Merge pull request #1950 from Budibase/feature/user-session

Feature/user session
2021-07-08 16:05:51 +01:00 · 2021-07-08 16:05:51 +01:00 · 8a869a9859
parent 717d56c989 2bee348721
commit 8a869a9859
24 changed files with 311 additions and 71 deletions
--- a/packages/auth/cache.js
+++ b/packages/auth/cache.js
@ -0,0 +1,3 @@
+module.exports = {
+  user: require("./src/cache/user"),
+}
--- a/packages/auth/sessions.js
+++ b/packages/auth/sessions.js
@ -0,0 +1 @@
+module.exports = require("./src/security/sessions")
--- a/packages/auth/src/cache/user.js
+++ b/packages/auth/src/cache/user.js
@ -0,0 +1,21 @@
+const { getDB } = require("../db")
+const { StaticDatabases } = require("../db/utils")
+const redis = require("../redis/authRedis")
+
+const EXPIRY_SECONDS = 3600
+
+exports.getUser = async userId => {
+  const client = await redis.getUserClient()
+  // try cache
+  let user = await client.get(userId)
+  if (!user) {
+    user = await getDB(StaticDatabases.GLOBAL.name).get(userId)
+    client.store(userId, user, EXPIRY_SECONDS)
+  }
+  return user
+}
+
+exports.invalidateUser = async userId => {
+  const client = await redis.getUserClient()
+  await client.delete(userId)
+}
--- a/packages/auth/src/index.js
+++ b/packages/auth/src/index.js
@ -4,6 +4,7 @@ const JwtStrategy = require("passport-jwt").Strategy
 const { StaticDatabases } = require("./db/utils")
 const { jwt, local, authenticated, google, auditLog } = require("./middleware")
 const { setDB, getDB } = require("./db")
+const userCache = require("./cache/user")

 // Strategies
 passport.use(new LocalStrategy(local.options, local.authenticate))
@ -47,6 +48,9 @@ module.exports = {
    jwt: require("jsonwebtoken"),
    auditLog,
  },
+  cache: {
+    user: userCache,
+  },
  StaticDatabases,
  constants: require("./constants"),
 }
--- a/packages/auth/src/middleware/authenticated.js
+++ b/packages/auth/src/middleware/authenticated.js
@ -1,7 +1,7 @@
 const { Cookies } = require("../constants")
-const database = require("../db")
 const { getCookie, clearCookie } = require("../utils")
-const { StaticDatabases } = require("../db/utils")
+const { getUser } = require("../cache/user")
+const { getSession, updateSessionTTL } = require("../security/sessions")
 const env = require("../environment")

 const PARAM_REGEX = /\/:(.*?)\//g
@ -48,14 +48,27 @@ module.exports = (noAuthPatterns = [], opts) => {
        user = null,
        internal = false
      if (authCookie) {
+        let error = null
+        const sessionId = authCookie.sessionId,
+          userId = authCookie.userId
+        const session = await getSession(userId, sessionId)
+        if (!session) {
+          error = "No session found"
+        } else {
          try {
-          const db = database.getDB(StaticDatabases.GLOBAL.name)
-          user = await db.get(authCookie.userId)
+            user = await getUser(userId)
            delete user.password
            authenticated = true
          } catch (err) {
-          // remove the cookie as the use does not exist anymore
+            error = err
+          }
+        }
+        if (error) {
+          // remove the cookie as the user does not exist anymore
          clearCookie(ctx, Cookies.Auth)
+        } else {
+          // make sure we denote that the session is still in use
+          await updateSessionTTL(session)
        }
      }
      const apiKey = ctx.request.headers["x-budibase-api-key"]
--- a/packages/auth/src/middleware/passport/google.js
+++ b/packages/auth/src/middleware/passport/google.js
@ -7,6 +7,8 @@ const {
  generateGlobalUserID,
  ViewNames,
 } = require("../../db/utils")
+const { newid } = require("../../hashing")
+const { createASession } = require("../../security/sessions")

 async function authenticate(token, tokenSecret, profile, done) {
  // Check the user exists in the instance DB by email
@ -59,15 +61,16 @@ async function authenticate(token, tokenSecret, profile, done) {
  }

  // authenticate
-  const payload = {
-    userId: dbUser._id,
-    builder: dbUser.builder,
-    email: dbUser.email,
-  }
+  const sessionId = newid()
+  await createASession(dbUser._id, sessionId)

-  dbUser.token = jwt.sign(payload, env.JWT_SECRET, {
-    expiresIn: "1 day",
-  })
+  dbUser.token = jwt.sign(
+    {
+      userId: dbUser._id,
+      sessionId,
+    },
+    env.JWT_SECRET
+  )

  return done(null, dbUser)
 }
--- a/packages/auth/src/middleware/passport/local.js
+++ b/packages/auth/src/middleware/passport/local.js
@ -3,6 +3,8 @@ const { UserStatus } = require("../../constants")
 const { compare } = require("../../hashing")
 const env = require("../../environment")
 const { getGlobalUserByEmail } = require("../../utils")
+const { newid } = require("../../hashing")
+const { createASession } = require("../../security/sessions")

 const INVALID_ERR = "Invalid Credentials"

@ -31,13 +33,16 @@ exports.authenticate = async function (email, password, done) {

  // authenticate
  if (await compare(password, dbUser.password)) {
-    const payload = {
-      userId: dbUser._id,
-    }
+    const sessionId = newid()
+    await createASession(dbUser._id, sessionId)

-    dbUser.token = jwt.sign(payload, env.JWT_SECRET, {
-      expiresIn: "1 day",
-    })
+    dbUser.token = jwt.sign(
+      {
+        userId: dbUser._id,
+        sessionId,
+      },
+      env.JWT_SECRET
+    )
    // Remove users password in payload
    delete dbUser.password

--- a/packages/auth/src/redis/authRedis.js
+++ b/packages/auth/src/redis/authRedis.js
@ -0,0 +1,29 @@
+const Client = require("./index")
+const utils = require("./utils")
+
+let userClient, sessionClient
+
+async function init() {
+  userClient = await new Client(utils.Databases.USER_CACHE).init()
+  sessionClient = await new Client(utils.Databases.SESSIONS).init()
+}
+
+process.on("exit", async () => {
+  if (userClient) await userClient.finish()
+  if (sessionClient) await sessionClient.finish()
+})
+
+module.exports = {
+  getUserClient: async () => {
+    if (!userClient) {
+      await init()
+    }
+    return userClient
+  },
+  getSessionClient: async () => {
+    if (!sessionClient) {
+      await init()
+    }
+    return sessionClient
+  },
+}
--- a/packages/auth/src/redis/index.js
+++ b/packages/auth/src/redis/index.js
@ -1,7 +1,12 @@
 const env = require("../environment")
 // ioredis mock is all in memory
 const Redis = env.isTest() ? require("ioredis-mock") : require("ioredis")
-const { addDbPrefix, removeDbPrefix, getRedisOptions } = require("./utils")
+const {
+  addDbPrefix,
+  removeDbPrefix,
+  getRedisOptions,
+  SEPARATOR,
+} = require("./utils")

 const RETRY_PERIOD_MS = 2000
 const STARTUP_TIMEOUT_MS = 5000
@ -143,14 +148,15 @@ class RedisWrapper {
    CLIENT.disconnect()
  }

-  async scan() {
+  async scan(key = "") {
    const db = this._db
+    key = `${db}${SEPARATOR}${key}`
    let stream
    if (CLUSTERED) {
      let node = CLIENT.nodes("master")
-      stream = node[0].scanStream({ match: db + "-*", count: 100 })
+      stream = node[0].scanStream({ match: key + "*", count: 100 })
    } else {
-      stream = CLIENT.scanStream({ match: db + "-*", count: 100 })
+      stream = CLIENT.scanStream({ match: key + "*", count: 100 })
    }
    return promisifyStream(stream)
  }
@ -182,6 +188,12 @@ class RedisWrapper {
    }
  }

+  async setExpiry(key, expirySeconds) {
+    const db = this._db
+    const prefixedKey = addDbPrefix(db, key)
+    await CLIENT.expire(prefixedKey, expirySeconds)
+  }
+
  async delete(key) {
    const db = this._db
    await CLIENT.del(addDbPrefix(db, key))
--- a/packages/auth/src/redis/utils.js
+++ b/packages/auth/src/redis/utils.js
@ -11,8 +11,12 @@ exports.Databases = {
  INVITATIONS: "invitation",
  DEV_LOCKS: "devLocks",
  DEBOUNCE: "debounce",
+  SESSIONS: "session",
+  USER_CACHE: "users",
 }

+exports.SEPARATOR = SEPARATOR
+
 exports.getRedisOptions = (clustered = false) => {
  const [host, port] = REDIS_URL.split(":")
  const opts = {
--- a/packages/auth/src/security/sessions.js
+++ b/packages/auth/src/security/sessions.js
@ -0,0 +1,69 @@
+const redis = require("../redis/authRedis")
+
+const EXPIRY_SECONDS = 86400
+
+async function getSessionsForUser(userId) {
+  const client = await redis.getSessionClient()
+  const sessions = await client.scan(userId)
+  return sessions.map(session => session.value)
+}
+
+function makeSessionID(userId, sessionId) {
+  return `${userId}/${sessionId}`
+}
+
+exports.createASession = async (userId, sessionId) => {
+  const client = await redis.getSessionClient()
+  const session = {
+    createdAt: new Date().toISOString(),
+    lastAccessedAt: new Date().toISOString(),
+    sessionId,
+    userId,
+  }
+  await client.store(makeSessionID(userId, sessionId), session, EXPIRY_SECONDS)
+}
+
+exports.invalidateSessions = async (userId, sessionId = null) => {
+  let sessions = []
+  if (sessionId) {
+    sessions.push({ key: makeSessionID(userId, sessionId) })
+  } else {
+    sessions = await getSessionsForUser(userId)
+  }
+  const client = await redis.getSessionClient()
+  const promises = []
+  for (let session of sessions) {
+    promises.push(client.delete(session.key))
+  }
+  await Promise.all(promises)
+}
+
+exports.updateSessionTTL = async session => {
+  const client = await redis.getSessionClient()
+  const key = makeSessionID(session.userId, session.sessionId)
+  session.lastAccessedAt = new Date().toISOString()
+  await client.store(key, session, EXPIRY_SECONDS)
+}
+
+exports.endSession = async (userId, sessionId) => {
+  const client = await redis.getSessionClient()
+  await client.delete(makeSessionID(userId, sessionId))
+}
+
+exports.getUserSessions = getSessionsForUser
+
+exports.getSession = async (userId, sessionId) => {
+  try {
+    const client = await redis.getSessionClient()
+    return client.get(makeSessionID(userId, sessionId))
+  } catch (err) {
+    // if can't get session don't error, just don't return anything
+    return null
+  }
+}
+
+exports.getAllSessions = async () => {
+  const client = await redis.getSessionClient()
+  const sessions = await client.scan()
+  return sessions.map(session => session.value)
+}
--- a/packages/auth/src/utils.js
+++ b/packages/auth/src/utils.js
@ -64,23 +64,18 @@ exports.getCookie = (ctx, name) => {
 }

 /**
- * Store a cookie for the request, has a hardcoded expiry.
+ * Store a cookie for the request - it will not expire.
 * @param {object} ctx The request which is to be manipulated.
 * @param {string} name The name of the cookie to set.
 * @param {string|object} value The value of cookie which will be set.
 */
 exports.setCookie = (ctx, value, name = "builder") => {
-  const expires = new Date()
-  expires.setDate(expires.getDate() + 1)
-
  if (!value) {
    ctx.cookies.set(name)
  } else {
-    value = jwt.sign(value, options.secretOrKey, {
-      expiresIn: "1 day",
-    })
+    value = jwt.sign(value, options.secretOrKey)
    ctx.cookies.set(name, value, {
-      expires,
+      maxAge: Number.MAX_SAFE_INTEGER,
      path: "/",
      httpOnly: false,
      overwrite: true,
--- a/packages/server/src/api/routes/tests/routing.spec.js
+++ b/packages/server/src/api/routes/tests/routing.spec.js
@ -2,7 +2,6 @@ const setup = require("./utilities")
 const { basicScreen } = setup.structures
 const { checkBuilderEndpoint } = require("./utilities/TestFunctions")
 const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
-const workerRequests = require("../../../utilities/workerRequests")

 const route = "/test"

--- a/packages/server/src/middleware/currentapp.js
+++ b/packages/server/src/middleware/currentapp.js
@ -2,10 +2,10 @@ const { getAppId, setCookie, getCookie, clearCookie } =
  require("@budibase/auth").utils
 const { Cookies } = require("@budibase/auth").constants
 const { getRole } = require("@budibase/auth/roles")
-const { getGlobalSelf } = require("../utilities/workerRequests")
 const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
 const { generateUserMetadataID } = require("../db/utils")
 const { dbExists } = require("@budibase/auth/db")
+const { getCachedSelf } = require("../utilities/global")
 const CouchDB = require("../db")

 module.exports = async (ctx, next) => {
@ -26,29 +26,17 @@ module.exports = async (ctx, next) => {
    }
  }

-  let updateCookie = false,
-    appId,
+  let appId,
    roleId = BUILTIN_ROLE_IDS.PUBLIC
  if (!ctx.user) {
    // not logged in, try to set a cookie for public apps
-    updateCookie = true
    appId = requestAppId
-  } else if (
-    requestAppId != null &&
-    (appCookie == null ||
-      requestAppId !== appCookie.appId ||
-      appCookie.roleId === BUILTIN_ROLE_IDS.PUBLIC ||
-      !appCookie.roleId)
-  ) {
+  } else if (requestAppId != null) {
    // Different App ID means cookie needs reset, or if the same public user has logged in
-    const globalUser = await getGlobalSelf(ctx, requestAppId)
-    updateCookie = true
+    const globalUser = await getCachedSelf(ctx, requestAppId)
    appId = requestAppId
    // retrieving global user gets the right role
    roleId = globalUser.roleId || BUILTIN_ROLE_IDS.BASIC
-  } else if (appCookie != null) {
-    appId = appCookie.appId
-    roleId = appCookie.roleId || BUILTIN_ROLE_IDS.BASIC
  }
  // nothing more to do
  if (!appId) {
@ -68,8 +56,12 @@ module.exports = async (ctx, next) => {
      role: await getRole(appId, roleId),
    }
  }
-  if (updateCookie) {
-    setCookie(ctx, { appId, roleId }, Cookies.CurrentApp)
+  if (
+    requestAppId !== appId ||
+    appCookie == null ||
+    appCookie.appId !== requestAppId
+  ) {
+    setCookie(ctx, { appId }, Cookies.CurrentApp)
  }
  return next()
 }
--- a/packages/server/src/middleware/tests/currentapp.spec.js
+++ b/packages/server/src/middleware/tests/currentapp.spec.js
@ -23,6 +23,15 @@ function mockReset() {
 function mockAuthWithNoCookie() {
  jest.resetModules()
  mockWorker()
+  jest.mock("@budibase/auth/cache", () => ({
+    user: {
+      getUser: () => {
+        return {
+          _id: "us_uuid1",
+        }
+      },
+    },
+  }))
  jest.mock("@budibase/auth", () => ({
    utils: {
      getAppId: jest.fn(),
--- a/packages/server/src/tests/utilities/TestConfiguration.js
+++ b/packages/server/src/tests/utilities/TestConfiguration.js
@ -17,6 +17,8 @@ const { cleanup } = require("../../utilities/fileSystem")
 const { Cookies } = require("@budibase/auth").constants
 const { jwt } = require("@budibase/auth").auth
 const { StaticDatabases } = require("@budibase/auth/db")
+const { createASession } = require("@budibase/auth/sessions")
+const { user: userCache } = require("@budibase/auth/cache")
 const CouchDB = require("../../db")

 const GLOBAL_USER_ID = "us_uuid1"
@ -62,7 +64,7 @@ class TestConfiguration {
    return request.body
  }

-  async globalUser(id = GLOBAL_USER_ID, builder = true) {
+  async globalUser(id = GLOBAL_USER_ID, builder = true, roles) {
    const db = new CouchDB(StaticDatabases.GLOBAL.name)
    let existing
    try {
@ -73,8 +75,9 @@ class TestConfiguration {
    const user = {
      _id: id,
      ...existing,
-      roles: {},
+      roles: roles || {},
    }
+    await createASession(id, "sessionid")
    if (builder) {
      user.builder = { global: true }
    }
@ -103,6 +106,7 @@ class TestConfiguration {
  defaultHeaders() {
    const auth = {
      userId: GLOBAL_USER_ID,
+      sessionId: "sessionid",
    }
    const app = {
      roleId: BUILTIN_ROLE_IDS.ADMIN,
@ -138,13 +142,7 @@ class TestConfiguration {
    roleId = BUILTIN_ROLE_IDS.ADMIN,
    builder = false,
  }) {
-    let user
-    try {
-      user = await this.createUser(email, PASSWORD, roleId)
-    } catch (err) {
-      // allow errors here
-    }
-    return this.login(email, PASSWORD, { roleId, userId: user._id, builder })
+    return this.login(email, PASSWORD, { roleId, builder })
  }

  async createApp(appName) {
@ -313,6 +311,7 @@ class TestConfiguration {
  async createUser(id = null) {
    const globalId = !id ? `us_${Math.random()}` : `us_${id}`
    const resp = await this.globalUser(globalId)
+    await userCache.invalidateUser(globalId)
    return {
      ...resp,
      globalId,
@ -326,14 +325,19 @@ class TestConfiguration {
    }
    // make sure the user exists in the global DB
    if (roleId !== BUILTIN_ROLE_IDS.PUBLIC) {
-      await this.globalUser(userId, builder)
+      const appId = `app${this.getAppId().split("app_dev")[1]}`
+      await this.globalUser(userId, builder, {
+        [appId]: roleId,
+      })
    }
    if (!email || !password) {
      await this.createUser()
    }
+    await createASession(userId, "sessionid")
    // have to fake this
    const auth = {
      userId,
+      sessionId: "sessionid",
    }
    const app = {
      roleId: roleId,
@ -343,6 +347,7 @@ class TestConfiguration {
    const appToken = jwt.sign(app, env.JWT_SECRET)

    // returning necessary request headers
+    await userCache.invalidateUser(userId)
    return {
      Accept: "application/json",
      Cookie: [
--- a/packages/server/src/utilities/global.js
+++ b/packages/server/src/utilities/global.js
@ -7,6 +7,7 @@ const {
 const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
 const { getDeployedAppID } = require("@budibase/auth/db")
 const { getGlobalUserParams } = require("@budibase/auth/db")
+const { user: userCache } = require("@budibase/auth/cache")

 exports.updateAppRole = (appId, user) => {
  if (!user.roles) {
@ -25,15 +26,24 @@ exports.updateAppRole = (appId, user) => {
  return user
 }

-exports.getGlobalUser = async (appId, userId) => {
-  const db = CouchDB(StaticDatabases.GLOBAL.name)
-  let user = await db.get(getGlobalIDFromUserMetadataID(userId))
+function processUser(appId, user) {
  if (user) {
    delete user.password
  }
  return exports.updateAppRole(appId, user)
 }

+exports.getCachedSelf = async (ctx, appId) => {
+  const user = await userCache.getUser(ctx.user._id)
+  return processUser(appId, user)
+}
+
+exports.getGlobalUser = async (appId, userId) => {
+  const db = CouchDB(StaticDatabases.GLOBAL.name)
+  let user = await db.get(getGlobalIDFromUserMetadataID(userId))
+  return processUser(appId, user)
+}
+
 exports.getGlobalUsers = async (appId = null, users = null) => {
  const db = CouchDB(StaticDatabases.GLOBAL.name)
  let globalUsers
--- a/packages/worker/src/api/controllers/admin/auth.js
+++ b/packages/worker/src/api/controllers/admin/auth.js
@ -10,7 +10,7 @@ const { checkResetPasswordCode } = require("../../../utilities/redis")

 const GLOBAL_DB = authPkg.StaticDatabases.GLOBAL.name

-function authInternal(ctx, user, err = null) {
+async function authInternal(ctx, user, err = null) {
  if (err) {
    return ctx.throw(403, "Unauthorized")
  }
@ -22,6 +22,7 @@ function authInternal(ctx, user, err = null) {
    return ctx.throw(403, "Unauthorized")
  }

+  // just store the user ID
  ctx.cookies.set(Cookies.Auth, user.token, {
    expires,
    path: "/",
@ -32,7 +33,7 @@ function authInternal(ctx, user, err = null) {

 exports.authenticate = async (ctx, next) => {
  return passport.authenticate("local", async (err, user) => {
-    authInternal(ctx, user, err)
+    await authInternal(ctx, user, err)

    delete user.token

@ -123,7 +124,7 @@ exports.googleAuth = async (ctx, next) => {
    strategy,
    { successRedirect: "/", failureRedirect: "/error" },
    async (err, user) => {
-      authInternal(ctx, user, err)
+      await authInternal(ctx, user, err)

      ctx.redirect("/")
    }
--- a/packages/worker/src/api/controllers/admin/sessions.js
+++ b/packages/worker/src/api/controllers/admin/sessions.js
@ -0,0 +1,37 @@
+const {
+  getAllSessions,
+  getUserSessions,
+  invalidateSessions,
+} = require("@budibase/auth/sessions")
+
+exports.fetch = async ctx => {
+  ctx.body = await getAllSessions()
+}
+
+exports.find = async ctx => {
+  const { userId } = ctx.params
+  const sessions = await getUserSessions(userId)
+  ctx.body = sessions.map(session => session.value)
+}
+
+exports.invalidateUser = async ctx => {
+  const { userId } = ctx.params
+  await invalidateSessions(userId)
+  ctx.body = {
+    message: "User sessions invalidated",
+  }
+}
+
+exports.selfSessions = async ctx => {
+  const userId = ctx.user._id
+  ctx.body = await getUserSessions(userId)
+}
+
+exports.invalidateSession = async ctx => {
+  const userId = ctx.user._id
+  const { sessionId } = ctx.params
+  await invalidateSessions(userId, sessionId)
+  ctx.body = {
+    message: "Session invalidated successfully.",
+  }
+}
--- a/packages/worker/src/api/controllers/admin/users.js
+++ b/packages/worker/src/api/controllers/admin/users.js
@ -5,6 +5,8 @@ const { hash, getGlobalUserByEmail } = require("@budibase/auth").utils
 const { UserStatus, EmailTemplatePurpose } = require("../../../constants")
 const { checkInviteCode } = require("../../../utilities/redis")
 const { sendEmail } = require("../../../utilities/email")
+const { user: userCache } = require("@budibase/auth/cache")
+const { invalidateSessions } = require("@budibase/auth/sessions")

 const GLOBAL_DB = StaticDatabases.GLOBAL.name

@ -62,6 +64,7 @@ exports.save = async ctx => {
      password: hashedPassword,
      ...user,
    })
+    await userCache.invalidateUser(response.id)
    ctx.body = {
      _id: response.id,
      _rev: response.rev,
@ -107,6 +110,8 @@ exports.destroy = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const dbUser = await db.get(ctx.params.id)
  await db.remove(dbUser._id, dbUser._rev)
+  await userCache.invalidateUser(dbUser._id)
+  await invalidateSessions(dbUser._id)
  ctx.body = {
    message: `User ${ctx.params.id} deleted.`,
  }
@ -117,13 +122,16 @@ exports.removeAppRole = async ctx => {
  const db = new CouchDB(GLOBAL_DB)
  const users = await allUsers()
  const bulk = []
+  const cacheInvalidations = []
  for (let user of users) {
    if (user.roles[appId]) {
+      cacheInvalidations.push(userCache.invalidateUser(user._id))
      delete user.roles[appId]
      bulk.push(user)
    }
  }
  await db.bulkDocs(bulk)
+  await Promise.all(cacheInvalidations)
  ctx.body = {
    message: "App role removed from all users",
  }
@ -153,6 +161,7 @@ exports.updateSelf = async ctx => {
    ...user,
    ...ctx.request.body,
  })
+  await userCache.invalidateUser(user._id)
  ctx.body = {
    _id: response.id,
    _rev: response.rev,
--- a/packages/worker/src/api/routes/admin/sessions.js
+++ b/packages/worker/src/api/routes/admin/sessions.js
@ -0,0 +1,14 @@
+const Router = require("@koa/router")
+const controller = require("../../controllers/admin/sessions")
+const adminOnly = require("../../../middleware/adminOnly")
+
+const router = Router()
+
+router
+  .get("/api/admin/sessions", adminOnly, controller.fetch)
+  .get("/api/admin/sessions/self", controller.selfSessions)
+  .get("/api/admin/sessions/:userId", adminOnly, controller.find)
+  .delete("/api/admin/sessions/:userId", adminOnly, controller.invalidateUser)
+  .delete("/api/admin/sessions/self/:sessionId", controller.invalidateSession)
+
+module.exports = router
--- a/packages/worker/src/api/routes/index.js
+++ b/packages/worker/src/api/routes/index.js
@ -5,6 +5,7 @@ const templateRoutes = require("./admin/templates")
 const emailRoutes = require("./admin/email")
 const authRoutes = require("./admin/auth")
 const roleRoutes = require("./admin/roles")
+const sessionRoutes = require("./admin/sessions")
 const appRoutes = require("./app")

 exports.routes = [
@ -15,5 +16,6 @@ exports.routes = [
  appRoutes,
  templateRoutes,
  emailRoutes,
+  sessionRoutes,
  roleRoutes,
 ]
--- a/packages/worker/src/api/routes/tests/utilities/TestConfiguration.js
+++ b/packages/worker/src/api/routes/tests/utilities/TestConfiguration.js
@ -5,6 +5,7 @@ const { jwt } = require("@budibase/auth").auth
 const { Cookies } = require("@budibase/auth").constants
 const { Configs, LOGO_URL } = require("../../../../constants")
 const { getGlobalUserByEmail } = require("@budibase/auth").utils
+const { createASession } = require("@budibase/auth/sessions")

 class TestConfiguration {
  constructor(openServer = true) {
@ -56,6 +57,7 @@ class TestConfiguration {
        null,
        controllers.users.save
      )
+      await createASession("us_uuid1", "sessionid")
    }
  }

@ -69,6 +71,7 @@ class TestConfiguration {
    const user = {
      _id: "us_uuid1",
      userId: "us_uuid1",
+      sessionId: "sessionid",
    }
    const authToken = jwt.sign(user, env.JWT_SECRET)
    return {
--- a/packages/worker/src/utilities/redis.js
+++ b/packages/worker/src/utilities/redis.js
@ -44,7 +44,7 @@ async function getACode(db, code, deleteCode = true) {

 exports.init = async () => {
  pwResetClient = await new Client(utils.Databases.PW_RESETS).init()
-  invitationClient = await new Client(utils.Databases.PW_RESETS).init()
+  invitationClient = await new Client(utils.Databases.INVITATIONS).init()
 }

 /**
				`@ -0,0 +1 @@`
				`module.exports = require("./src/security/sessions")`