Session Management
Feature Detail
Description
Session Management gives administrators visibility and control over active user sessions across the platform. Administrators can view all currently active sessions for users within their organization, including device type, IP address, location hint, and last activity time. They can revoke individual sessions or all sessions for a given user, immediately invalidating the associated refresh token chain. This capability supports incident response workflows where a compromised account must be locked out instantly without waiting for token expiry.
Analysis
Short-lived access tokens alone are insufficient during a security incident: if a refresh token is compromised, the attacker keeps access for as long as the token chain can be renewed, and with token rotation that is until an absolute session lifetime (if any) runs out. Forced session revocation closes this window immediately and is a standard control expected by enterprise and public-sector customers. On the Meander platform, where peer mentors may share devices or lose phones that hold stored tokens, coordinators and org admins need to invalidate sessions remotely without forcing a password reset. The feature also supports the GDPR right to erasure: when a user account is deactivated, every active session must be terminable on demand so that no residual access to personal data remains.
The sessions and refresh_tokens tables already exist in the schema. The SessionRevocationService implements soft deletion by setting a revoked_at timestamp on the refresh_tokens row and cascading to every child token rotated from it, so presenting any member of a revoked chain fails. Revocation blocks refresh only: access tokens already issued stay valid until they expire, so the lockout is bounded by the access-token lifetime unless resource servers also check session state. The API HTTP client in the mobile app handles a 401 response by attempting one token refresh; if the refresh token is also revoked, the client clears local credentials and redirects to the login screen. The Active Sessions page is a Next.js SSR page listing sessions per user with a revoke action. Revocation endpoints must require the caller to hold the Org Admin or Global Admin role, and every revocation (who revoked what, and when) must be written to the audit log. Bulk revocation (revoke all sessions for a user) should be a single atomic operation, i.e. one transaction over all of the user's rows, so a partial failure cannot leave some sessions live. Consider adding a last_seen_at column to sessions for display, updated at most once per interval (for example every few minutes) rather than on every API call.
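The following is an added example of the mechanics described above, written for this page and not taken from the Meander codebase. It assumes a hypothetical schema for sessions, refresh_tokens and an audit_log table (the column names, the org_admin/global_admin role strings and the five-minute last_seen_at throttle are all assumptions) and runs against in-memory SQLite. It goes one step beyond the page in one respect: a replayed refresh token that has already been rotated is treated as evidence of theft and its whole chain is revoked.

```python
# Added example, not the Meander project's code. Schema, column names, role strings
# and the last_seen_at throttle interval are assumptions made for this illustration.
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, user_id TEXT NOT NULL, last_seen_at TEXT, revoked_at TEXT);
CREATE TABLE refresh_tokens (id TEXT PRIMARY KEY, session_id TEXT NOT NULL REFERENCES sessions(id),
                             parent_id TEXT REFERENCES refresh_tokens(id), revoked_at TEXT);
CREATE TABLE audit_log (at TEXT, actor TEXT, action TEXT, target TEXT);
"""
ADMIN_ROLES = {"org_admin", "global_admin"}       # assumed role identifiers
LAST_SEEN_WRITE_INTERVAL = timedelta(minutes=5)   # assumed throttle for last_seen_at

def _now(): return datetime.now(timezone.utc)

class SessionRevocationService:
    def __init__(self, conn):
        self.conn = conn

    def _audit(self, actor, action, target):
        self.conn.execute("INSERT INTO audit_log VALUES (?,?,?,?)",
                          (_now().isoformat(), actor["id"], action, target))

    def _require_admin(self, actor):
        if actor["role"] not in ADMIN_ROLES:
            raise PermissionError("Org Admin or Global Admin role required")

    def _revoke_chain(self, token_id, ts):
        # Recursive CTE follows parent_id links: the token and every descendant rotated
        # from it are soft-deleted in one statement, then the owning session is closed.
        self.conn.execute("""
            WITH RECURSIVE chain(id) AS (
                SELECT id FROM refresh_tokens WHERE id = ? UNION ALL
                SELECT rt.id FROM refresh_tokens rt JOIN chain ON rt.parent_id = chain.id)
            UPDATE refresh_tokens SET revoked_at = ?
            WHERE revoked_at IS NULL AND id IN (SELECT id FROM chain)""", (token_id, ts))
        self.conn.execute("UPDATE sessions SET revoked_at = ? WHERE revoked_at IS NULL AND id = "
                          "(SELECT session_id FROM refresh_tokens WHERE id = ?)", (ts, token_id))

    def revoke_token_chain(self, actor, token_id):
        # Admin revocation of one session: cascade over its chain, then audit it.
        self._require_admin(actor)
        with self.conn:                                   # one transaction
            self._revoke_chain(token_id, _now().isoformat())
            self._audit(actor, "session.revoke", token_id)

    def revoke_all_for_user(self, actor, user_id):
        # Bulk revocation in a single transaction; returns how many tokens were revoked.
        self._require_admin(actor)
        ts = _now().isoformat()
        with self.conn:
            cur = self.conn.execute("""
                UPDATE refresh_tokens SET revoked_at = ? WHERE revoked_at IS NULL AND
                session_id IN (SELECT id FROM sessions WHERE user_id = ?)""", (ts, user_id))
            self.conn.execute("UPDATE sessions SET revoked_at = ? WHERE revoked_at IS NULL AND user_id = ?", (ts, user_id))
            self._audit(actor, "session.revoke_all", user_id)
        return cur.rowcount

    def refresh(self, token_id, new_token_id):
        # Rotate a refresh token: returns the child id, or None when the token is unknown,
        # revoked, or its session is closed (the client then clears credentials). Replaying
        # an already-rotated token is treated as theft and revokes its chain (added here).
        row = self.conn.execute("SELECT rt.session_id, rt.revoked_at FROM refresh_tokens rt "
                                "JOIN sessions s ON s.id = rt.session_id "
                                "WHERE rt.id = ? AND s.revoked_at IS NULL", (token_id,)).fetchone()
        if row is None or row[1] is not None:
            return None
        replayed = self.conn.execute("SELECT 1 FROM refresh_tokens WHERE parent_id = ?",
                                     (token_id,)).fetchone()
        with self.conn:
            if replayed:
                self._revoke_chain(token_id, _now().isoformat())
                self._audit({"id": "system"}, "session.reuse_detected", token_id)
                return None
            self.conn.execute("INSERT INTO refresh_tokens VALUES (?,?,?,NULL)",
                              (new_token_id, row[0], token_id))
        return new_token_id

    def touch_session(self, session_id, seen_at=None):
        # Write last_seen_at at most once per interval instead of on every API call.
        seen_at = datetime.fromisoformat(seen_at) if isinstance(seen_at, str) else seen_at or _now()
        row = self.conn.execute("SELECT last_seen_at FROM sessions WHERE id = ?",
                                (session_id,)).fetchone()
        if row is None or (row[0] and
                           seen_at - datetime.fromisoformat(row[0]) < LAST_SEEN_WRITE_INTERVAL):
            return False
        with self.conn:
            self.conn.execute("UPDATE sessions SET last_seen_at = ? WHERE id = ?",
                              (seen_at.isoformat(), session_id))
        return True

def build_demo():
    # Constructed sample data: one user, two devices, a three-token chain on the phone.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?,?,NULL,NULL)",
                     [("s-phone", "u1"), ("s-laptop", "u1")])
    conn.executemany("INSERT INTO refresh_tokens VALUES (?,?,?,NULL)",
                     [("t1", "s-phone", None), ("t2", "s-phone", "t1"),
                      ("t3", "s-phone", "t2"), ("l1", "s-laptop", None)])
    conn.commit()
    return SessionRevocationService(conn)
```

The recursive CTE is what makes the cascade a single statement rather than a loop in application code; the same `WITH RECURSIVE` form works on PostgreSQL. Because `_audit` runs inside the same `with self.conn:` block as the revocation, a revocation that fails to be logged is rolled back rather than silently unaudited.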
Components (41)
Shared Components
These components are reused across multiple features
User Interface (9)
Service Layer (15)
Data Layer (8)
Infrastructure (7)
User Stories
No user stories have been generated for this feature yet.