
Conversation

@tjementum
Member

Summary & Motivation

Add user session management functionality allowing users to view and revoke active sessions across all devices and accounts. Sessions are queried across all accounts for the user's email address using unfiltered repository methods and displayed with device information, browser details, IP address, and account name in a modal dialog accessible from the user menu. Each session can be individually revoked with confirmation dialogs to prevent accidental sign-outs. Session revocation validates ownership by email instead of user ID, ensuring users can revoke sessions across all their accounts.

The implementation includes a critical security fix discovered during development:

  • Fix session lifetime extension vulnerability: Switching accounts previously created a new 90-day session, allowing infinite session extension. The current session is now revoked when switching accounts, and the new session preserves the original expiry date through a computed ExpiresAt property on the Session aggregate and token generation overloads that accept custom expiry parameters.

Backend changes include session revocation endpoints with tests, repository methods for unfiltered session queries, SwitchTenant added to SessionRevokedReason enum, and RefreshTokenGenerator.ValidForHours made public as the single source of truth. Frontend changes include SessionsModal component with device type detection, user agent parsing, Smart Date formatting, confirmation dialogs, and E2E tests covering session viewing, individual revocation, and cross-account scenarios.

Checklist

  • I have added tests, or done manual regression tests
  • I have updated the documentation, if necessary
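The session lifetime extension bug described above, modelled as an added example (not PlatformPlatform's code): a session with a computed expiry, the old switch behaviour beside the fixed one, and a simulation showing that repeated account switches no longer extend the refresh-token lifetime. The lifetime constant, the SessionRevokedReason values and the sign-in date are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

VALID_FOR_HOURS = 90 * 24  # refresh-token lifetime, single source of truth (90 days per the PR)


class SessionRevokedReason(Enum):
    USER_REQUESTED = "UserRequested"
    SWITCH_TENANT = "SwitchTenant"


@dataclass
class Session:
    email: str
    tenant_id: str
    created_at: datetime
    custom_expires_at: Optional[datetime] = None  # set when expiry is inherited from a prior session
    revoked_reason: Optional[SessionRevokedReason] = None

    @property
    def expires_at(self) -> datetime:
        # Computed property: an inherited expiry takes precedence over the default lifetime.
        return self.custom_expires_at or self.created_at + timedelta(hours=VALID_FOR_HOURS)


def switch_tenant_vulnerable(current: Session, tenant_id: str, now: datetime) -> Session:
    # Old behaviour: a fresh full-lifetime session, and the old session stays valid.
    return Session(current.email, tenant_id, created_at=now)


def switch_tenant_fixed(current: Session, tenant_id: str, now: datetime) -> Session:
    # Fixed behaviour: revoke the current session and carry its expiry over unchanged.
    current.revoked_reason = SessionRevokedReason.SWITCH_TENANT
    return Session(current.email, tenant_id, created_at=now, custom_expires_at=current.expires_at)


def lifetime_days(switch, interval_days: int = 30, max_hops: int = 10) -> int:
    """Switch accounts every interval_days; return how many days after sign-in the last session expires."""
    t0 = datetime(2026, 1, 7, tzinfo=timezone.utc)  # constructed sign-in time
    session = Session("user@example.com", "tenant-0", created_at=t0)
    for hop in range(1, max_hops + 1):
        now = t0 + timedelta(days=interval_days * hop)
        if now >= session.expires_at:
            break  # the session has expired, so there is nothing left to switch from
        session = switch(session, f"tenant-{hop}", now)
    return (session.expires_at - t0).days


if __name__ == "__main__":
    print(lifetime_days(switch_tenant_vulnerable), lifetime_days(switch_tenant_fixed))  # 390 90
```

With the old behaviour ten switches push expiry out to day 390 and could continue indefinitely; with the fix the chain stops at the original 90-day boundary.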

@tjementum tjementum self-assigned this Jan 7, 2026
@tjementum tjementum added Bug Something isn't working Enhancement New feature or request labels Jan 7, 2026

linear bot commented Jan 7, 2026


sonarqubecloud bot commented Jan 7, 2026

@tjementum tjementum merged commit 5536c05 into main Jan 7, 2026
28 checks passed
@tjementum tjementum deleted the pp-747-frontend-for-session-management branch January 7, 2026 01:53
@github-project-automation github-project-automation bot moved this to ✅ Done in Kanban board Jan 7, 2026