+<div class="bid box">
+<h2>Active Sessions</h2>
+<table class="table w-100 mt-4">
+  <thead>
+  <tr>
+    <th>Created</th>
+    <th>Last Active</th>
+    <th>IP</th>
+    <th>Device</th>
+    <th class="text-center"></th>
+  </tr>
+  </thead>
+  <tbody>
+  {% for session in sessions %}
+  <tr>
+    <td title="{{ session.created_at }}">{{ session.created_at|naturaltime }}</td>
+    <td title="{{ session.last_active_at }}">
+      {% if session.is_current %}
+      Current Session
+      {% else %}
+      {{ session.last_active_at|naturaltime }}
+      {% endif %}
+    </td>
+    <td>{{ session.ip }}</td>
+    <td>{{ session.device }}</td>
+    <td class="text-center">
+      <form action="{% url 'bid_main:terminate_session' session.pk %}" method="post">
+        {% csrf_token %}
+        <button type="submit" class="btn-danger" title="Terminate Session"><i class="i-trash"></i></button>
+      </form>
+    </td>
+  </tr>
+  {% endfor %}
+  </tbody>
+</table>
+</div>
+{% endblock %}

bid_main/templates/bid_main/index.html

@@ -135,6 +135,11 @@ Profile
 
 <div class="bid-roles container bid box mt-3">
   <h2>Account</h2>
+  <div class="btn-row-fluid mt-3">
+    <a class="btn" href="{% url 'bid_main:active_sessions' %}">
+      <span>Active Sessions</span>
+    </a>
+  </div>
   <div class="btn-row-fluid mt-3">
     <a class="btn" href="{% url 'bid_main:password_change' %}">
       <span>Change Password</span>

bid_main/tests/test_user_sessions.py

@@ -1,5 +1,6 @@
-from django.test import TestCase
 from django.test.client import Client
+from django.test import TestCase
+from django.urls import reverse
 
 from bid_main.tests.factories import UserFactory
 
@@ -14,3 +15,29 @@ class TestUserSessions(TestCase):
         self.assertEqual(user.sessions.count(), 2)
         client2.logout()
         self.assertEqual(user.sessions.count(), 1)
+
+
+class TestActiveSessions(TestCase):
+    def test_active_sessions(self):
+        user = UserFactory()
+        client1 = Client()
+        client2 = Client()
+        client1.force_login(user)
+        first_session_pk = user.sessions.first().pk
+        client2.force_login(user)
+        response = client1.get(reverse('bid_main:active_sessions'))
+        self.assertContains(response, 'Current Session')
+        self.assertContains(response, 'Terminate Session')
+
+        response = client2.post(
+            reverse('bid_main:terminate_session', kwargs={'pk': first_session_pk})
+        )
+        self.assertEqual(response.status_code, 302)
+
+        response = client2.get(reverse('bid_main:active_sessions'))
+        self.assertEqual(response.status_code, 200)
+
+        # got logged out, redirect to login
+        response = client1.get(reverse('bid_main:active_sessions'))
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response['Location'], '/login?next=/active-sessions/')

bid_main/urls.py

@@ -139,6 +139,12 @@ urlpatterns = [
         registration_email.ConfirmEmailPollView.as_view(),
         name="confirm-email-poll",
     ),
+    path('active-sessions/', normal_pages.ActiveSessionsView.as_view(), name='active_sessions'),
+    path(
+        'terminate-session/<int:pk>/',
+        normal_pages.TerminateSessionView.as_view(),
+        name='terminate_session',
+    ),
 ]
 
 # Only enable this on a dev server:

bid_main/views/normal_pages.py

@@ -14,8 +14,8 @@ from django.core.exceptions import ValidationError
 from django.utils.translation import gettext as _
 from django.db import transaction, IntegrityError
 from django.db.models import Count
-from django.http import HttpResponseRedirect
-from django.shortcuts import resolve_url, render
+from django.http import HttpResponseNotFound, HttpResponseRedirect
+from django.shortcuts import redirect, resolve_url, render
 from django.urls import reverse_lazy
 from django.utils import timezone
 from django.utils.decorators import method_decorator
@@ -23,6 +23,7 @@ from django.views.decorators.cache import never_cache
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.debug import sensitive_post_parameters
 from django.views.generic import TemplateView, FormView
+from django.views.generic.base import View
 from django.views.generic.edit import UpdateView
 import loginas.utils
 import oauth2_provider.models as oauth2_models
@@ -429,3 +430,26 @@ class DeleteUserView(
         if not ok:
             log.error("Failed to send an email about deletion of account %s", user.pk)
         return render(self.request, "bid_main/delete_user/confirm.html", context=ctx)
+
+
+class ActiveSessionsView(LoginRequiredMixin, TemplateView):
+    template_name = "bid_main/active_sessions.html"
+
+    def get_context_data(self, **kwargs):
+        user_sessions = self.request.user.sessions.order_by('-last_active_at')
+        for session in user_sessions:
+            if session.session.session_key == self.request.session.session_key:
+                session.is_current = True
+        return {
+            **super().get_context_data(**kwargs),
+            'sessions': user_sessions,
+        }
+
+
+class TerminateSessionView(LoginRequiredMixin, View):
+    def post(self, request, *args, **kwargs):
+        if user_session := self.request.user.sessions.filter(pk=kwargs.get('pk', 0)).first():
+            user_session.session.delete()
+            user_session.delete()
+            return redirect('bid_main:active_sessions')
+        return HttpResponseNotFound("session not found")

blenderid/settings.py

@@ -50,6 +50,7 @@ INSTALLED_APPS = [
     "django.contrib.admindocs",
     "django.contrib.auth",
     "django.contrib.contenttypes",
+    "django.contrib.humanize",
     "django.contrib.sessions",
     "django.contrib.messages",
     "django.contrib.staticfiles",