feat(api): invalidate sessions on user deactivation (MS21-AUTH-004)

2026-02-28 17:29:37 -06:00
2 changed files with 13 additions and 38 deletions
--- a/apps/api/src/admin/admin.service.ts
+++ b/apps/api/src/admin/admin.service.ts
@@ -192,19 +192,22 @@ export class AdminService {
      throw new BadRequestException(`User ${id} is already deactivated`);
    }

-    const user = await this.prisma.user.update({
-      where: { id },
-      data: { deactivatedAt: new Date() },
-      include: {
-        workspaceMemberships: {
-          include: {
-            workspace: { select: { id: true, name: true } },
+    const [user] = await this.prisma.$transaction([
+      this.prisma.user.update({
+        where: { id },
+        data: { deactivatedAt: new Date() },
+        include: {
+          workspaceMemberships: {
+            include: {
+              workspace: { select: { id: true, name: true } },
+            },
          },
        },
-      },
-    });
+      }),
+      this.prisma.session.deleteMany({ where: { userId: id } }),
+    ]);

-    this.logger.log(`User deactivated: ${id}`);
+    this.logger.log(`User deactivated and sessions invalidated: ${id}`);

    return {
      id: user.id,
--- a/apps/web/src/app/(authenticated)/settings/users/page.tsx
+++ b/apps/web/src/app/(authenticated)/settings/users/page.tsx
@@ -42,7 +42,6 @@ import {
  AlertDialogHeader,
  AlertDialogTitle,
 } from "@/components/ui/alert-dialog";
-import { fetchUserWorkspaces } from "@/lib/api/workspaces";
 import {
  deactivateUser,
  fetchAdminUsers,
@@ -106,8 +105,6 @@ export default function UsersSettingsPage(): ReactElement {
  const [editError, setEditError] = useState<string | null>(null);
  const [isEditing, setIsEditing] = useState<boolean>(false);

-  const [isAdmin, setIsAdmin] = useState<boolean | null>(null);
-
  const loadUsers = useCallback(async (showLoadingState: boolean): Promise<void> => {
    try {
      if (showLoadingState) {
@@ -132,20 +129,6 @@ export default function UsersSettingsPage(): ReactElement {
    void loadUsers(true);
  }, [loadUsers]);

-  useEffect(() => {
-    fetchUserWorkspaces()
-      .then((workspaces) => {
-        const adminRoles: WorkspaceMemberRole[] = [
-          WorkspaceMemberRole.OWNER,
-          WorkspaceMemberRole.ADMIN,
-        ];
-        setIsAdmin(workspaces.some((ws) => adminRoles.includes(ws.role)));
-      })
-      .catch(() => {
-        setIsAdmin(true); // fail open
-      });
-  }, []);
-
  function resetInviteForm(): void {
    setInviteForm(INITIAL_INVITE_FORM);
    setInviteError(null);
@@ -229,17 +212,6 @@ export default function UsersSettingsPage(): ReactElement {
    }
  }

-  if (isAdmin === false) {
-    return (
-      <div className="p-8 max-w-2xl">
-        <div className="rounded-lg border border-red-200 bg-red-50 p-6 text-center">
-          <p className="text-lg font-semibold text-red-700">Access Denied</p>
-          <p className="mt-2 text-sm text-red-600">You need Admin or Owner role to manage users.</p>
-        </div>
-      </div>
-    );
-  }
-
  return (
    <div className="max-w-6xl mx-auto p-6 space-y-6">
      <div className="flex items-start justify-between gap-4">