fix(auth): add web session pepper revocation (#2788)

* fix(auth): add web session pepper revocation

* fix(auth): separate browser session sign-out

* fix(auth): rotate peppers on soft delete

* fix(auth): preserve legacy web session revocation

* chore(db): drop stale web session migration

* fix(auth): regenerate web session migration

Author: RSO

apps/web/src/app/(app)/components/SidebarUserFooter.tsx

@@ -20,7 +20,11 @@ type SidebarUserFooterProps = {
 
 export default function SidebarUserFooter({ user, isLoading }: SidebarUserFooterProps) {
   const handleLogout = async () => {
-    await signOut({ callbackUrl: '/' });
+    try {
+      await fetch('/api/auth/revoke-web-session', { method: 'POST' });
+    } finally {
+      await signOut({ callbackUrl: '/' });
+    }
   };
 
   // Get user initials for avatar fallback

apps/web/src/app/admin/components/UserAdmin/ResetAPIKeyButton.tsx

@@ -41,7 +41,7 @@ export default function ResetAPIKeyButton({ userId }: { userId: string }) {
           <DialogTitle>Reset API keys</DialogTitle>
           <DialogDescription>
             Are you sure that you want to reset the API keys for this user? This action can not be
-            undone!
+            undone. Browser sessions will stay signed in.
           </DialogDescription>
         </DialogHeader>
 

apps/web/src/app/admin/components/UserAdmin/SignOutBrowserSessionsButton.tsx

@@ -0,0 +1,67 @@
+'use client';
+
+import { useState } from 'react';
+import { Button } from '@/components/ui/button';
+import {
+  Dialog,
+  DialogClose,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+} from '@/components/ui/dialog';
+import { useMutation } from '@tanstack/react-query';
+import { useTRPC } from '@/lib/trpc/utils';
+import { toast } from 'sonner';
+
+export default function SignOutBrowserSessionsButton({ userId }: { userId: string }) {
+  const [isDialogOpen, setDialogOpen] = useState(false);
+  const trpc = useTRPC();
+
+  const signOutBrowserSessionsMutation = useMutation(
+    trpc.admin.users.signOutBrowserSessions.mutationOptions({
+      onSuccess: () => {
+        toast.success('Browser sessions were successfully signed out!');
+        setDialogOpen(false);
+      },
+    })
+  );
+
+  return (
+    <Dialog open={isDialogOpen} onOpenChange={setDialogOpen}>
+      <DialogTrigger asChild>
+        <Button size="sm" variant="outline">
+          Sign out browser sessions
+        </Button>
+      </DialogTrigger>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>Sign out browser sessions</DialogTitle>
+          <DialogDescription>
+            Are you sure that you want to sign out all browser sessions for this user? CLI, VS Code,
+            JetBrains, and other API tokens will continue to work.
+          </DialogDescription>
+        </DialogHeader>
+
+        <DialogFooter>
+          <DialogClose asChild>
+            <Button variant="outline" disabled={signOutBrowserSessionsMutation.isPending}>
+              Cancel
+            </Button>
+          </DialogClose>
+          <Button
+            variant="destructive"
+            onClick={() => signOutBrowserSessionsMutation.mutate({ userId })}
+            disabled={signOutBrowserSessionsMutation.isPending}
+          >
+            {signOutBrowserSessionsMutation.isPending
+              ? 'Signing out...'
+              : 'Sign Out Browser Sessions'}
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}

apps/web/src/app/admin/components/UserAdmin/UserAdminAccountInfo.tsx

@@ -8,6 +8,7 @@ import { formatDate } from '@/lib/admin-utils';
 import type { UserDetailProps } from '@/types/admin';
 import ResetAPIKeyButton from './ResetAPIKeyButton';
 import ResetToMagicLinkLoginButton from './ResetToMagicLinkLoginButton';
+import SignOutBrowserSessionsButton from './SignOutBrowserSessionsButton';
 import { Button } from '@/components/ui/button';
 import Link from 'next/link';
 import { SquareArrowOutUpRight, Webhook } from 'lucide-react';
@@ -56,6 +57,7 @@ export function UserAdminAccountInfo(user: UserAdminAccountInfoProps) {
           <div className="flex flex-wrap items-center gap-2">
             <UserStatusBadge is_detail={true} user={user} />
             <PaymentMethodStatusBadge paymentMethodStatus={user.paymentMethodStatus} />
+            <SignOutBrowserSessionsButton userId={user.id} />
             <ResetAPIKeyButton userId={user.id} />
             {!user.is_sso_protected_domain && <ResetToMagicLinkLoginButton userId={user.id} />}
             <Button variant="outline" size="sm" asChild>

apps/web/src/app/api/auth/revoke-web-session/route.ts

@@ -0,0 +1,17 @@
+import { successResult } from '@/lib/maybe-result';
+import { getUserFromAuth } from '@/lib/user.server';
+import { revokeWebSessions } from '@/lib/web-session-revocation';
+import { NextResponse } from 'next/server';
+
+export async function POST() {
+  const { user } = await getUserFromAuth({
+    adminOnly: false,
+    DANGEROUS_allowBlockedUsers: true,
+  });
+
+  if (user) {
+    await revokeWebSessions(user.id);
+  }
+
+  return NextResponse.json(successResult());
+}

apps/web/src/app/api/cloud-agent/sessions/prepare/route.test.ts

@@ -84,6 +84,7 @@ function createMockUser(overrides: Partial<User> = {}): User {
     blocked_at: null,
     blocked_by_kilo_user_id: null,
     api_token_pepper: 'test-pepper',
+    web_session_pepper: null,
     auto_top_up_enabled: false,
     stripe_customer_id: 'cus_test123',
     microdollars_used: 0,

apps/web/src/app/auto-signout/page.tsx

@@ -10,7 +10,13 @@ export default function AutoSignOutPage() {
   }
 
   useEffect(() => {
-    void signOut({ callbackUrl: '/profile' });
+    void (async () => {
+      try {
+        await fetch('/api/auth/revoke-web-session', { method: 'POST' });
+      } finally {
+        await signOut({ callbackUrl: '/profile' });
+      }
+    })();
   }, []);
 
   return (

apps/web/src/components/dev/actions.ts

@@ -4,6 +4,7 @@ import { redirect } from 'next/navigation';
 import { findUserById, softDeleteUser } from '@/lib/user';
 import { deleteStripeCustomer } from '@/lib/stripe-client';
 import { captureException } from '@sentry/nextjs';
+import { revokeWebSessions } from '@/lib/web-session-revocation';
 
 export async function nuke(kiloUserId: string) {
   try {
@@ -12,6 +13,7 @@ export async function nuke(kiloUserId: string) {
       throw new Error(`User not found: ${kiloUserId}`);
     }
 
+    await revokeWebSessions(kiloUserId);
     await softDeleteUser(kiloUserId);
     await deleteStripeCustomer(user.stripe_customer_id);
   } catch (error) {

apps/web/src/components/profile/ResetAPITokenDialog.tsx

@@ -24,8 +24,8 @@ export function ResetAPITokenDialog() {
   const resetAPIKeyMutation = useMutation(
     trpc.user.resetAPIKey.mutationOptions({
       onSuccess: () => {
-        toast.success('API token reset successfully. Redirecting to sign-in page...');
-        router.push('/users/sign_in');
+        toast.success('API token reset successfully. Refreshing token...');
+        router.refresh();
       },
     })
   );
@@ -35,22 +35,21 @@ export function ResetAPITokenDialog() {
       <DialogTrigger asChild>
         <Button variant="outline" size="sm" className="text-destructive hover:bg-destructive">
           <RotateCcw className="mr-2 h-4 w-4" />
-          Reset Token and Sign Out
+          Reset API Token
         </Button>
       </DialogTrigger>
       <DialogContent className="sm:max-w-[425px]">
         <DialogHeader>
           <DialogTitle className="flex items-center gap-2 text-orange-600">
             <AlertTriangle className="h-5 w-5" />
-            Reset all API tokens and sign out everywhere.
+            Reset all API tokens?
           </DialogTitle>
           <DialogDescription className="text-muted-foreground pt-3">
             <strong className="text-foreground">This action cannot be undone.</strong>
             <br />
             <br />
-            Resetting your API token will invalidate all existing tokens. You will also be signed
-            out of all sessions. If you procees, you will need to sign in again and then re-open in
-            VS Code and/or other Kilo Code extensions.
+            Resetting your API token will invalidate all existing CLI, VS Code, JetBrains, and other
+            API tokens. Browser sessions will stay signed in.
           </DialogDescription>
         </DialogHeader>
         <DialogFooter className="gap-2 sm:gap-0">
@@ -69,7 +68,7 @@ export function ResetAPITokenDialog() {
             onClick={() => resetAPIKeyMutation.mutate()}
             disabled={resetAPIKeyMutation.isPending}
           >
-            {resetAPIKeyMutation.isPending ? 'Resetting...' : 'Reset API Token and Sign Out'}
+            {resetAPIKeyMutation.isPending ? 'Resetting...' : 'Reset API Token'}
           </Button>
         </DialogFooter>
       </DialogContent>

apps/web/src/components/profile/SignOutBrowserSessionsDialog.tsx

@@ -0,0 +1,75 @@
+'use client';
+
+import { Button } from '@/components/ui/button';
+import {
+  Dialog,
+  DialogClose,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+} from '@/components/ui/dialog';
+import { AlertTriangle, LogOut } from 'lucide-react';
+import { useTRPC } from '@/lib/trpc/utils';
+import { useMutation } from '@tanstack/react-query';
+import { toast } from 'sonner';
+import { signOut } from 'next-auth/react';
+
+export function SignOutBrowserSessionsDialog() {
+  const trpc = useTRPC();
+
+  const signOutBrowserSessionsMutation = useMutation(
+    trpc.user.signOutBrowserSessions.mutationOptions({
+      onSuccess: async () => {
+        toast.success('Browser sessions signed out. Redirecting to sign-in page...');
+        await signOut({ callbackUrl: '/users/sign_in' });
+      },
+    })
+  );
+
+  return (
+    <Dialog>
+      <DialogTrigger asChild>
+        <Button variant="outline" size="sm">
+          <LogOut className="mr-2 h-4 w-4" />
+          Sign Out Browser Sessions
+        </Button>
+      </DialogTrigger>
+      <DialogContent className="sm:max-w-[425px]">
+        <DialogHeader>
+          <DialogTitle className="flex items-center gap-2 text-orange-600">
+            <AlertTriangle className="h-5 w-5" />
+            Sign out all browser sessions?
+          </DialogTitle>
+          <DialogDescription className="text-muted-foreground pt-3">
+            This will sign you out of Kilo Code in every browser, including this one. CLI, VS Code,
+            JetBrains, and other API tokens will continue to work.
+          </DialogDescription>
+        </DialogHeader>
+        <DialogFooter className="gap-2 sm:gap-0">
+          <DialogClose asChild>
+            <Button
+              variant="secondary"
+              className="w-full sm:w-auto"
+              disabled={signOutBrowserSessionsMutation.isPending}
+            >
+              Cancel
+            </Button>
+          </DialogClose>
+          <Button
+            variant="destructive"
+            className="w-full sm:w-auto"
+            onClick={() => signOutBrowserSessionsMutation.mutate()}
+            disabled={signOutBrowserSessionsMutation.isPending}
+          >
+            {signOutBrowserSessionsMutation.isPending
+              ? 'Signing out...'
+              : 'Sign Out Browser Sessions'}
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}