feat: implement remember_token for session management and harden security

- Add `remember_token` to users table to decouple sessions from usernames.
- Implement server-side session invalidation via token rotation on password change, reset, email/username updates, and account banning.
- Add `all_sessions=true` flag to logout and a new `force_logout` admin API.
- Refactor auth logic into `establish_session` with JIT token migration for legacy cookies.
- Fix "remember me" logic by removing incorrect session clearing in `/api/v1/init`.
- Enhance clickjacking protection by adding `X-Frame-Options: DENY` and `frame-ancestors 'none'` to sensitive user forms.
- Fix a typo in `persist_session` cookie handling.

Co-authored-by: Claude Code <noreply@anthropic.com>

Author: 2 people

api.lua

@@ -88,11 +88,13 @@ app:match(api_route('init'), respond_to({
             400)
     end),
     POST = capture_errors(function (self)
-        if not self.session.username or
-            (self.session.username and
-                self.session.persist_session == 'false') then
-            self.session.username = ''
-        end
+        -- Historically /init wiped any session whose persist_session flag
+        -- was 'false', which forced users who hadn't checked "remember me"
+        -- out every time the editor reloaded — defeating the whole point
+        -- of session cookies. Cookie persistence is now driven entirely
+        -- by the absence/presence of Max-Age in app.cookie_attributes:
+        -- the browser handles "should this die on browser close?" itself,
+        -- and we don't second-guess it here.
         return okResponse()
     end)
 }))
@@ -182,6 +184,10 @@ app:match(api_route('users/:username/become'), respond_to({
     POST = UserController.become
 }))
 
+app:match(api_route('users/:username/force_logout'), respond_to({
+    POST = UserController.force_logout
+}))
+
 app:match(api_route('users/:username/verify'), respond_to({
     POST = UserController.verify
 }))

app.lua

@@ -80,6 +80,83 @@ end
 require 'models'
 require 'responses'
 
+-- Resolve the user this request belongs to, based on the session cookie.
+--
+-- Priority:
+--   1. session.remember_token: the source of truth. Look up by token; if
+--      it doesn't match a user the cookie is stale (token rotated by a
+--      password change, "log out all sessions", etc.) and we treat the
+--      request as logged-out.
+--   2. JIT-migrate legacy cookies. A cookie minted before remember_token
+--      existed will only carry session.username. We accept it ONLY if the
+--      user's record has no remember_token yet — i.e. nobody has logged
+--      in for this account since the column was added. We then issue a
+--      token and pin it to the cookie.
+--   3. If the user record DOES already have a remember_token, refuse the
+--      tokenless cookie. Accepting it would defeat the whole point of
+--      server-side invalidation: the legitimate owner has logged in
+--      somewhere and rotated the token; the bare-username cookie is
+--      either ours-but-stale or stolen, and either way it must lose.
+local function resolve_current_user(self)
+    local Users = package.loaded.Users
+    local remember_token = self.session.remember_token
+
+    if remember_token and remember_token ~= '' then
+        return Users:find({ remember_token = remember_token })
+    end
+
+    local username = self.session.username
+    if not username or username == '' then return nil end
+
+    local user = Users:find({ username = username })
+    if not user then return nil end
+
+    if user.remember_token and user.remember_token ~= '' then
+        return nil
+    end
+
+    self.session.remember_token = user:rotate_remember_token()
+    return user
+end
+
+-- Track a "session" (a 4-hour window of activity) for the user. Called
+-- after a request has been authenticated and current_user is set.
+local function track_session_activity(self)
+    local should_count_session = false
+    if not self.current_user.last_session_at then
+        should_count_session = true
+    else
+        local hours_since = package.loaded.db.select(
+            "extract(epoch from now() - ?::timestamptz) / 3600 as hours",
+            self.current_user.last_session_at
+        )[1]
+        if hours_since.hours >= 4 then
+            should_count_session = true
+        end
+    end
+    if should_count_session then
+        self.current_user:update({
+            last_session_at = package.loaded.db.format_date(),
+            session_count = self.current_user.session_count + 1
+        })
+    end
+end
+
+-- Single entry point for "who is the user on this request?"
+-- Mutates self.current_user and the session in place.
+local function establish_session(self)
+    self.current_user = resolve_current_user(self)
+    if self.current_user then
+        self.session.username = self.current_user.username
+        self.session.last_access_at = date(true):fmt('${http}')
+        track_session_activity(self)
+    else
+        self.session.username = ''
+        self.session.remember_token = nil
+        self.session.user_id = nil
+    end
+end
+
 app.cookie_attributes = function (self)
     -- Cookies are 'session cookies' unless they have an expiration date.
     -- Cookies have a Max-Age of 35 days, because this is continually reset
@@ -246,37 +323,7 @@ app:before_filter(function (self)
         end
     end
 
-    if self.session.username and self.session.username ~= '' then
-        self.current_user =
-            package.loaded.Users:find({ username = self.session.username })
-        self.session.last_access_at = date(true):fmt('${http}')
-
-        -- Track distinct sessions: increment session_count and update
-        -- last_session_at at most once every 4 hours.
-        if self.current_user then
-            local should_count_session = false
-            if not self.current_user.last_session_at then
-                should_count_session = true
-            else
-                local hours_since = package.loaded.db.select(
-                    "extract(epoch from now() - ?::timestamptz) / 3600 as hours",
-                    self.current_user.last_session_at
-                )[1]
-                if hours_since.hours >= 4 then
-                    should_count_session = true
-                end
-            end
-            if should_count_session then
-                self.current_user:update({
-                    last_session_at = package.loaded.db.format_date(),
-                    session_count = self.current_user.session_count + 1
-                })
-            end
-        end
-    else
-        self.session.username = ''
-        self.current_user = nil
-    end
+    establish_session(self)
 
     if self.params.matchtext then
         self.params.matchtext = '%' .. self.params.matchtext .. '%'

controllers/user.lua

@@ -49,6 +49,17 @@ local validate_token = validations.validate_token
 local utils = require('lib.util')
 local escape_html = utils.escape_html
 
+-- Rotate the target user's remember_token (kicking every other session
+-- for that account) and, if the target IS the requestor, slide the new
+-- token into the current cookie so the requestor stays logged in.
+local function rotate_token_and_sync_session(self, user)
+    if not user then return end
+    local new_token = user:rotate_remember_token()
+    if self.current_user and user.id == self.current_user.id then
+        self.session.remember_token = new_token
+    end
+end
+
 UserController = {
     run_query = function (self, query)
         if not self.params.page_number then self.params.page_number = 1 end
@@ -180,8 +191,9 @@ UserController = {
                 token:delete()
             end
 
-            -- TODO: Create and store a remember token
             self.session.username = self.queried_user.username
+            self.session.remember_token =
+                self.queried_user:ensure_remember_token()
             self.session.persist_session = tostring(self.params.persist)
             self.queried_user:update({
                 last_login_at = db.format_date()
@@ -204,12 +216,28 @@ UserController = {
             -- Admins can log in as other people
             assert_admin(self, err.wrong_password)
             self.session.username = self.queried_user.username
+            self.session.remember_token =
+                self.queried_user:ensure_remember_token()
             return jsonResponse({ redirect = self:build_url('/') })
         end
     end),
+    -- POST /logout
+    -- Optional param: all_sessions=true rotates the user's remember_token
+    -- before clearing the cookie, which invalidates every other session
+    -- that was authenticated with the previous token.
     logout = capture_errors(function (self)
+        if self.params.all_sessions == true
+                or tostring(self.params.all_sessions) == 'true' then
+            local user = self.current_user
+                or (self.session.remember_token and self.session.remember_token ~= ''
+                    and Users:find({ remember_token = self.session.remember_token }))
+            if user then user:rotate_remember_token() end
+        end
         self.session.username = ''
         self.session.user_id = nil
+        self.session.remember_token = nil
+        self.session.impersonator = nil
+        self.session.impersonator_token = nil
         self.session.persist_session = 'false'
         return jsonResponse({
             redirect = (self.params.redirect or self:build_url('/'))
@@ -258,6 +286,10 @@ UserController = {
             )
         end
 
+        -- Email is the recovery channel — if it changed under an attacker,
+        -- every existing session for this account must die.
+        rotate_token_and_sync_session(self, user)
+
         return jsonResponse({
             title = 'Email changed',
             message = 'Email has been updated.',
@@ -306,6 +338,10 @@ UserController = {
             )
         end
 
+        -- A username change is a strong account-takeover signal; rotate
+        -- the token so any other live session for this account is dropped.
+        rotate_token_and_sync_session(self, user)
+
         return jsonResponse({
             title = 'Username changed',
             message = 'Username has been updated.',
@@ -330,7 +366,13 @@ UserController = {
             password = bcrypt_hash(self.params.new_password),
             password_version = PASSWORD_VERSION_BCRYPT,
             salt = '',
+            password_changed_at = db.raw('now()'),
+            updated_at = db.raw('now()')
         })
+        -- Rotate the remember_token so every other device gets logged out.
+        -- Refresh the current session's token so the caller stays logged in.
+        self.session.remember_token =
+            self.current_user:rotate_remember_token()
         return jsonResponse({
             title = 'Password changed',
             message = 'Your password has been changed.',
@@ -423,6 +465,7 @@ UserController = {
                 -- we've deleted ourselves, let's log out
                 self.session.username = ''
                 self.session.user_id = nil
+                self.session.remember_token = nil
                 self.session.persist_session = 'false'
             end
             return jsonResponse({
@@ -690,9 +733,17 @@ UserController = {
                     Users.roles[self.queried_user.role] then
                 yield_error(err.auth)
             else
+                -- Stash the admin's identity so unbecome can restore it.
+                -- We save both username and remember_token so the admin's
+                -- session keeps working even if we swap the cookie's token
+                -- to the target user's.
                 self.session.impersonator = self.current_user.username
+                self.session.impersonator_token =
+                    self.session.remember_token
                 self.current_user = self.queried_user
                 self.session.username = self.queried_user.username
+                self.session.remember_token =
+                    self.queried_user:ensure_remember_token()
             end
         end
         return jsonResponse({
@@ -704,9 +755,11 @@ UserController = {
     unbecome = capture_errors(function (self)
         if self.session.impersonator then
             self.session.username = self.session.impersonator
+            self.session.remember_token = self.session.impersonator_token
             self.current_user =
                 Users:find({ username = self.session.impersonator})
             self.session.impersonator = nil
+            self.session.impersonator_token = nil
             return jsonResponse({
                 message = 'You are now ' .. self.session.username .. ' again',
                 title = 'Unimpersonation',
@@ -732,6 +785,11 @@ UserController = {
         if self.queried_user then
             assert_can_set_role(self, self.params.role)
             self.queried_user:update({ role = self.params.role })
+            -- A banned user must lose every live session — otherwise an
+            -- attacker who keeps an existing cookie keeps their access.
+            if self.params.role == 'banned' then
+                rotate_token_and_sync_session(self, self.queried_user)
+            end
         end
         return jsonResponse({
             message =
@@ -741,6 +799,20 @@ UserController = {
             redirect = self.queried_user:url_for('site')
         })
     end),
+    -- Admin/moderator action: rotate a user's remember_token, which
+    -- invalidates every active session for that account on every device.
+    -- Use this for suspected account takeover or as a manual "kick" tool.
+    force_logout = capture_errors(function (self)
+        assert_min_role(self, 'moderator')
+        assert_user_exists(self)
+        rotate_token_and_sync_session(self, self.queried_user)
+        return jsonResponse({
+            title = 'Sessions terminated',
+            message = 'All sessions for ' ..
+                self.queried_user.username .. ' have been terminated.',
+            redirect = self.queried_user:url_for('site')
+        })
+    end),
     set_teacher = capture_errors(function (self)
         assert_min_role(self, 'moderator')
         if self.queried_user then
@@ -861,6 +933,7 @@ app:match(
                 self.username = escape_html(token.username)
                 self.csrf_token = csrf.generate_token(self)
                 self.min_password_length = Users.MIN_PASSWORD_LENGTH
+                utils.set_no_frame_headers(self)
                 return { render = 'password_reset' }
             end
         ),
@@ -869,6 +942,7 @@ app:match(
                 -- Step 2: User submitted the new password form.
                 -- Validate CSRF token first, without consuming
                 -- the reset token.
+                utils.set_no_frame_headers(self)
                 local valid, csrf_err = csrf.validate_token(self)
                 if not valid then
                     return html_message_page(
@@ -906,13 +980,23 @@ app:match(
                     'password_reset',
                     function (user)
                         -- Store as native bcrypt (version 2) on reset.
+                        -- Rotate the remember_token in the same UPDATE so
+                        -- every existing session for this user is logged
+                        -- out — including any session the attacker may
+                        -- still hold. The user re-logs in fresh.
                         user:update({
                             password = bcrypt_hash(prehash),
                             password_version = PASSWORD_VERSION_BCRYPT,
                             salt = '',
                             password_changed_at = db.raw('now()'),
-                            updated_at = db.raw('now()')
+                            updated_at = db.raw('now()'),
+                            remember_token = secure_token()
                         })
+                        -- Drop any session this browser still has so the
+                        -- "log in" link below is not a no-op.
+                        self.session.username = ''
+                        self.session.remember_token = nil
+                        self.session.user_id = nil
                         send_mail(
                             user.email,
                             mail_subjects.password_changed ..

db/schema.sql

@@ -135,7 +135,8 @@ CREATE TABLE public.users (
     password_changed_at timestamp with time zone,
     updated_at timestamp with time zone,
     last_session_at timestamp with time zone,
-    password_version integer DEFAULT 0 NOT NULL
+    password_version integer DEFAULT 0 NOT NULL,
+    remember_token text
 );
 
 
@@ -164,7 +165,8 @@ CREATE VIEW public.active_users AS
     password_changed_at,
     updated_at,
     last_session_at,
-    password_version
+    password_version,
+    remember_token
    FROM public.users
   WHERE (deleted IS NULL);
 
@@ -610,6 +612,14 @@ ALTER TABLE ONLY public.users
     ADD CONSTRAINT users_unique_email_key UNIQUE (unique_email);
 
 
+--
+-- Name: users users_remember_token_key; Type: CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.users
+    ADD CONSTRAINT users_remember_token_key UNIQUE (remember_token);
+
+
 --
 -- Name: tokens value_pkey; Type: CONSTRAINT; Schema: public; Owner: -
 --