V3

app/assets/stylesheets/active_sessions.scss

@@ -0,0 +1,3 @@
+// Place all the styles related to the active_sessions controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: https://sass-lang.com/

app/controllers/active_sessions_controller.rb

@@ -0,0 +1,25 @@
+class ActiveSessionsController < ApplicationController
+  before_action :authenticate_user!
+
+  def destroy
+    @active_session = current_user.active_sessions.find(params[:id])
+
+    @active_session.destroy
+
+    if current_user
+      redirect_to account_path, notice: "Session deleted."
+    else
+      forget_active_session
+      reset_session
+      redirect_to root_path, notice: "Signed out."
+    end
+  end
+
+  def destroy_all
+    forget_active_session
+    current_user.active_sessions.destroy_all
+    reset_session
+
+    redirect_to root_path, notice: "Signed out."
+  end
+end

app/controllers/concerns/authentication.rb

@@ -14,45 +14,45 @@ def authenticate_user!
 
   def login(user)
     reset_session
-    user.regenerate_session_token
-    session[:current_user_session_token] = user.reload.session_token
+    active_session = user.active_sessions.create!(user_agent: request.user_agent, ip_address: request.ip)
+    session[:current_active_session_id] = active_session.id
+
+    active_session
   end
 
-  def forget(user)
+  def forget_active_session
     cookies.delete :remember_token
-    user.regenerate_remember_token
   end
 
   def logout
-    user = current_user
+    active_session = ActiveSession.find_by(id: session[:current_active_session_id])
     reset_session
-    user.regenerate_session_token
+    active_session.destroy! if active_session.present?
   end
 
   def redirect_if_authenticated
     redirect_to root_path, alert: "You are already logged in." if user_signed_in?
   end
 
-  def remember(user)
-    user.regenerate_remember_token
-    cookies.permanent.encrypted[:remember_token] = user.remember_token
-  end
-
-  def store_location
-    session[:user_return_to] = request.original_url if request.get? && request.local?
+  def remember(active_session)
+    cookies.permanent.encrypted[:remember_token] = active_session.remember_token
   end
 
   private
 
   def current_user
-    Current.user ||= if session[:current_user_session_token].present?
-      User.find_by(session_token: session[:current_user_session_token])
+    Current.user = if session[:current_active_session_id].present?
+      ActiveSession.find_by(id: session[:current_active_session_id])&.user
     elsif cookies.permanent.encrypted[:remember_token].present?
-      User.find_by(remember_token: cookies.permanent.encrypted[:remember_token])
+      ActiveSession.find_by(remember_token: cookies.permanent.encrypted[:remember_token])&.user
     end
   end
 
   def user_signed_in?
     Current.user.present?
   end
+
+  def store_location
+    session[:user_return_to] = request.original_url if request.get? && request.local?
+  end
 end

app/controllers/sessions_controller.rb

@@ -9,8 +9,8 @@ def create
         redirect_to new_confirmation_path, alert: "Incorrect email or password."
       else
         after_login_path = session[:user_return_to] || root_path
-        login @user
-        remember(@user) if params[:user][:remember_me] == "1"
+        active_session = login @user
+        remember(active_session) if params[:user][:remember_me] == "1"
         redirect_to after_login_path, notice: "Signed in."
       end
     else
@@ -20,7 +20,7 @@ def create
   end
 
   def destroy
-    forget(current_user)
+    forget_active_session
     logout
     redirect_to root_path, notice: "Signed out."
   end

app/controllers/users_controller.rb

@@ -20,6 +20,7 @@ def destroy
 
   def edit
     @user = current_user
+    @active_sessions = @user.active_sessions.order(created_at: :desc)
   end
 
   def new
@@ -28,6 +29,7 @@ def new
 
   def update
     @user = current_user
+    @active_sessions = @user.active_sessions.order(created_at: :desc)
     if @user.authenticate(params[:user][:current_password])
       if @user.update(update_user_params)
         if params[:user][:unconfirmed_email].present?

app/helpers/active_sessions_helper.rb

@@ -0,0 +1,2 @@
+module ActiveSessionsHelper
+end

app/models/active_session.rb

@@ -0,0 +1,5 @@
+class ActiveSession < ApplicationRecord
+  belongs_to :user
+
+  has_secure_token :remember_token
+end

app/models/user.rb

@@ -6,8 +6,8 @@ class User < ApplicationRecord
   attr_accessor :current_password
 
   has_secure_password
-  has_secure_token :remember_token
-  has_secure_token :session_token
+
+  has_many :active_sessions, dependent: :destroy
 
   before_save :downcase_email
   before_save :downcase_unconfirmed_email

app/views/active_sessions/_active_session.html.erb

@@ -0,0 +1,6 @@
+<tr>
+  <td><%= active_session.user_agent %></td>
+  <td><%= active_session.ip_address %></td>
+  <td><%= active_session.created_at %></td>
+  <td><%= button_to "Sign Out", active_session_path(active_session), method: :delete %></td>
+</tr>

app/views/sessions/new.html.erb

@@ -1,7 +1,7 @@
 <%= form_with url: login_path, scope: :user do |form| %>
   <div>
     <%= form.label :email %>
-    <%= form.text_field :email, required: true %>
+    <%= form.email_field :email, required: true %>
   </div>
   <div>
     <%= form.label :password %>

app/views/users/edit.html.erb

@@ -2,7 +2,7 @@
   <%= render partial: "shared/form_errors", locals: { object: form.object } %>
   <div>
     <%= form.label :email, "Current Email" %>
-    <%= form.text_field :email, disabled: true %>
+    <%= form.email_field :email, disabled: true %>
   </div>
   <div>
     <%= form.label :unconfirmed_email, "New Email" %>
@@ -22,4 +22,21 @@
     <%= form.password_field :current_password, required: true %>
   </div>
   <%= form.submit "Update Account" %>
+<% end %>
+<h2>Current Logins</h2>
+<% if @active_sessions.any? %> 
+  <%= button_to "Log out of all other sessions", destroy_all_active_sessions_path, method: :delete %>
+  <table>
+    <thead>
+      <tr>
+        <th>User Agent</th>
+        <th>IP Address</th>
+        <th>Signed In At</th>
+        <th>Sign Out</th>
+      </tr>
+    </thead>
+    <tbody>
+      <%= render @active_sessions %>
+    </tbody>
+  </table>
 <% end %>

app/views/users/new.html.erb

@@ -2,7 +2,7 @@
   <%= render partial: "shared/form_errors", locals: { object: form.object } %>
   <div>
     <%= form.label :email %>
-    <%= form.text_field :email, required: true %>
+    <%= form.email_field :email, required: true %>
   </div>
   <div>
     <%= form.label :password %>

config/routes.rb

@@ -10,4 +10,9 @@
   delete "logout", to: "sessions#destroy"
   get "login", to: "sessions#new"
   resources :passwords, only: [:create, :edit, :new, :update], param: :password_reset_token
+  resources :active_sessions, only: [:destroy] do
+    collection do
+      delete "destroy_all"
+    end
+  end
 end

db/migrate/20220129144819_create_active_sessions.rb

@@ -0,0 +1,9 @@
+class CreateActiveSessions < ActiveRecord::Migration[6.1]
+  def change
+    create_table :active_sessions do |t|
+      t.references :user, null: false, foreign_key: {on_delete: :cascade}
+
+      t.timestamps
+    end
+  end
+end

db/migrate/20220201102359_add_request_columns_to_active_sessions.rb

@@ -0,0 +1,6 @@
+class AddRequestColumnsToActiveSessions < ActiveRecord::Migration[6.1]
+  def change
+    add_column :active_sessions, :user_agent, :string
+    add_column :active_sessions, :ip_address, :string
+  end
+end

db/migrate/20220204201046_move_remember_token_from_users_to_active_sessions.rb

@@ -0,0 +1,10 @@
+# TODO: Remove comment
+# rails g migration move_remember_token_from_users_to_active_sessions
+class MoveRememberTokenFromUsersToActiveSessions < ActiveRecord::Migration[6.1]
+  def change
+    remove_column :users, :remember_token
+    add_column :active_sessions, :remember_token, :string, null: false
+
+    add_index :active_sessions, :remember_token, unique: true
+  end
+end

test/controllers/active_sessions_controller_test.rb

@@ -0,0 +1,68 @@
+require "test_helper"
+
+class ActiveSessionsControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    @confirmed_user = User.create!(email: "confirmed_user@example.com", password: "password", password_confirmation: "password", confirmed_at: Time.current)
+  end
+
+  test "should destroy all active sessions" do
+    login @confirmed_user
+    @confirmed_user.active_sessions.create!
+
+    assert_difference("ActiveSession.count", -2) do
+      delete destroy_all_active_sessions_path
+    end
+
+    assert_redirected_to root_path
+    assert_nil current_user
+    assert_not_nil flash[:notice]
+  end
+
+  test "should destroy all active sessions and forget active sessions" do
+    login @confirmed_user, remember_user: true
+    @confirmed_user.active_sessions.create!
+
+    assert_difference("ActiveSession.count", -2) do
+      delete destroy_all_active_sessions_path
+    end
+
+    assert_nil current_user
+    assert cookies[:remember_token].blank?
+  end
+
+  test "should destroy another session" do
+    login @confirmed_user
+    @confirmed_user.active_sessions.create!
+
+    assert_difference("ActiveSession.count", -1) do
+      delete active_session_path(@confirmed_user.active_sessions.last)
+    end
+
+    assert_redirected_to account_path
+    assert_not_nil current_user
+    assert_not_nil flash[:notice]
+  end
+
+  test "should destroy current session" do
+    login @confirmed_user
+
+    assert_difference("ActiveSession.count", -1) do
+      delete active_session_path(@confirmed_user.active_sessions.last)
+    end
+
+    assert_redirected_to root_path
+    assert_nil current_user
+    assert_not_nil flash[:notice]
+  end
+
+  test "should destroy current session and forget current active session" do
+    login @confirmed_user, remember_user: true
+
+    assert_difference("ActiveSession.count", -1) do
+      delete active_session_path(@confirmed_user.active_sessions.last)
+    end
+
+    assert_nil current_user
+    assert cookies[:remember_token].blank?
+  end
+end