• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

Unleash / unleash / 28652335770
87%
master: 91%

Build:
Build:
LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran 03 Jul 2026 09:52AM UTC
Jobs 1
Files 1193
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

03 Jul 2026 09:42AM UTC coverage: 87.235% (-0.08%) from 87.311%
28652335770

push

github

web-flow
feat: add active sessions inspector

## What

Adds an admin-only **Active sessions** inspector (enterprise, gated
behind the `sessionInspector` flag) that lists all active user sessions
in the instance and lets an admin revoke them.

## Backend (enterprise)

- `UserSessionsController` with `GET` (list) and `DELETE /:id` (revoke),
ADMIN-only, reading from the OSS `sessionService`.
- Sessions are exposed via an **opaque, non-reversible `id`** (sha256 of
the sid) so the raw session token is never returned over the API; revoke
reverse-looks-up by that id.
- High-level **browser / device type** derived from the User-Agent at
read time (deliberately simple parser).

## Capture (oss)

- `sessionContextMiddleware` stamps the client **IP** and **User-Agent**
onto the session once per login.
- Capture is gated on the `sessionInspector` flag, **resolved per
request** so it can be toggled dynamically without an app restart.

## Frontend (oss)

- Active sessions table: short session id + green **Current** badge,
user, IP, browser, device, created and expiry columns, and a revoke
action with confirmation.
- Security banner links to the inspector when the flag is enabled.

## Tests

- `user-sessions-mapper.test.ts` — unit tests for the UA parser and
mapper (no DB/license needed).
- `user-sessions-controller.e2e.test.ts` — list, revoke, 404, auth, and
flag-gating.

## Notes / risks

- Only **new logins** capture IP/UA; pre-existing sessions show blank
until re-auth.
- List and revoke load all active sessions (admin-only, low frequency);
no pagination yet — a consideration for very large instances.
- Now persists IP + User-Agent on admin sessions when the flag is on
(privacy/PII consideration).
- Runtime uses OSS's built `dist`; a normal OSS build is required for
the middleware to take effect.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

1913 of 2117 branches covered (90.36%)

5 of 14 new or added lines in 2 files covered. (35.71%)

7 existing lines in 2 files now uncovered.

15377 of 17627 relevant lines covered (87.24%)

904.84 hits per line

Uncovered Changes

Lines Coverage ∆ File
9
30.77
src/lib/middleware/session-context.ts

Coverage Regressions

Lines Coverage ∆ File
6
81.36
-4.24% src/lib/features/playground/feature-evaluator/constraint.ts
1
89.58
-2.08% src/lib/features/frontend-api/client-feature-toggle-read-model.ts
Jobs
ID Job ID Ran Files Coverage
1 28652335770.1 03 Jul 2026 09:52AM UTC 1193
87.24
GitHub Action Run
Source Files on build 28652335770
  • Tree
  • List 1193
  • Changed 4
  • Source Changed 2
  • Coverage Changed 4
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses
  • Back to Repo
  • Github Actions Build #28652335770
  • 74792a97 on github
  • Prev Build on main (#28634748727)
  • Next Build on main (#28678028503)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc