using System.ComponentModel.DataAnnotations;
using Management.Data;
using Management.Security;
using Microsoft.AspNetCore.Mvc;
namespace Management.Controllers.Admin;
/// <summary>
/// Admin endpoints for session management.
/// Requires Admin role.
///
/// ENDPOINTS:
/// GET /api/admin/sessions - List sessions
/// POST /api/admin/sessions/{id}/revoke - Revoke session
/// POST /api/admin/users/{id}/revoke-sessions - Revoke all user sessions
/// POST /api/admin/sessions/cleanup - Cleanup expired sessions
/// </summary>
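[ApiController]
[Route("api/admin/sessions")]
public sealed class AdminSessionsController : AdminControllerBase
{
    /// <summary>
    /// Creates the controller. All dependencies are forwarded to
    /// <see cref="AdminControllerBase"/>, which is also where the Admin-role
    /// requirement is expected to be enforced (not visible in this file — confirm).
    /// </summary>
    public AdminSessionsController(SqlService sql, ClientContext client, ILogger log)
        : base(sql, client, log)
    {
    }

    /// <summary>
    /// List sessions with optional filtering. Forwards the filters to the
    /// <c>list</c> action of <c>spAdminSessions</c>.
    /// </summary>
    /// <param name="clientId">Optional client filter; passed through to the procedure unchanged.</param>
    /// <param name="userId">Optional user filter; passed through to the procedure unchanged.</param>
    /// <param name="activeOnly">Passed through to the procedure as <c>activeOnly</c>.</param>
    /// <param name="limit">
    /// Row limit passed to the procedure. Negative values are rejected with 400 by
    /// model validation; no upper bound is enforced here (presumably applied by the
    /// procedure — confirm).
    /// </param>
    /// <param name="ct">Cancellation token flowed to the procedure call.</param>
    [HttpGet]
    public Task List(
        [FromQuery] string? clientId,
        [FromQuery] string? userId,
        [FromQuery] bool activeOnly = true,
        [FromQuery, Range(0, int.MaxValue)] int limit = 100,
        CancellationToken ct = default)
    {
        // Reads of session data are audited like the mutating actions below,
        // so every admin access to this data leaves a trace with the actor.
        Logger.LogInformation(
            "[Admin] ListSessions | ClientId={ClientId} | UserId={UserId} | ActiveOnly={ActiveOnly} | Limit={Limit} | By={User}",
            clientId, userId, activeOnly, limit, Client.Email);
        return CallProc("spAdminSessions", "list", new { clientId, userId, activeOnly, limit }, ct);
    }

    /// <summary>
    /// Revoke a single session via the <c>revoke</c> action of <c>spAdminSessions</c>.
    /// The acting admin (<c>Client.Email</c>) is written to the warning log before the call.
    /// </summary>
    /// <param name="sessionId">Session identifier taken from the route.</param>
    /// <param name="ct">Cancellation token flowed to the procedure call.</param>
    [HttpPost("{sessionId}/revoke")]
    public Task Revoke(string sessionId, CancellationToken ct)
    {
        Logger.LogWarning("[Admin] RevokeSession | SessionId={SessionId} | By={User}", sessionId, Client.Email);
        return CallProc("spAdminSessions", "revoke", new { sessionId }, ct);
    }

    /// <summary>
    /// Revoke all sessions for a user via the <c>revokeAllForUser</c> action of
    /// <c>spAdminSessions</c>. Routed under <c>/api/admin/users/{userId}</c> rather
    /// than this controller's route prefix (note the <c>~/</c> override).
    /// </summary>
    /// <param name="userId">User identifier taken from the route.</param>
    /// <param name="ct">Cancellation token flowed to the procedure call.</param>
    [HttpPost("~/api/admin/users/{userId}/revoke-sessions")]
    public Task RevokeAllForUser(string userId, CancellationToken ct)
    {
        Logger.LogWarning("[Admin] RevokeAllSessions | UserId={UserId} | By={User}", userId, Client.Email);
        return CallProc("spAdminSessions", "revokeAllForUser", new { userId }, ct);
    }

    /// <summary>
    /// Cleanup expired sessions via the <c>cleanup</c> action of <c>spAdminSessions</c>.
    /// </summary>
    /// <param name="daysOld">
    /// Age threshold passed to the procedure. Negative values are rejected with 400 by
    /// model validation so a malformed query string cannot reach the procedure.
    /// </param>
    /// <param name="ct">Cancellation token flowed to the procedure call.</param>
    [HttpPost("cleanup")]
    public Task Cleanup([FromQuery, Range(0, int.MaxValue)] int daysOld = 30, CancellationToken ct = default)
    {
        Logger.LogWarning("[Admin] CleanupSessions | DaysOld={DaysOld} | By={User}", daysOld, Client.Email);
        return CallProc("spAdminSessions", "cleanup", new { daysOld }, ct);
    }
}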