feat(api): invalidate sessions on user deactivation (MS21-AUTH-004)

2026-02-28 17:38:14 -06:00
3 changed files with 25 additions and 44 deletions
--- a/apps/api/src/admin/admin.service.spec.ts
+++ b/apps/api/src/admin/admin.service.spec.ts
@@ -24,7 +24,15 @@ describe("AdminService", () => {
    workspaceMember: {
      create: vi.fn(),
    },
-    $transaction: vi.fn(),
+    session: {
+      deleteMany: vi.fn(),
+    },
+    $transaction: vi.fn(async (ops) => {
+      if (typeof ops === "function") {
+        return ops(mockPrismaService);
+      }
+      return Promise.all(ops);
+    }),
  };

  const mockAdminId = "550e8400-e29b-41d4-a716-446655440001";
@@ -82,10 +90,6 @@ describe("AdminService", () => {
    service = module.get<AdminService>(AdminService);

    vi.clearAllMocks();
-
-    mockPrismaService.$transaction.mockImplementation(async (fn: (tx: unknown) => unknown) => {
-      return fn(mockPrismaService);
-    });
  });

  it("should be defined", () => {
@@ -325,12 +329,13 @@ describe("AdminService", () => {
  });

  describe("deactivateUser", () => {
-    it("should set deactivatedAt on the user", async () => {
+    it("should set deactivatedAt and invalidate sessions", async () => {
      mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
      mockPrismaService.user.update.mockResolvedValue({
        ...mockUser,
        deactivatedAt: new Date(),
      });
+      mockPrismaService.session.deleteMany.mockResolvedValue({ count: 3 });

      const result = await service.deactivateUser(mockUserId);

@@ -341,6 +346,7 @@ describe("AdminService", () => {
          data: { deactivatedAt: expect.any(Date) },
        })
      );
+      expect(mockPrismaService.session.deleteMany).toHaveBeenCalledWith({ where: { userId: mockUserId } });
    });

    it("should throw NotFoundException if user does not exist", async () => {
--- a/apps/api/src/admin/admin.service.ts
+++ b/apps/api/src/admin/admin.service.ts
@@ -192,19 +192,22 @@ export class AdminService {
      throw new BadRequestException(`User ${id} is already deactivated`);
    }

-    const user = await this.prisma.user.update({
-      where: { id },
-      data: { deactivatedAt: new Date() },
-      include: {
-        workspaceMemberships: {
-          include: {
-            workspace: { select: { id: true, name: true } },
+    const [user] = await this.prisma.$transaction([
+      this.prisma.user.update({
+        where: { id },
+        data: { deactivatedAt: new Date() },
+        include: {
+          workspaceMemberships: {
+            include: {
+              workspace: { select: { id: true, name: true } },
+            },
          },
        },
-      },
-    });
+      }),
+      this.prisma.session.deleteMany({ where: { userId: id } }),
+    ]);

-    this.logger.log(`User deactivated: ${id}`);
+    this.logger.log(`User deactivated and sessions invalidated: ${id}`);

    return {
      id: user.id,
--- a/apps/web/src/app/(authenticated)/settings/users/page.tsx
+++ b/apps/web/src/app/(authenticated)/settings/users/page.tsx
@@ -42,7 +42,6 @@ import {
  AlertDialogHeader,
  AlertDialogTitle,
 } from "@/components/ui/alert-dialog";
-import { fetchUserWorkspaces } from "@/lib/api/workspaces";
 import {
  deactivateUser,
  fetchAdminUsers,
@@ -106,8 +105,6 @@ export default function UsersSettingsPage(): ReactElement {
  const [editError, setEditError] = useState<string | null>(null);
  const [isEditing, setIsEditing] = useState<boolean>(false);

-  const [isAdmin, setIsAdmin] = useState<boolean | null>(null);
-
  const loadUsers = useCallback(async (showLoadingState: boolean): Promise<void> => {
    try {
      if (showLoadingState) {
@@ -132,20 +129,6 @@ export default function UsersSettingsPage(): ReactElement {
    void loadUsers(true);
  }, [loadUsers]);

-  useEffect(() => {
-    fetchUserWorkspaces()
-      .then((workspaces) => {
-        const adminRoles: WorkspaceMemberRole[] = [
-          WorkspaceMemberRole.OWNER,
-          WorkspaceMemberRole.ADMIN,
-        ];
-        setIsAdmin(workspaces.some((ws) => adminRoles.includes(ws.role)));
-      })
-      .catch(() => {
-        setIsAdmin(true); // fail open
-      });
-  }, []);
-
  function resetInviteForm(): void {
    setInviteForm(INITIAL_INVITE_FORM);
    setInviteError(null);
@@ -229,17 +212,6 @@ export default function UsersSettingsPage(): ReactElement {
    }
  }

-  if (isAdmin === false) {
-    return (
-      <div className="p-8 max-w-2xl">
-        <div className="rounded-lg border border-red-200 bg-red-50 p-6 text-center">
-          <p className="text-lg font-semibold text-red-700">Access Denied</p>
-          <p className="mt-2 text-sm text-red-600">You need Admin or Owner role to manage users.</p>
-        </div>
-      </div>
-    );
-  }
-
  return (
    <div className="max-w-6xl mx-auto p-6 space-y-6">
      <div className="flex items-start justify-between gap-4">