(feat: `anon/backend`) : Session Management: Logout, Refresh, Device Revocation

[polopulao]

For any queries, or anything, join out [Telegram Group](https://t.me/shogenlabs) or contact [Poulav](https://t.me/impoulav), [Soham](https://t.me/tosoham) or [Rahul](https://t.me/darkdanate)

Title

Session Management: Logout, Refresh, Device Revocation

Description

• Type of Issue: Feature / Backend / API / Security

• Directory: anon/backend

• Task :

  • Endpoints: POST /auth/logout, POST /auth/refresh, GET /me/sessions, DELETE /me/sessions/{session_id}.
  • Rotate refresh tokens; HttpOnly cookies; revoke on logout or device removal.
  • Add IP/UA fingerprint (hashed) to sessions; expose last active time.

• Current:

  • Single sign-in flow only; no lifecycle controls.

• Expected:

  • Users can end sessions, refresh safely, and view their active devices.

---

[tusharshah21]

Hey @polopulao could take a look into it, can you assign this to me?

[Dprof-in-tech]

hello @polopulao @PoulavBhowmick03 , I am Isaac and I am a part of the OnlyDust fellowship. i would love to work on this issue. ETA 24 hours