feat: label session actuelle + fix bouton révoquer

- GetSessions: retourne is_current=true pour la session correspondant au cookie courant - GetSessions: select token_hash pour la comparaison (non exposé dans le JSON) - profile.html: badge "Session actuelle" + désactive révoquer pour la session courante (utiliser le bouton Déconnexion à la place) - app.js: revokeSession utilise finally pour reset + isRevoking() helper - pages.css: styles .badge-current + .session-current Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 01:45:09 +01:00 · 2026-03-22 01:45:09 +01:00 · 98cdabf3e1
commit 98cdabf3e1
parent 1cbd7e9d17
4 changed files with 40 additions and 14 deletions
--- a/backend/internal/api/auth.go
+++ b/backend/internal/api/auth.go
@ -347,7 +347,7 @@ func (h *AuthHandler) GetSessions(w http.ResponseWriter, r *http.Request) {
 	}

 	rows, err := h.db.Query(`
-		SELECT id, user_agent, ip, created_at, last_used_at, expires_at
+		SELECT id, user_agent, ip, created_at, last_used_at, expires_at, token_hash
 		FROM refresh_tokens
 		WHERE user_id = ? AND expires_at > CURRENT_TIMESTAMP
 		ORDER BY COALESCE(last_used_at, created_at) DESC
@ -358,21 +358,29 @@ func (h *AuthHandler) GetSessions(w http.ResponseWriter, r *http.Request) {
 	}
 	defer rows.Close()

+	// Hash du cookie courant pour marquer "session actuelle"
+	currentHash := ""
+	if cookie, err := r.Cookie("pxp_refresh"); err == nil {
+		currentHash = hashToken(cookie.Value)
+	}
+
 	type Session struct {
-		ID         int64   `json:"id"`
-		UserAgent  string  `json:"user_agent"`
-		IP         string  `json:"ip"`
-		CreatedAt  string  `json:"created_at"`
+		ID        int64   `json:"id"`
+		UserAgent string  `json:"user_agent"`
+		IP        string  `json:"ip"`
+		CreatedAt string  `json:"created_at"`
 		LastUsedAt *string `json:"last_used_at"`
-		ExpiresAt  string  `json:"expires_at"`
+		ExpiresAt string  `json:"expires_at"`
+		IsCurrent bool    `json:"is_current"`
 	}

 	sessions := []Session{}
 	for rows.Next() {
 		var s Session
+		var tokenHash string
 		var createdAt, expiresAt sql.NullString
 		var lastUsedAt sql.NullString
-		if err := rows.Scan(&s.ID, &s.UserAgent, &s.IP, &createdAt, &lastUsedAt, &expiresAt); err != nil {
+		if err := rows.Scan(&s.ID, &s.UserAgent, &s.IP, &createdAt, &lastUsedAt, &expiresAt, &tokenHash); err != nil {
 			log.Printf("[GetSessions] scan error userID=%d: %v", claims.UserID, err)
 			continue
 		}
@ -381,6 +389,7 @@ func (h *AuthHandler) GetSessions(w http.ResponseWriter, r *http.Request) {
 		if lastUsedAt.Valid && lastUsedAt.String != "" {
 			s.LastUsedAt = &lastUsedAt.String
 		}
+		s.IsCurrent = currentHash != "" && tokenHash == currentHash
 		sessions = append(sessions, s)
 	}