fix: session invalid issue (#9301)

* feat(auth): Enhanced device login session management

- Upon login, obtain and verify `Client-Id` to ensure unique device sessions.
- If there are too many device sessions, clean up old ones according to the configured policy or return an error.
- If a device session is invalid, deregister the old token and return a 401 error.
- Added `EnsureActiveOnLogin` function to handle the creation and refresh of device sessions during login.

* feat(session): Modified session deletion logic to mark sessions as inactive.

- Changed session deletion logic to mark sessions as inactive using the `MarkInactive` method.
- Adjusted error handling to ensure an error is returned if marking fails.

* feat(session): Added device limits and eviction policies

- Added a device limit, controlling the maximum number of devices using the `MaxDevices` configuration option.
- If the number of devices exceeds the limit, the configured eviction policy is used.
- If the policy is `evict_oldest`, the oldest device is evicted.
- Otherwise, an error message indicating too many devices is returned.

* refactor(session): Filter for the user's oldest active session

- Renamed `GetOldestSession` to `GetOldestActiveSession` to more accurately reflect its functionality
- Updated the SQL query to add the `status = SessionActive` condition to retrieve only active sessions
- Replaced all callpoints and unified the new function name to ensure logical consistency

README.md

@@ -121,8 +121,6 @@ https://alistgo.com/guide/sponsor.html
 ### Special sponsors
 
 - [VidHub](https://apps.apple.com/app/apple-store/id1659622164?pt=118612019&ct=alist&mt=8) - An elegant cloud video player within the Apple ecosystem. Support for iPhone, iPad, Mac, and Apple TV.
-- [亚洲云](https://www.asiayun.com/aff/QQCOOQKZ) - 高防服务器|服务器租用|福州高防|广东电信|香港服务器|美国服务器|海外服务器 - 国内靠谱的企业级云计算服务提供商 (sponsored Chinese API server)
-- [找资源](http://zhaoziyuan2.cc/) - 阿里云盘资源搜索引擎
 
 ## Contributors
 

README_cn.md

@@ -118,8 +118,6 @@ AList 是一个开源软件，如果你碰巧喜欢这个项目，并希望我
 ### 特别赞助
 
 - [VidHub](https://apps.apple.com/app/apple-store/id1659622164?pt=118612019&ct=alist&mt=8) - 苹果生态下优雅的网盘视频播放器，iPhone，iPad，Mac，Apple TV全平台支持。
-- [亚洲云](https://www.asiayun.com/aff/QQCOOQKZ) - 高防服务器|服务器租用|福州高防|广东电信|香港服务器|美国服务器|海外服务器 - 国内靠谱的企业级云计算服务提供商 (国内API服务器赞助)
-- [找资源](http://zhaoziyuan2.cc/) - 阿里云盘资源搜索引擎
 
 ## 贡献者
 

README_ja.md

@@ -120,8 +120,6 @@ https://alistgo.com/guide/sponsor.html
 ### スペシャルスポンサー
 
 - [VidHub](https://apps.apple.com/app/apple-store/id1659622164?pt=118612019&ct=alist&mt=8) - An elegant cloud video player within the Apple ecosystem. Support for iPhone, iPad, Mac, and Apple TV.
-- [亚洲云](https://www.asiayun.com/aff/QQCOOQKZ) - 高防服务器|服务器租用|福州高防|广东电信|香港服务器|美国服务器|海外服务器 - 国内靠谱的企业级云计算服务提供商 (sponsored Chinese API server)
-- [找资源](http://zhaoziyuan2.cc/) - 阿里云盘资源搜索引擎
 
 ## コントリビューター
 

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/KirCute/ftpserverlib-pasvportmap v1.25.0
 	github.com/KirCute/sftpd-alist v0.0.12
 	github.com/ProtonMail/go-crypto v1.0.0
-	github.com/SheltonZhu/115driver v1.0.34
+	github.com/SheltonZhu/115driver v1.1.2
 	github.com/Xhofe/go-cache v0.0.0-20240804043513-b1a71927bc21
 	github.com/Xhofe/rateg v0.0.0-20230728072201-251a4e1adad4
 	github.com/alist-org/gofakes3 v0.0.7
@@ -265,4 +265,4 @@ require (
 	lukechampine.com/blake3 v1.1.7 // indirect
 )
 
-// replace github.com/xhofe/115-sdk-go => ../../xhofe/115-sdk-go
+replace github.com/SheltonZhu/115driver => github.com/okatu-loli/115driver v1.1.2

go.sum

@@ -46,8 +46,6 @@ github.com/RoaringBitmap/roaring v1.9.3 h1:t4EbC5qQwnisr5PrP9nt0IRhRTb9gMUgQF4t4
 github.com/RoaringBitmap/roaring v1.9.3/go.mod h1:6AXUsoIEzDTFFQCe1RbGA6uFONMhvejWj5rqITANK90=
 github.com/STARRY-S/zip v0.2.1 h1:pWBd4tuSGm3wtpoqRZZ2EAwOmcHK6XFf7bU9qcJXyFg=
 github.com/STARRY-S/zip v0.2.1/go.mod h1:xNvshLODWtC4EJ702g7cTYn13G53o1+X9BWnPFpcWV4=
-github.com/SheltonZhu/115driver v1.0.34 h1:zhMLp4vgq7GksqvSxQQDOVfK6EOHldQl4b2n8tnZ+EE=
-github.com/SheltonZhu/115driver v1.0.34/go.mod h1:rKvNd4Y4OkXv1TMbr/SKjGdcvMQxh6AW5Tw9w0CJb7E=
 github.com/Unknwon/goconfig v1.0.0 h1:9IAu/BYbSLQi8puFjUQApZTxIHqSwrj5d8vpP8vTq4A=
 github.com/Unknwon/goconfig v1.0.0/go.mod h1:wngxua9XCNjvHjDiTiV26DaKDT+0c63QR6H5hjVUUxw=
 github.com/Xhofe/go-cache v0.0.0-20240804043513-b1a71927bc21 h1:h6q5E9aMBhhdqouW81LozVPI1I+Pu6IxL2EKpfm5OjY=
@@ -490,6 +488,8 @@ github.com/ncw/swift/v2 v2.0.3 h1:8R9dmgFIWs+RiVlisCEfiQiik1hjuR0JnOkLxaP9ihg=
 github.com/ncw/swift/v2 v2.0.3/go.mod h1:cbAO76/ZwcFrFlHdXPjaqWZ9R7Hdar7HpjRXBfbjigk=
 github.com/nwaples/rardecode/v2 v2.0.0-beta.4.0.20241112120701-034e449c6e78 h1:MYzLheyVx1tJVDqfu3YnN4jtnyALNzLvwl+f58TcvQY=
 github.com/nwaples/rardecode/v2 v2.0.0-beta.4.0.20241112120701-034e449c6e78/go.mod h1:yntwv/HfMc/Hbvtq9I19D1n58te3h6KsqCf3GxyfBGY=
+github.com/okatu-loli/115driver v1.1.2 h1:XZT3r/51SZRQGzre2IeA+0/k4T1FneqArdhE4Wd600Q=
+github.com/okatu-loli/115driver v1.1.2/go.mod h1:rKvNd4Y4OkXv1TMbr/SKjGdcvMQxh6AW5Tw9w0CJb7E=
 github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU=
 github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w=
 github.com/otiai10/mint v1.5.1 h1:XaPLeE+9vGbuyEHem1JNk3bYc7KKqyI/na0/mLd/Kks=

internal/bootstrap/data/setting.go

@@ -165,6 +165,9 @@ func InitialSettings() []model.SettingItem {
 		{Key: conf.ForwardDirectLinkParams, Value: "false", Type: conf.TypeBool, Group: model.GLOBAL},
 		{Key: conf.IgnoreDirectLinkParams, Value: "sign,alist_ts", Type: conf.TypeString, Group: model.GLOBAL},
 		{Key: conf.WebauthnLoginEnabled, Value: "false", Type: conf.TypeBool, Group: model.GLOBAL, Flag: model.PUBLIC},
+		{Key: conf.MaxDevices, Value: "0", Type: conf.TypeNumber, Group: model.GLOBAL},
+		{Key: conf.DeviceEvictPolicy, Value: "deny", Type: conf.TypeSelect, Options: "deny,evict_oldest", Group: model.GLOBAL},
+		{Key: conf.DeviceSessionTTL, Value: "86400", Type: conf.TypeNumber, Group: model.GLOBAL},
 
 		// single settings
 		{Key: conf.Token, Value: token, Type: conf.TypeString, Group: model.SINGLE, Flag: model.PRIVATE},

internal/conf/const.go

@@ -48,6 +48,9 @@ const (
 	ForwardDirectLinkParams = "forward_direct_link_params"
 	IgnoreDirectLinkParams  = "ignore_direct_link_params"
 	WebauthnLoginEnabled    = "webauthn_login_enabled"
+	MaxDevices              = "max_devices"
+	DeviceEvictPolicy       = "device_evict_policy"
+	DeviceSessionTTL        = "device_session_ttl"
 
 	// index
 	SearchIndex     = "search_index"

internal/db/db.go

@@ -12,7 +12,7 @@ var db *gorm.DB
 
 func Init(d *gorm.DB) {
 	db = d
-	err := AutoMigrate(new(model.Storage), new(model.User), new(model.Meta), new(model.SettingItem), new(model.SearchNode), new(model.TaskItem), new(model.SSHPublicKey), new(model.Role), new(model.Label), new(model.LabelFileBinding), new(model.ObjFile))
+	err := AutoMigrate(new(model.Storage), new(model.User), new(model.Meta), new(model.SettingItem), new(model.SearchNode), new(model.TaskItem), new(model.SSHPublicKey), new(model.Role), new(model.Label), new(model.LabelFileBinding), new(model.ObjFile), new(model.Session))
 	if err != nil {
 		log.Fatalf("failed migrate database: %s", err.Error())
 	}

internal/db/session.go

@@ -0,0 +1,69 @@
+package db
+
+import (
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/pkg/errors"
+	"gorm.io/gorm/clause"
+)
+
+func GetSession(userID uint, deviceKey string) (*model.Session, error) {
+	s := model.Session{UserID: userID, DeviceKey: deviceKey}
+	if err := db.Select("user_id, device_key, last_active, status, user_agent, ip").Where(&s).First(&s).Error; err != nil {
+		return nil, errors.Wrap(err, "failed find session")
+	}
+	return &s, nil
+}
+
+func CreateSession(s *model.Session) error {
+	return errors.WithStack(db.Create(s).Error)
+}
+
+func UpsertSession(s *model.Session) error {
+	return errors.WithStack(db.Clauses(clause.OnConflict{UpdateAll: true}).Create(s).Error)
+}
+
+func DeleteSession(userID uint, deviceKey string) error {
+	return errors.WithStack(db.Where("user_id = ? AND device_key = ?", userID, deviceKey).Delete(&model.Session{}).Error)
+}
+
+func CountActiveSessionsByUser(userID uint) (int64, error) {
+	var count int64
+	err := db.Model(&model.Session{}).
+		Where("user_id = ? AND status = ?", userID, model.SessionActive).
+		Count(&count).Error
+	return count, errors.WithStack(err)
+}
+
+func DeleteSessionsBefore(ts int64) error {
+	return errors.WithStack(db.Where("last_active < ?", ts).Delete(&model.Session{}).Error)
+}
+
+// GetOldestActiveSession returns the oldest active session for the specified user.
+func GetOldestActiveSession(userID uint) (*model.Session, error) {
+	var s model.Session
+	if err := db.Where("user_id = ? AND status = ?", userID, model.SessionActive).
+		Order("last_active ASC").First(&s).Error; err != nil {
+		return nil, errors.Wrap(err, "failed get oldest active session")
+	}
+	return &s, nil
+}
+
+func UpdateSessionLastActive(userID uint, deviceKey string, lastActive int64) error {
+	return errors.WithStack(db.Model(&model.Session{}).Where("user_id = ? AND device_key = ?", userID, deviceKey).Update("last_active", lastActive).Error)
+}
+
+func ListSessionsByUser(userID uint) ([]model.Session, error) {
+	var sessions []model.Session
+	err := db.Select("user_id, device_key, last_active, status, user_agent, ip").Where("user_id = ? AND status = ?", userID, model.SessionActive).Find(&sessions).Error
+	return sessions, errors.WithStack(err)
+}
+
+func ListSessions() ([]model.Session, error) {
+	var sessions []model.Session
+	err := db.Select("user_id, device_key, last_active, status, user_agent, ip").Where("status = ?", model.SessionActive).Find(&sessions).Error
+	return sessions, errors.WithStack(err)
+}
+
+func MarkInactive(sessionID string) error {
+	return errors.WithStack(db.Model(&model.Session{}).Where("device_key = ?", sessionID).Update("status", model.SessionInactive).Error)
+}

internal/device/session.go

@@ -0,0 +1,138 @@
+package device
+
+import (
+	"time"
+
+	"github.com/alist-org/alist/v3/internal/conf"
+	"github.com/alist-org/alist/v3/internal/db"
+	"github.com/alist-org/alist/v3/internal/errs"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/setting"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	"github.com/pkg/errors"
+	"gorm.io/gorm"
+)
+
+// Handle verifies device sessions for a user and upserts current session.
+func Handle(userID uint, deviceKey, ua, ip string) error {
+	ttl := setting.GetInt(conf.DeviceSessionTTL, 86400)
+	if ttl > 0 {
+		_ = db.DeleteSessionsBefore(time.Now().Unix() - int64(ttl))
+	}
+
+	ip = utils.MaskIP(ip)
+
+	now := time.Now().Unix()
+	sess, err := db.GetSession(userID, deviceKey)
+	if err == nil {
+		if sess.Status == model.SessionInactive {
+			return errors.WithStack(errs.SessionInactive)
+		}
+		sess.Status = model.SessionActive
+		sess.LastActive = now
+		sess.UserAgent = ua
+		sess.IP = ip
+		return db.UpsertSession(sess)
+	}
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		return err
+	}
+
+	max := setting.GetInt(conf.MaxDevices, 0)
+	if max > 0 {
+		count, err := db.CountActiveSessionsByUser(userID)
+		if err != nil {
+			return err
+		}
+		if count >= int64(max) {
+			policy := setting.GetStr(conf.DeviceEvictPolicy, "deny")
+			if policy == "evict_oldest" {
+				if oldest, err := db.GetOldestActiveSession(userID); err == nil {
+					if err := db.MarkInactive(oldest.DeviceKey); err != nil {
+						return err
+					}
+				}
+			} else {
+				return errors.WithStack(errs.TooManyDevices)
+			}
+		}
+	}
+
+	s := &model.Session{UserID: userID, DeviceKey: deviceKey, UserAgent: ua, IP: ip, LastActive: now, Status: model.SessionActive}
+	return db.CreateSession(s)
+}
+
+// EnsureActiveOnLogin is used only in login flow:
+// - If session exists (even Inactive): reactivate and refresh fields.
+// - If not exists: apply max-devices policy, then create Active session.
+func EnsureActiveOnLogin(userID uint, deviceKey, ua, ip string) error {
+	ip = utils.MaskIP(ip)
+	now := time.Now().Unix()
+
+	sess, err := db.GetSession(userID, deviceKey)
+	if err == nil {
+		if sess.Status == model.SessionInactive {
+			max := setting.GetInt(conf.MaxDevices, 0)
+			if max > 0 {
+				count, err := db.CountActiveSessionsByUser(userID)
+				if err != nil {
+					return err
+				}
+				if count >= int64(max) {
+					policy := setting.GetStr(conf.DeviceEvictPolicy, "deny")
+					if policy == "evict_oldest" {
+						if oldest, gerr := db.GetOldestActiveSession(userID); gerr == nil {
+							if err := db.MarkInactive(oldest.DeviceKey); err != nil {
+								return err
+							}
+						}
+					} else {
+						return errors.WithStack(errs.TooManyDevices)
+					}
+				}
+			}
+		}
+		sess.Status = model.SessionActive
+		sess.LastActive = now
+		sess.UserAgent = ua
+		sess.IP = ip
+		return db.UpsertSession(sess)
+	}
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		return err
+	}
+
+	max := setting.GetInt(conf.MaxDevices, 0)
+	if max > 0 {
+		count, err := db.CountActiveSessionsByUser(userID)
+		if err != nil {
+			return err
+		}
+		if count >= int64(max) {
+			policy := setting.GetStr(conf.DeviceEvictPolicy, "deny")
+			if policy == "evict_oldest" {
+				if oldest, gerr := db.GetOldestActiveSession(userID); gerr == nil {
+					if err := db.MarkInactive(oldest.DeviceKey); err != nil {
+						return err
+					}
+				}
+			} else {
+				return errors.WithStack(errs.TooManyDevices)
+			}
+		}
+	}
+
+	return db.CreateSession(&model.Session{
+		UserID:     userID,
+		DeviceKey:  deviceKey,
+		UserAgent:  ua,
+		IP:         ip,
+		LastActive: now,
+		Status:     model.SessionActive,
+	})
+}
+
+// Refresh updates last_active for the session.
+func Refresh(userID uint, deviceKey string) {
+	_ = db.UpdateSessionLastActive(userID, deviceKey, time.Now().Unix())
+}

internal/errs/device.go

@@ -0,0 +1,8 @@
+package errs
+
+import "errors"
+
+var (
+	TooManyDevices  = errors.New("too many active devices")
+	SessionInactive = errors.New("session inactive")
+)

internal/model/session.go

@@ -0,0 +1,16 @@
+package model
+
+// Session represents a device session of a user.
+type Session struct {
+	UserID     uint   `json:"user_id" gorm:"index"`
+	DeviceKey  string `json:"device_key" gorm:"primaryKey;size:64"`
+	UserAgent  string `json:"user_agent" gorm:"size:255"`
+	IP         string `json:"ip" gorm:"size:64"`
+	LastActive int64  `json:"last_active"`
+	Status     int    `json:"status"`
+}
+
+const (
+	SessionActive = iota
+	SessionInactive
+)

internal/session/session.go

@@ -0,0 +1,8 @@
+package session
+
+import "github.com/alist-org/alist/v3/internal/db"
+
+// MarkInactive marks the session with the given ID as inactive.
+func MarkInactive(sessionID string) error {
+	return db.MarkInactive(sessionID)
+}

pkg/utils/mask.go

@@ -0,0 +1,30 @@
+package utils
+
+import "strings"
+
+// MaskIP anonymizes middle segments of an IP address.
+func MaskIP(ip string) string {
+	if ip == "" {
+		return ""
+	}
+	if strings.Contains(ip, ":") {
+		parts := strings.Split(ip, ":")
+		if len(parts) > 2 {
+			for i := 1; i < len(parts)-1; i++ {
+				if parts[i] != "" {
+					parts[i] = "*"
+				}
+			}
+			return strings.Join(parts, ":")
+		}
+		return ip
+	}
+	parts := strings.Split(ip, ".")
+	if len(parts) == 4 {
+		for i := 1; i < len(parts)-1; i++ {
+			parts[i] = "*"
+		}
+		return strings.Join(parts, ".")
+	}
+	return ip
+}

server/handles/auth.go

@@ -3,6 +3,8 @@ package handles
 import (
 	"bytes"
 	"encoding/base64"
+	"errors"
+	"fmt"
 	"image/png"
 	"path"
 	"strings"
@@ -10,9 +12,13 @@ import (
 
 	"github.com/Xhofe/go-cache"
 	"github.com/alist-org/alist/v3/internal/conf"
+	"github.com/alist-org/alist/v3/internal/device"
+	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/internal/session"
 	"github.com/alist-org/alist/v3/internal/setting"
+	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/alist-org/alist/v3/server/common"
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -81,13 +87,30 @@ func loginHash(c *gin.Context, req *LoginReq) {
 			return
 		}
 	}
+
+	clientID := c.GetHeader("Client-Id")
+	if clientID == "" {
+		clientID = c.Query("client_id")
+	}
+	key := utils.GetMD5EncodeStr(fmt.Sprintf("%d-%s",
+		user.ID, clientID))
+
+	if err := device.EnsureActiveOnLogin(user.ID, key, c.Request.UserAgent(), c.ClientIP()); err != nil {
+		if errors.Is(err, errs.TooManyDevices) {
+			common.ErrorResp(c, err, 403)
+		} else {
+			common.ErrorResp(c, err, 400, true)
+		}
+		return
+	}
+
 	// generate token
 	token, err := common.GenerateToken(user)
 	if err != nil {
 		common.ErrorResp(c, err, 400, true)
 		return
 	}
-	common.SuccessResp(c, gin.H{"token": token})
+	common.SuccessResp(c, gin.H{"token": token, "device_key": key})
 	loginCache.Del(ip)
 }
 
@@ -247,6 +270,13 @@ func Verify2FA(c *gin.Context) {
 }
 
 func LogOut(c *gin.Context) {
+	if keyVal, ok := c.Get("device_key"); ok {
+		if err := session.MarkInactive(keyVal.(string)); err != nil {
+			common.ErrorResp(c, err, 500)
+			return
+		}
+		c.Set("session_inactive", true)
+	}
 	err := common.InvalidateToken(c.GetHeader("Authorization"))
 	if err != nil {
 		common.ErrorResp(c, err, 500)

server/handles/search.go

@@ -43,28 +43,39 @@ func Search(c *gin.Context) {
 		common.ErrorResp(c, err, 400)
 		return
 	}
-	nodes, total, err := search.Search(c, req.SearchReq)
-	if err != nil {
-		common.ErrorResp(c, err, 500)
-		return
-	}
-	var filteredNodes []model.SearchNode
-	for _, node := range nodes {
-		if !strings.HasPrefix(node.Parent, user.BasePath) {
-			continue
+	var (
+		filteredNodes []model.SearchNode
+	)
+	for len(filteredNodes) < req.PerPage {
+		nodes, _, err := search.Search(c, req.SearchReq)
+		if err != nil {
+			common.ErrorResp(c, err, 500)
+			return
 		}
-		meta, err := op.GetNearestMeta(node.Parent)
-		if err != nil && !errors.Is(errors.Cause(err), errs.MetaNotFound) {
-			continue
+		if len(nodes) == 0 {
+			break
 		}
-		if !common.CanAccessWithRoles(user, meta, path.Join(node.Parent, node.Name), req.Password) {
-			continue
+		for _, node := range nodes {
+			if !strings.HasPrefix(node.Parent, user.BasePath) {
+				continue
+			}
+			meta, err := op.GetNearestMeta(node.Parent)
+			if err != nil && !errors.Is(errors.Cause(err), errs.MetaNotFound) {
+				continue
+			}
+			if !common.CanAccessWithRoles(user, meta, path.Join(node.Parent, node.Name), req.Password) {
+				continue
+			}
+			filteredNodes = append(filteredNodes, node)
+			if len(filteredNodes) >= req.PerPage {
+				break
+			}
 		}
-		filteredNodes = append(filteredNodes, node)
+		req.Page++
 	}
 	common.SuccessResp(c, common.PageResp{
 		Content: utils.MustSliceConvert(filteredNodes, nodeToSearchResp),
-		Total:   total,
+		Total:   int64(len(filteredNodes)),
 	})
 }
 

server/handles/session.go

@@ -0,0 +1,92 @@
+package handles
+
+import (
+	"github.com/alist-org/alist/v3/internal/db"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/server/common"
+	"github.com/gin-gonic/gin"
+)
+
+type SessionResp struct {
+	SessionID  string `json:"session_id"`
+	UserID     uint   `json:"user_id,omitempty"`
+	LastActive int64  `json:"last_active"`
+	Status     int    `json:"status"`
+	UA         string `json:"ua"`
+	IP         string `json:"ip"`
+}
+
+func ListMySessions(c *gin.Context) {
+	user := c.MustGet("user").(*model.User)
+	sessions, err := db.ListSessionsByUser(user.ID)
+	if err != nil {
+		common.ErrorResp(c, err, 500)
+		return
+	}
+	resp := make([]SessionResp, len(sessions))
+	for i, s := range sessions {
+		resp[i] = SessionResp{
+			SessionID:  s.DeviceKey,
+			LastActive: s.LastActive,
+			Status:     s.Status,
+			UA:         s.UserAgent,
+			IP:         s.IP,
+		}
+	}
+	common.SuccessResp(c, resp)
+}
+
+type EvictSessionReq struct {
+	SessionID string `json:"session_id"`
+}
+
+func EvictMySession(c *gin.Context) {
+	var req EvictSessionReq
+	if err := c.ShouldBindJSON(&req); err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
+	user := c.MustGet("user").(*model.User)
+	if _, err := db.GetSession(user.ID, req.SessionID); err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
+	if err := db.MarkInactive(req.SessionID); err != nil {
+		common.ErrorResp(c, err, 500)
+		return
+	}
+	common.SuccessResp(c)
+}
+
+func ListSessions(c *gin.Context) {
+	sessions, err := db.ListSessions()
+	if err != nil {
+		common.ErrorResp(c, err, 500)
+		return
+	}
+	resp := make([]SessionResp, len(sessions))
+	for i, s := range sessions {
+		resp[i] = SessionResp{
+			SessionID:  s.DeviceKey,
+			UserID:     s.UserID,
+			LastActive: s.LastActive,
+			Status:     s.Status,
+			UA:         s.UserAgent,
+			IP:         s.IP,
+		}
+	}
+	common.SuccessResp(c, resp)
+}
+
+func EvictSession(c *gin.Context) {
+	var req EvictSessionReq
+	if err := c.ShouldBindJSON(&req); err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
+	if err := db.MarkInactive(req.SessionID); err != nil {
+		common.ErrorResp(c, err, 500)
+		return
+	}
+	common.SuccessResp(c)
+}

server/handles/user.go

@@ -1,9 +1,10 @@
 package handles
 
 import (
-	"github.com/alist-org/alist/v3/pkg/utils"
 	"strconv"
 
+	"github.com/alist-org/alist/v3/pkg/utils"
+
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/server/common"
@@ -97,6 +98,14 @@ func UpdateUser(c *gin.Context) {
 			return
 		}
 	}
+
+	if !utils.SliceEqual(user.Role, req.Role) {
+		if req.IsAdmin() || req.IsGuest() {
+			common.ErrorStrResp(c, "cannot assign admin or guest role to user", 400, true)
+			return
+		}
+	}
+
 	if err := op.UpdateUser(&req); err != nil {
 		common.ErrorResp(c, err, 500)
 	} else {

server/middlewares/auth.go

@@ -2,12 +2,16 @@ package middlewares
 
 import (
 	"crypto/subtle"
+	"errors"
 	"fmt"
 
 	"github.com/alist-org/alist/v3/internal/conf"
+	"github.com/alist-org/alist/v3/internal/device"
+	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/internal/setting"
+	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/alist-org/alist/v3/server/common"
 	"github.com/gin-gonic/gin"
 	log "github.com/sirupsen/logrus"
@@ -24,7 +28,9 @@ func Auth(c *gin.Context) {
 			c.Abort()
 			return
 		}
-		c.Set("user", admin)
+		if !HandleSession(c, admin) {
+			return
+		}
 		log.Debugf("use admin token: %+v", admin)
 		c.Next()
 		return
@@ -50,7 +56,9 @@ func Auth(c *gin.Context) {
 			}
 			guest.RolesDetail = roles
 		}
-		c.Set("user", guest)
+		if !HandleSession(c, guest) {
+			return
+		}
 		log.Debugf("use empty token: %+v", guest)
 		c.Next()
 		return
@@ -87,11 +95,36 @@ func Auth(c *gin.Context) {
 		}
 		user.RolesDetail = roles
 	}
-	c.Set("user", user)
+	if !HandleSession(c, user) {
+		return
+	}
 	log.Debugf("use login token: %+v", user)
 	c.Next()
 }
 
+// HandleSession verifies device sessions and stores context values.
+func HandleSession(c *gin.Context, user *model.User) bool {
+	clientID := c.GetHeader("Client-Id")
+	if clientID == "" {
+		clientID = c.Query("client_id")
+	}
+	key := utils.GetMD5EncodeStr(fmt.Sprintf("%d-%s", user.ID, clientID))
+	if err := device.Handle(user.ID, key, c.Request.UserAgent(), c.ClientIP()); err != nil {
+		token := c.GetHeader("Authorization")
+		if errors.Is(err, errs.SessionInactive) {
+			_ = common.InvalidateToken(token)
+			common.ErrorResp(c, err, 401)
+		} else {
+			common.ErrorResp(c, err, 403)
+		}
+		c.Abort()
+		return false
+	}
+	c.Set("device_key", key)
+	c.Set("user", user)
+	return true
+}
+
 func Authn(c *gin.Context) {
 	token := c.GetHeader("Authorization")
 	if subtle.ConstantTimeCompare([]byte(token), []byte(setting.GetStr(conf.Token))) == 1 {

server/middlewares/session_refresh.go

@@ -0,0 +1,26 @@
+package middlewares
+
+import (
+	"github.com/alist-org/alist/v3/internal/device"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/gin-gonic/gin"
+)
+
+// SessionRefresh updates session's last_active after successful requests.
+func SessionRefresh(c *gin.Context) {
+	c.Next()
+	if c.Writer.Status() >= 400 {
+		return
+	}
+	if inactive, ok := c.Get("session_inactive"); ok {
+		if b, ok := inactive.(bool); ok && b {
+			return
+		}
+	}
+	userVal, uok := c.Get("user")
+	keyVal, kok := c.Get("device_key")
+	if uok && kok {
+		user := userVal.(*model.User)
+		device.Refresh(user.ID, keyVal.(string))
+	}
+}

server/router.go

@@ -22,6 +22,7 @@ func Init(e *gin.Engine) {
 		})
 	}
 	Cors(e)
+	e.Use(middlewares.SessionRefresh)
 	g := e.Group(conf.URL.Path)
 	if conf.Conf.Scheme.HttpPort != -1 && conf.Conf.Scheme.HttpsPort != -1 && conf.Conf.Scheme.ForceHttps {
 		e.Use(middlewares.ForceHttps)
@@ -70,6 +71,8 @@ func Init(e *gin.Engine) {
 	auth.POST("/auth/2fa/generate", handles.Generate2FA)
 	auth.POST("/auth/2fa/verify", handles.Verify2FA)
 	auth.GET("/auth/logout", handles.LogOut)
+	auth.GET("/me/sessions", handles.ListMySessions)
+	auth.POST("/me/sessions/evict", handles.EvictMySession)
 
 	// auth
 	api.GET("/auth/sso", handles.SSOLoginRedirect)
@@ -184,6 +187,10 @@ func admin(g *gin.RouterGroup) {
 	labelFileBinding.POST("/delete", handles.DelLabelByFileName)
 	labelFileBinding.POST("/restore", handles.RestoreLabelFileBinding)
 
+	session := g.Group("/session")
+	session.GET("/list", handles.ListSessions)
+	session.POST("/evict", handles.EvictSession)
+
 }
 
 func _fs(g *gin.RouterGroup) {

server/webdav.go

@@ -3,6 +3,7 @@ package server
 import (
 	"context"
 	"crypto/subtle"
+	"fmt"
 	"net/http"
 	"net/url"
 	"path"
@@ -12,9 +13,11 @@ import (
 	"github.com/alist-org/alist/v3/server/middlewares"
 
 	"github.com/alist-org/alist/v3/internal/conf"
+	"github.com/alist-org/alist/v3/internal/device"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/internal/setting"
+	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/alist-org/alist/v3/server/common"
 	"github.com/alist-org/alist/v3/server/webdav"
 	"github.com/gin-gonic/gin"
@@ -69,6 +72,13 @@ func WebDAVAuth(c *gin.Context) {
 					c.Abort()
 					return
 				}
+				key := utils.GetMD5EncodeStr(fmt.Sprintf("%d-%s", admin.ID, c.ClientIP()))
+				if err := device.Handle(admin.ID, key, c.Request.UserAgent(), c.ClientIP()); err != nil {
+					c.Status(http.StatusForbidden)
+					c.Abort()
+					return
+				}
+				c.Set("device_key", key)
 				c.Set("user", admin)
 				c.Next()
 				return
@@ -146,6 +156,13 @@ func WebDAVAuth(c *gin.Context) {
 		c.Abort()
 		return
 	}
+	key := utils.GetMD5EncodeStr(fmt.Sprintf("%d-%s", user.ID, c.ClientIP()))
+	if err := device.Handle(user.ID, key, c.Request.UserAgent(), c.ClientIP()); err != nil {
+		c.Status(http.StatusForbidden)
+		c.Abort()
+		return
+	}
+	c.Set("device_key", key)
 	c.Set("user", user)
 	c.Next()
 }