GET /auth/sessions
List Sessions
curl --request GET \
  --url https://auth.nullpass.xyz/api/auth/sessions \
  --header 'Authorization: Bearer <token>'
{
  "sessions": [
    {
      "id": "<string>",
      "ip": "<string>",
      "userAgent": "<string>",
      "createdAt": "2023-11-07T05:31:56Z",
      "expiresAt": "2023-11-07T05:31:56Z"
    }
  ]
}

Endpoints

GET /api/auth/sessions
DELETE /api/auth/sessions

GET /api/auth/sessions

Retrieves all active (unexpired) sessions for the authenticated user. Stored IP addresses are decrypted before the response is returned.

Response

sessions (array): Array of active session objects

DELETE /api/auth/sessions

Deletes one or all sessions for the authenticated user.

Query Parameters

id (string, optional): Session ID to delete. If omitted, all of the user's sessions are deleted.

Response

success (boolean): Always true on success

Implementation Details

Code Reference

import { NextRequest } from 'next/server'
// handleCors, protectRoute, requireAuth, prisma, decryptIp, jsonResponse,
// errorResponse, logger and createAuditLog are the project's own helpers,
// imported from its internal modules (import paths are not shown here).

export async function GET(request: NextRequest) {
  // CORS preflight, abuse protection and authentication run before any query.
  const corsResponse = handleCors(request)
  if (corsResponse) return corsResponse

  const blocked = await protectRoute(request)
  if (blocked) return blocked

  const auth = await requireAuth(request)
  if ('error' in auth) return auth.error

  try {
    // Only the caller's own sessions, and only those that have not expired.
    const sessions = await prisma.session.findMany({
      where: {
        userId: auth.userId,
        expiresAt: { gt: new Date() },
      },
      orderBy: { createdAt: 'desc' },
      select: {
        id: true,
        ip: true,
        createdAt: true,
        expiresAt: true,
      },
    })

    // IPs are stored encrypted per user; decrypt them for display only.
    const sessionsWithDecryptedIp = sessions.map(session => ({
      ...session,
      ip: decryptIp(session.ip, auth.userId),
    }))

    return jsonResponse({ sessions: sessionsWithDecryptedIp }, 200, request.headers.get('origin'))
  } catch (error) {
    logger.error('Get sessions error:', error)
    return errorResponse('Internal server error', 500, request.headers.get('origin'))
  }
}

export async function DELETE(request: NextRequest) {
  const corsResponse = handleCors(request)
  if (corsResponse) return corsResponse

  const blocked = await protectRoute(request)
  if (blocked) return blocked

  const auth = await requireAuth(request)
  if ('error' in auth) return auth.error

  try {
    const { searchParams } = new URL(request.url)
    // searchParams.get returns null when the parameter is absent and '' for
    // "?id=", so both fall through to the delete-all branch below.
    const sessionId = searchParams.get('id')

    if (sessionId) {
      // userId is always part of the filter, so a session id that belongs to
      // another user matches no rows. The deleteMany count is not checked, so
      // success: true is returned even when nothing was deleted.
      await prisma.session.deleteMany({
        where: {
          id: sessionId,
          userId: auth.userId,
        },
      })
      await createAuditLog(auth.userId, 'SESSION_DELETE', {
        sessionId,
      })
    } else {
      // Removes every session of the caller, including the one making this
      // request, which signs the user out of all devices.
      await prisma.session.deleteMany({
        where: { userId: auth.userId },
      })
      await createAuditLog(auth.userId, 'USER_LOGOUT', {
        allSessions: true,
      })
    }

    return jsonResponse({ success: true }, 200, request.headers.get('origin'))
  } catch (error) {
    logger.error('Delete session error:', error)
    return errorResponse('Internal server error', 500, request.headers.get('origin'))
  }
}

Status Codes

200 OK: Success
401 Unauthorized: Missing or invalid authentication token

Example Requests

Get All Sessions

curl -X GET https://auth.nullpass.xyz/api/auth/sessions \
  -H "Authorization: Bearer YOUR_TOKEN"

Delete Specific Session

curl -X DELETE "https://auth.nullpass.xyz/api/auth/sessions?id=session_id_here" \
  -H "Authorization: Bearer YOUR_TOKEN"

Delete All Sessions

curl -X DELETE https://auth.nullpass.xyz/api/auth/sessions \
  -H "Authorization: Bearer YOUR_TOKEN"

Example Response (GET)

{
  "sessions": [
    {
      "id": "clx1234567890",
      "ip": "192.168.1.1",
      "createdAt": "2024-01-01T00:00:00.000Z",
      "expiresAt": "2024-01-08T00:00:00.000Z"
    },
    {
      "id": "clx0987654321",
      "ip": "10.0.0.1",
      "createdAt": "2024-01-02T00:00:00.000Z",
      "expiresAt": "2024-01-09T00:00:00.000Z"
    }
  ]
}

Security Notes

  • Only active (non-expired) sessions are returned
  • IP addresses are encrypted in the database but decrypted for display
  • Users can only view or delete their own sessions
  • Deleting all sessions effectively logs the user out of all devices, including the one that made the request
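The ownership scoping behind these notes, as an added example that is not the project's code: an in-memory model of the GET and DELETE where clauses above, run over constructed sample rows (the user ids, the third and fourth session ids and the fixed "now" are made up for the example).

```typescript
// Added example, not the project's code: models the ownership scoping of the
// sessions handlers with a plain array instead of Prisma.
interface SessionRow {
  id: string
  userId: string
  ip: string
  createdAt: Date
  expiresAt: Date
}

// Constructed sample rows: user_a has two live sessions and one expired one,
// user_b has one live session. "Now" is fixed so the results are deterministic.
const NOW = new Date('2024-01-05T00:00:00.000Z')
const sampleSessions: SessionRow[] = [
  { id: 'clx1234567890', userId: 'user_a', ip: '192.168.1.1',
    createdAt: new Date('2024-01-01T00:00:00.000Z'), expiresAt: new Date('2024-01-08T00:00:00.000Z') },
  { id: 'clx0987654321', userId: 'user_a', ip: '10.0.0.1',
    createdAt: new Date('2024-01-02T00:00:00.000Z'), expiresAt: new Date('2024-01-09T00:00:00.000Z') },
  { id: 'clx_expired_a', userId: 'user_a', ip: '10.0.0.2',
    createdAt: new Date('2023-12-20T00:00:00.000Z'), expiresAt: new Date('2023-12-27T00:00:00.000Z') },
  { id: 'clx_user_b_001', userId: 'user_b', ip: '10.0.0.3',
    createdAt: new Date('2024-01-03T00:00:00.000Z'), expiresAt: new Date('2024-01-10T00:00:00.000Z') },
]

// Mirrors the GET where clause: the caller's rows only, unexpired, newest first.
function listActiveSessions(rows: SessionRow[], userId: string, now: Date): SessionRow[] {
  return rows
    .filter(s => s.userId === userId && s.expiresAt.getTime() > now.getTime())
    .sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime())
}

// Mirrors the DELETE branch: userId is always part of the filter, so an id that
// belongs to another user matches nothing and the store is left unchanged.
// sessionId is null or '' when the query parameter is absent or empty, and the
// handler's `if (sessionId)` sends both cases to the delete-all branch.
// The handler discards deleteMany's count and always reports success: true;
// the count is returned here so the effect of each call can be checked.
function deleteSessions(rows: SessionRow[], userId: string, sessionId: string | null):
  { deleted: number; remaining: SessionRow[]; auditEvent: 'SESSION_DELETE' | 'USER_LOGOUT' } {
  const matches = (s: SessionRow) =>
    s.userId === userId && (!sessionId || s.id === sessionId)
  const remaining = rows.filter(s => !matches(s))
  return {
    deleted: rows.length - remaining.length,
    remaining,
    auditEvent: sessionId ? 'SESSION_DELETE' : 'USER_LOGOUT',
  }
}
```

Note that delete-all has no expiry filter, so it also removes rows that GET would already hide.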

Audit Events

  • SESSION_DELETE: Single session deleted (includes sessionId)
  • USER_LOGOUT: All sessions deleted (includes allSessions: true)

Authorizations

Authorization (string, header, required): Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Response

200 - application/json: List of sessions

sessions (object[])