Merge branch 'dev' into fix/rebac-env-sync-issue

backend/internal/handler/auth_handler_async_test.go

@@ -80,6 +80,7 @@ func (m *AsyncMockUserRepo) Create(ctx context.Context, user *domain.User) error
 	}
 	return args.Error(0)
 }
+
 func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error {
 	args := m.Called(ctx, user)
 	if m.createCalled != nil {
@@ -87,6 +88,7 @@ func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error
 	}
 	return args.Error(0)
 }
+
 func (m *AsyncMockUserRepo) Delete(ctx context.Context, id string) error { return nil }
 func (m *AsyncMockUserRepo) FindByEmail(ctx context.Context, email string) (*domain.User, error) {
 	return nil, nil

backend/internal/handler/auth_handler_linked_test.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"
 
@@ -45,11 +46,14 @@ func TestListLinkedRps_PriorityAndAggregation(t *testing.T) {
 				return httpJSONAny(r, http.StatusOK, []map[string]interface{}{
 					{
 						"client": map[string]interface{}{
-							"client_id":   "client-active",
-							"client_name": "Active App",
+							"client_id":   "devfront",
+							"client_name": "DevFront",
+							"redirect_uris": []string{
+								"https://active.example.com/callback",
+							},
 						},
-						"granted_scope": []string{"openid"},
-						"handled_at":    time.Now().Format(time.RFC3339),
+						"grant_scope": []string{"openid", "profile"},
+						"handled_at":  time.Now().Format(time.RFC3339),
 					},
 				}), nil
 			}
@@ -111,6 +115,8 @@ func TestListLinkedRps_PriorityAndAggregation(t *testing.T) {
 
 	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
 	t.Setenv("KRATOS_ADMIN_URL", "http://kratos.test")
+	t.Setenv("HYDRA_PUBLIC_URL", "https://sso.example.com/oidc")
+	t.Setenv("DEVFRONT_URL", "http://localhost:5174")
 
 	app := newLinkedRpTestApp(h)
 
@@ -123,10 +129,11 @@ func TestListLinkedRps_PriorityAndAggregation(t *testing.T) {
 
 	var res struct {
 		Items []struct {
-			ID     string   `json:"id"`
-			Name   string   `json:"name"`
-			Status string   `json:"status"`
-			Scopes []string `json:"scopes"`
+			ID      string   `json:"id"`
+			Name    string   `json:"name"`
+			Status  string   `json:"status"`
+			Scopes  []string `json:"scopes"`
+			InitURL string   `json:"init_url"`
 		} `json:"items"`
 	}
 	json.NewDecoder(resp.Body).Decode(&res)
@@ -138,7 +145,108 @@ func TestListLinkedRps_PriorityAndAggregation(t *testing.T) {
 		statusMap[item.ID] = item.Status
 	}
 
-	assert.Equal(t, "active", statusMap["client-active"])
+	assert.Equal(t, "active", statusMap["devfront"])
 	assert.Equal(t, "inactive", statusMap["client-consent"])
 	assert.Equal(t, "inactive", statusMap["client-audit"])
+
+	var activeInitURL string
+	for _, item := range res.Items {
+		if item.ID == "devfront" {
+			activeInitURL = item.InitURL
+			break
+		}
+	}
+
+	parsedInitURL, err := url.Parse(activeInitURL)
+	assert.NoError(t, err)
+	assert.Equal(t, "http", parsedInitURL.Scheme)
+	assert.Equal(t, "localhost:5174", parsedInitURL.Host)
+	assert.Equal(t, "/login", parsedInitURL.Path)
+	assert.Equal(t, "1", parsedInitURL.Query().Get("auto"))
+	assert.Equal(t, "/clients", parsedInitURL.Query().Get("returnTo"))
+}
+
+func TestListLinkedRps_EnrichesLogoFromHydraClientWhenConsentSessionOmitsMetadata(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch r.URL.Host {
+		case "kratos.test":
+			if r.URL.Path == "/sessions/whoami" {
+				return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+					"identity": map[string]interface{}{
+						"id": "user-123",
+					},
+				}), nil
+			}
+		case "hydra.test":
+			if r.URL.Path == "/oauth2/auth/sessions/consent" {
+				return httpJSONAny(r, http.StatusOK, []map[string]interface{}{
+					{
+						"client": map[string]interface{}{
+							"client_id":   "gitea-client",
+							"client_name": "Gitea",
+							"redirect_uris": []string{
+								"https://gitea.example.com/callback",
+							},
+						},
+						"grant_scope": []string{"openid", "profile"},
+						"handled_at":  time.Now().Format(time.RFC3339),
+					},
+				}), nil
+			}
+			if r.URL.Path == "/clients/gitea-client" {
+				return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+					"client_id":   "gitea-client",
+					"client_name": "Gitea",
+					"redirect_uris": []string{
+						"https://gitea.example.com/callback",
+					},
+					"metadata": map[string]interface{}{
+						"logo_url": "https://cdn.example.com/gitea.svg",
+					},
+				}), nil
+			}
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+
+	origDefault := http.DefaultClient
+	http.DefaultClient = client
+	defer func() {
+		http.DefaultClient = origDefault
+	}()
+
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+		KratosAdmin: new(MockKratosAdminService),
+	}
+
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+	t.Setenv("KRATOS_ADMIN_URL", "http://kratos.test")
+	t.Setenv("HYDRA_PUBLIC_URL", "https://sso.example.com/oidc")
+
+	app := newLinkedRpTestApp(h)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/rp/linked", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var res struct {
+		Items []struct {
+			ID   string `json:"id"`
+			Logo string `json:"logo"`
+		} `json:"items"`
+	}
+	json.NewDecoder(resp.Body).Decode(&res)
+
+	assert.Len(t, res.Items, 1)
+	assert.Equal(t, "gitea-client", res.Items[0].ID)
+	assert.Equal(t, "https://cdn.example.com/gitea.svg", res.Items[0].Logo)
 }

backend/internal/handler/auth_handler_login_test.go

@@ -7,6 +7,7 @@ package handler
 
 import (
 	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/middleware"
 	"baron-sso-backend/internal/service"
 	"bytes"
 	"context"
@@ -122,6 +123,27 @@ func (m *MockKratosAdminService) DeleteIdentity(ctx context.Context, identityID
 	return nil
 }
 
+func (m *MockKratosAdminService) ListIdentitySessions(ctx context.Context, identityID string) ([]service.KratosSession, error) {
+	args := m.Called(ctx, identityID)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).([]service.KratosSession), args.Error(1)
+}
+
+func (m *MockKratosAdminService) GetSession(ctx context.Context, sessionID string) (*service.KratosSession, error) {
+	args := m.Called(ctx, sessionID)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*service.KratosSession), args.Error(1)
+}
+
+func (m *MockKratosAdminService) DeleteSession(ctx context.Context, sessionID string) error {
+	args := m.Called(ctx, sessionID)
+	return args.Error(0)
+}
+
 // --- Helper ---
 
 func newAuthLoginTestApp(h *AuthHandler) *fiber.App {
@@ -616,6 +638,156 @@ func TestPasswordLogin_OIDC_Success(t *testing.T) {
 	}
 }
 
+func TestPasswordLogin_OIDC_AuditIncludesClientMetadata(t *testing.T) {
+	mockIdp := new(MockIdentityProvider)
+	mockIdp.On("SignIn", "user@example.com", "password").Return(&domain.AuthInfo{
+		SessionToken: &domain.Token{JWT: "valid-jwt", SessionID: "session-123"},
+		Subject:      "kratos-identity-id",
+	}, nil)
+
+	hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch {
+		case strings.Contains(r.URL.Path, "/oauth2/auth/requests/login") && r.Method == http.MethodGet:
+			json.NewEncoder(w).Encode(domain.HydraLoginRequest{
+				Challenge: "challenge-123",
+				Client: domain.HydraClient{
+					ClientID:   "devfront",
+					ClientName: "DevFront",
+					Metadata:   map[string]interface{}{"status": "active"},
+				},
+			})
+		case strings.Contains(r.URL.Path, "/oauth2/auth/requests/login/accept") && r.Method == http.MethodPut:
+			json.NewEncoder(w).Encode(map[string]string{"redirect_to": "http://rp/cb"})
+		default:
+			http.NotFound(w, r)
+		}
+	})
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("FindIdentityIDByIdentifier", mock.Anything, "user@example.com").Return("kratos-identity-id", nil)
+
+	auditRepo := &mockAuditRepo{}
+	h := &AuthHandler{
+		IdpProvider: mockIdp,
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: mockHydraTransport(hydraHandler)},
+		},
+	}
+
+	app := fiber.New()
+	app.Use(middleware.AuditMiddleware(middleware.AuditConfig{
+		Repo:     auditRepo,
+		BodyDump: true,
+	}))
+	app.Post("/api/v1/auth/password/login", h.PasswordLogin)
+
+	body, _ := json.Marshal(map[string]string{
+		"loginId":         "user@example.com",
+		"password":        "password",
+		"login_challenge": "challenge-123",
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/password/login", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		t.Fatalf("expected 200, got %d, body: %s", resp.StatusCode, string(bodyBytes))
+	}
+
+	if len(auditRepo.logs) != 1 {
+		t.Fatalf("expected 1 audit log, got %d", len(auditRepo.logs))
+	}
+
+	log := auditRepo.logs[0]
+	if log.EventType != "POST /api/v1/auth/password/login" {
+		t.Fatalf("expected password login audit event, got %q", log.EventType)
+	}
+	if log.UserID != "kratos-identity-id" {
+		t.Fatalf("expected audit user_id kratos-identity-id, got %q", log.UserID)
+	}
+
+	details, err := parseAuditDetails(log.Details)
+	if err != nil {
+		t.Fatalf("failed to parse audit details: %v", err)
+	}
+	if got, _ := details["client_id"].(string); got != "devfront" {
+		t.Fatalf("expected client_id devfront, got %v", details["client_id"])
+	}
+	if got, _ := details["client_name"].(string); got != "DevFront" {
+		t.Fatalf("expected client_name DevFront, got %v", details["client_name"])
+	}
+}
+
+func TestPasswordLogin_UserFront_AuditIncludesDefaultClientMetadata(t *testing.T) {
+	mockIdp := new(MockIdentityProvider)
+	mockIdp.On("SignIn", "user@example.com", "password").Return(&domain.AuthInfo{
+		SessionToken: &domain.Token{JWT: "valid-jwt", SessionID: "session-123"},
+		Subject:      "kratos-identity-id",
+	}, nil)
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("FindIdentityIDByIdentifier", mock.Anything, "user@example.com").Return("kratos-identity-id", nil)
+
+	auditRepo := &mockAuditRepo{}
+	h := &AuthHandler{
+		IdpProvider: mockIdp,
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+	}
+
+	app := fiber.New()
+	app.Use(middleware.AuditMiddleware(middleware.AuditConfig{
+		Repo:     auditRepo,
+		BodyDump: true,
+	}))
+	app.Post("/api/v1/auth/password/login", h.PasswordLogin)
+
+	body, _ := json.Marshal(map[string]string{
+		"loginId":  "user@example.com",
+		"password": "password",
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/password/login", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		t.Fatalf("expected 200, got %d, body: %s", resp.StatusCode, string(bodyBytes))
+	}
+
+	if len(auditRepo.logs) != 1 {
+		t.Fatalf("expected 1 audit log, got %d", len(auditRepo.logs))
+	}
+	if auditRepo.logs[0].UserID != "kratos-identity-id" {
+		t.Fatalf("expected audit user_id kratos-identity-id, got %q", auditRepo.logs[0].UserID)
+	}
+
+	details, err := parseAuditDetails(auditRepo.logs[0].Details)
+	if err != nil {
+		t.Fatalf("failed to parse audit details: %v", err)
+	}
+	if got, _ := details["client_id"].(string); got != "userfront" {
+		t.Fatalf("expected client_id userfront, got %v", details["client_id"])
+	}
+	if got, _ := details["client_name"].(string); got != "UserFront" {
+		t.Fatalf("expected client_name UserFront, got %v", details["client_name"])
+	}
+}
+
 func TestHeadlessPasswordLogin_HeadlessLoginClientSuccess(t *testing.T) {
 	mockIdp := new(MockIdentityProvider)
 	mockIdp.On("SignIn", "employee001", "password").Return(&domain.AuthInfo{

backend/internal/handler/auth_handler_sessions_test.go

@@ -0,0 +1,685 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/service"
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+func TestListMySessions_Success(t *testing.T) {
+	now := time.Date(2026, 4, 2, 1, 2, 3, 0, time.UTC)
+	setDefaultHTTPClientForTest(t, roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/sessions/whoami" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id":               "current-sid",
+				"authenticated_at": now.Format(time.RFC3339),
+				"identity": map[string]any{
+					"id": "user-123",
+					"traits": map[string]any{
+						"email": "user@example.com",
+						"name":  "User",
+						"role":  "user",
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	}))
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{
+			ID:              "current-sid",
+			Active:          true,
+			AuthenticatedAt: now,
+			ExpiresAt:       now.Add(24 * time.Hour),
+		},
+		{
+			ID:              "other-sid",
+			Active:          true,
+			AuthenticatedAt: now.Add(-2 * time.Hour),
+			ExpiresAt:       now.Add(22 * time.Hour),
+		},
+	}, nil).Once()
+
+	auditRepo := &mockAuditRepo{
+		logs: []domain.AuditLog{
+			{
+				UserID:    "user-123",
+				EventType: "login_success",
+				SessionID: "other-sid",
+				Timestamp: now.Add(-30 * time.Minute),
+				IPAddress: "203.0.113.10",
+				UserAgent: "Mozilla/5.0",
+			},
+		},
+	}
+
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+	}
+
+	app := fiber.New()
+	app.Get("/api/v1/user/sessions", h.ListMySessions)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/sessions", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body struct {
+		Items []struct {
+			SessionID string `json:"session_id"`
+			IsCurrent bool   `json:"is_current"`
+			IsActive  bool   `json:"is_active"`
+			IPAddress string `json:"ip_address"`
+			UserAgent string `json:"user_agent"`
+		} `json:"items"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&body)
+	assert.NoError(t, err)
+	if assert.Len(t, body.Items, 2) {
+		assert.Equal(t, "current-sid", body.Items[0].SessionID)
+		assert.True(t, body.Items[0].IsCurrent)
+		assert.Equal(t, "other-sid", body.Items[1].SessionID)
+		assert.True(t, body.Items[1].IsActive)
+		assert.Equal(t, "203.0.113.10", body.Items[1].IPAddress)
+		assert.Equal(t, "Mozilla/5.0", body.Items[1].UserAgent)
+	}
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestListMySessions_UsesConsentGrantForAppName(t *testing.T) {
+	now := time.Date(2026, 4, 2, 4, 40, 0, 0, time.UTC)
+	setDefaultHTTPClientForTest(t, roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/sessions/whoami" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id":               "current-sid",
+				"authenticated_at": now.Format(time.RFC3339),
+				"identity": map[string]any{
+					"id": "user-123",
+					"traits": map[string]any{
+						"email": "user@example.com",
+						"name":  "User",
+						"role":  "user",
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	}))
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{
+			ID:              "current-sid",
+			Active:          true,
+			AuthenticatedAt: now,
+			ExpiresAt:       now.Add(24 * time.Hour),
+		},
+		{
+			ID:              "c7c721ea-session",
+			Active:          true,
+			AuthenticatedAt: now.Add(-5 * time.Minute),
+			ExpiresAt:       now.Add(23*time.Hour + 55*time.Minute),
+		},
+	}, nil).Once()
+
+	auditRepo := &mockAuditRepo{
+		logs: []domain.AuditLog{
+			{
+				UserID:    "user-123",
+				EventType: "consent.granted",
+				SessionID: "c7c721ea-session",
+				Timestamp: now,
+				Details:   `{"client_id":"devfront","client_name":"DevFront","session_id":"c7c721ea-session","approved_session_id":"c7c721ea-session"}`,
+			},
+		},
+	}
+
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+	}
+
+	app := fiber.New()
+	app.Get("/api/v1/user/sessions", h.ListMySessions)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/sessions", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body struct {
+		Items []struct {
+			SessionID string `json:"session_id"`
+			AppName   string `json:"app_name"`
+			ClientID  string `json:"client_id"`
+		} `json:"items"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&body)
+	assert.NoError(t, err)
+	if assert.Len(t, body.Items, 2) {
+		assert.Equal(t, "c7c721ea-session", body.Items[1].SessionID)
+		assert.Equal(t, "DevFront", body.Items[1].AppName)
+		assert.Equal(t, "devfront", body.Items[1].ClientID)
+	}
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestListMySessions_PreservesAppNameFromOlderConsentGrant(t *testing.T) {
+	now := time.Date(2026, 4, 2, 4, 40, 0, 0, time.UTC)
+	setDefaultHTTPClientForTest(t, roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/sessions/whoami" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id":               "current-sid",
+				"authenticated_at": now.Format(time.RFC3339),
+				"identity": map[string]any{
+					"id": "user-123",
+					"traits": map[string]any{
+						"email": "user@example.com",
+						"name":  "User",
+						"role":  "user",
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	}))
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{
+			ID:              "current-sid",
+			Active:          true,
+			AuthenticatedAt: now,
+			ExpiresAt:       now.Add(24 * time.Hour),
+		},
+		{
+			ID:              "c7c721ea-session",
+			Active:          true,
+			AuthenticatedAt: now.Add(-5 * time.Minute),
+			ExpiresAt:       now.Add(23*time.Hour + 55*time.Minute),
+		},
+	}, nil).Once()
+
+	auditRepo := &mockAuditRepo{
+		logs: []domain.AuditLog{
+			{
+				UserID:    "user-123",
+				EventType: "consent.granted",
+				SessionID: "c7c721ea-session",
+				Timestamp: now.Add(-30 * time.Second),
+				IPAddress: "203.0.113.10",
+				Details:   `{"client_id":"devfront","client_name":"DevFront","session_id":"c7c721ea-session"}`,
+			},
+			{
+				UserID:    "user-123",
+				EventType: "login_success",
+				SessionID: "c7c721ea-session",
+				Timestamp: now,
+				IPAddress: "10.0.0.12",
+				UserAgent: "Mozilla/5.0",
+			},
+		},
+	}
+
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+	}
+
+	app := fiber.New()
+	app.Get("/api/v1/user/sessions", h.ListMySessions)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/sessions", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body struct {
+		Items []struct {
+			SessionID string `json:"session_id"`
+			AppName   string `json:"app_name"`
+			ClientID  string `json:"client_id"`
+			IPAddress string `json:"ip_address"`
+		} `json:"items"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&body)
+	assert.NoError(t, err)
+	if assert.Len(t, body.Items, 2) {
+		assert.Equal(t, "c7c721ea-session", body.Items[1].SessionID)
+		assert.Equal(t, "DevFront", body.Items[1].AppName)
+		assert.Equal(t, "devfront", body.Items[1].ClientID)
+		assert.Equal(t, "203.0.113.10", body.Items[1].IPAddress)
+	}
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestListMySessions_CurrentSessionFallsBackToRequestMetadata(t *testing.T) {
+	now := time.Date(2026, 4, 6, 1, 2, 3, 0, time.UTC)
+	setDefaultHTTPClientForTest(t, roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/sessions/whoami" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id":               "current-sid",
+				"authenticated_at": now.Format(time.RFC3339),
+				"identity": map[string]any{
+					"id": "user-123",
+					"traits": map[string]any{
+						"email": "user@example.com",
+						"name":  "User",
+						"role":  "user",
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	}))
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{
+			ID:              "current-sid",
+			Active:          true,
+			AuthenticatedAt: now,
+			ExpiresAt:       now.Add(24 * time.Hour),
+		},
+	}, nil).Once()
+
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   &mockAuditRepo{},
+	}
+
+	app := fiber.New()
+	app.Get("/api/v1/user/sessions", h.ListMySessions)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/sessions", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+	req.Header.Set("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/146.0.0.0 Safari/537.36")
+	req.Header.Set("X-Forwarded-For", "100.100.100.1, 203.0.113.25")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body struct {
+		Items []struct {
+			SessionID string `json:"session_id"`
+			IsCurrent bool   `json:"is_current"`
+			IPAddress string `json:"ip_address"`
+			UserAgent string `json:"user_agent"`
+			ClientID  string `json:"client_id"`
+			AppName   string `json:"app_name"`
+		} `json:"items"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&body)
+	assert.NoError(t, err)
+	if assert.Len(t, body.Items, 1) {
+		assert.Equal(t, "current-sid", body.Items[0].SessionID)
+		assert.True(t, body.Items[0].IsCurrent)
+		assert.Equal(t, "203.0.113.25", body.Items[0].IPAddress)
+		assert.Contains(t, body.Items[0].UserAgent, "Mozilla/5.0")
+		assert.Equal(t, "userfront", body.Items[0].ClientID)
+		assert.Equal(t, "UserFront", body.Items[0].AppName)
+	}
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestDeleteMySession_Success(t *testing.T) {
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+	var hydraRevokeCalls int
+	client := &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch r.URL.Host {
+		case "kratos.test":
+			if r.URL.Path == "/sessions/whoami" {
+				return httpJSONAny(r, http.StatusOK, map[string]any{
+					"id":               "current-sid",
+					"authenticated_at": time.Now().UTC().Format(time.RFC3339),
+					"identity": map[string]any{
+						"id": "user-123",
+						"traits": map[string]any{
+							"email": "user@example.com",
+							"name":  "User",
+							"role":  "user",
+						},
+					},
+				}), nil
+			}
+		case "hydra.test":
+			if r.Method == http.MethodDelete && r.URL.Path == "/oauth2/auth/sessions/consent" {
+				if r.URL.Query().Get("subject") != "user-123" {
+					t.Fatalf("unexpected revoke subject: %s", r.URL.Query().Get("subject"))
+				}
+				if r.URL.Query().Get("client") != "devfront" {
+					t.Fatalf("unexpected revoke client: %s", r.URL.Query().Get("client"))
+				}
+				hydraRevokeCalls++
+				return httpResponse(r, http.StatusNoContent, ""), nil
+			}
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})}
+	setDefaultHTTPClientForTest(t, client.Transport)
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{ID: "target-sid", Active: true},
+	}, nil).Once()
+	mockKratos.On("GetSession", mock.Anything, "target-sid").Return(&service.KratosSession{
+		ID:     "target-sid",
+		Active: true,
+	}, nil).Once()
+	mockKratos.On("DeleteSession", mock.Anything, "target-sid").Return(nil).Once()
+
+	auditRepo := &mockAuditRepo{}
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+	auditRepo.logs = append(auditRepo.logs, domain.AuditLog{
+		UserID:    "user-123",
+		EventType: "POST /api/v1/auth/oidc/login/accept",
+		SessionID: "target-sid",
+		Details:   `{"client_id":"devfront","client_name":"Devfront"}`,
+	})
+
+	app := fiber.New()
+	app.Delete("/api/v1/user/sessions/:id", h.DeleteMySession)
+
+	req := httptest.NewRequest(http.MethodDelete, "/api/v1/user/sessions/target-sid", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+	req.Header.Set("User-Agent", "session-test-agent")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	if assert.Len(t, auditRepo.logs, 2) {
+		assert.Equal(t, "session.revoked", auditRepo.logs[len(auditRepo.logs)-1].EventType)
+		assert.Equal(t, "user-123", auditRepo.logs[len(auditRepo.logs)-1].UserID)
+		assert.Equal(t, "current-sid", auditRepo.logs[len(auditRepo.logs)-1].SessionID)
+		assert.Contains(t, auditRepo.logs[len(auditRepo.logs)-1].Details, "target-sid")
+	}
+	assert.Equal(t, 1, hydraRevokeCalls)
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestDeleteMySession_DoesNotRevokeAllHydraSessionsWhenClientBindingMissing(t *testing.T) {
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+	var hydraRevokeCalls int
+	client := &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch r.URL.Host {
+		case "kratos.test":
+			if r.URL.Path == "/sessions/whoami" {
+				return httpJSONAny(r, http.StatusOK, map[string]any{
+					"id":               "current-sid",
+					"authenticated_at": time.Now().UTC().Format(time.RFC3339),
+					"identity": map[string]any{
+						"id": "user-123",
+						"traits": map[string]any{
+							"email": "user@example.com",
+							"name":  "User",
+							"role":  "user",
+						},
+					},
+				}), nil
+			}
+		case "hydra.test":
+			if r.Method == http.MethodDelete && r.URL.Path == "/oauth2/auth/sessions/consent" {
+				hydraRevokeCalls++
+				return httpResponse(r, http.StatusNoContent, ""), nil
+			}
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})}
+	setDefaultHTTPClientForTest(t, client.Transport)
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{ID: "target-sid", Active: true},
+	}, nil).Once()
+	mockKratos.On("GetSession", mock.Anything, "target-sid").Return(&service.KratosSession{
+		ID:     "target-sid",
+		Active: true,
+	}, nil).Once()
+	mockKratos.On("DeleteSession", mock.Anything, "target-sid").Return(nil).Once()
+
+	auditRepo := &mockAuditRepo{}
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+
+	app := fiber.New()
+	app.Delete("/api/v1/user/sessions/:id", h.DeleteMySession)
+
+	req := httptest.NewRequest(http.MethodDelete, "/api/v1/user/sessions/target-sid", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+	req.Header.Set("User-Agent", "session-test-agent")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Equal(t, 0, hydraRevokeCalls)
+	if assert.Len(t, auditRepo.logs, 1) {
+		assert.Equal(t, "session.revoked", auditRepo.logs[0].EventType)
+		assert.Equal(t, "user-123", auditRepo.logs[0].UserID)
+		assert.Contains(t, auditRepo.logs[0].Details, "target-sid")
+	}
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestDeleteMySession_RevokesHydraClientBoundFromPasswordLoginAudit(t *testing.T) {
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+	var hydraRevokeCalls int
+	var revokedClient string
+	client := &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch r.URL.Host {
+		case "kratos.test":
+			if r.URL.Path == "/sessions/whoami" {
+				return httpJSONAny(r, http.StatusOK, map[string]any{
+					"id":               "current-sid",
+					"authenticated_at": time.Now().UTC().Format(time.RFC3339),
+					"identity": map[string]any{
+						"id": "user-123",
+						"traits": map[string]any{
+							"email": "user@example.com",
+							"name":  "User",
+							"role":  "user",
+						},
+					},
+				}), nil
+			}
+		case "hydra.test":
+			if r.Method == http.MethodDelete && r.URL.Path == "/oauth2/auth/sessions/consent" {
+				revokedClient = r.URL.Query().Get("client")
+				hydraRevokeCalls++
+				return httpResponse(r, http.StatusNoContent, ""), nil
+			}
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})}
+	setDefaultHTTPClientForTest(t, client.Transport)
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{ID: "target-sid", Active: true},
+	}, nil).Once()
+	mockKratos.On("GetSession", mock.Anything, "target-sid").Return(&service.KratosSession{
+		ID:     "target-sid",
+		Active: true,
+	}, nil).Once()
+	mockKratos.On("DeleteSession", mock.Anything, "target-sid").Return(nil).Once()
+
+	auditRepo := &mockAuditRepo{}
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+	auditRepo.logs = append(auditRepo.logs, domain.AuditLog{
+		UserID:    "user-123",
+		EventType: "POST /api/v1/auth/password/login",
+		SessionID: "target-sid",
+		Details:   `{"client_id":"adminfront","client_name":"AdminFront","session_id":"target-sid"}`,
+	})
+
+	app := fiber.New()
+	app.Delete("/api/v1/user/sessions/:id", h.DeleteMySession)
+
+	req := httptest.NewRequest(http.MethodDelete, "/api/v1/user/sessions/target-sid", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+	req.Header.Set("User-Agent", "session-test-agent")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Equal(t, 1, hydraRevokeCalls)
+	assert.Equal(t, "adminfront", revokedClient)
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestGetHydraProfile_RejectsInactiveLinkedSession(t *testing.T) {
+	client := &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Host == "hydra.test" && r.URL.Path == "/oauth2/introspect" {
+			body, _ := io.ReadAll(r.Body)
+			if string(body) != "token=opaque-token" {
+				t.Fatalf("unexpected introspect body: %s", string(body))
+			}
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"active":    true,
+				"sub":       "user-123",
+				"client_id": "devfront",
+				"ext": map[string]any{
+					"session_id": "target-sid",
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})}
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("GetSession", mock.Anything, "target-sid").Return(&service.KratosSession{
+		ID:     "target-sid",
+		Active: false,
+		Identity: &service.KratosIdentity{
+			ID: "user-123",
+		},
+	}, nil).Once()
+
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+
+	profile, err := h.getHydraProfile(context.Background(), "opaque-token")
+	assert.Nil(t, profile)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "inactive")
+	mockKratos.AssertExpectations(t)
+}
+
+func TestGetAuthTimeline_FillsSessionIDFromOathkeeperRaw(t *testing.T) {
+	now := time.Date(2026, 4, 7, 4, 39, 0, 0, time.UTC)
+	setDefaultHTTPClientForTest(t, roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/sessions/whoami" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id":               "current-sid",
+				"authenticated_at": now.Format(time.RFC3339),
+				"identity": map[string]any{
+					"id": "user-123",
+					"traits": map[string]any{
+						"email": "user@example.com",
+						"name":  "User",
+						"role":  "user",
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	}))
+
+	h := &AuthHandler{
+		AuditRepo: &mockAuditRepo{},
+		OathkeeperRepo: &mockOathkeeperRepo{
+			logs: []domain.OathkeeperAccessLog{
+				{
+					Timestamp: now,
+					RequestID: "req-1",
+					Method:    http.MethodGet,
+					Path:      "/api/v1/dev/sessions",
+					Status:    http.StatusOK,
+					Subject:   "user-123",
+					ClientIP:  "203.0.113.7",
+					UserAgent: "Mozilla/5.0",
+					Raw:       `{"request":{"url":"https://devfront.example.com/callback?client_id=devfront"},"extra":{"session_id":"target-sid"}}`,
+				},
+			},
+		},
+	}
+
+	app := fiber.New()
+	app.Get("/api/v1/audit/auth/timeline", h.GetAuthTimeline)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/audit/auth/timeline", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body struct {
+		Items []struct {
+			SessionID string `json:"session_id"`
+			ClientID  string `json:"client_id"`
+			AppName   string `json:"app_name"`
+			Source    string `json:"source"`
+		} `json:"items"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&body)
+	assert.NoError(t, err)
+	if assert.Len(t, body.Items, 1) {
+		assert.Equal(t, "target-sid", body.Items[0].SessionID)
+		assert.Equal(t, "devfront", body.Items[0].ClientID)
+		assert.Equal(t, "devfront", body.Items[0].AppName)
+		assert.Equal(t, "oathkeeper", body.Items[0].Source)
+	}
+}

backend/internal/handler/common_test.go

@@ -115,6 +115,25 @@ func (m *mockAuditRepo) CountActiveSessionsSince(ctx context.Context, since time
 
 func (m *mockAuditRepo) Ping(ctx context.Context) error { return nil }
 
+type mockOathkeeperRepo struct {
+	logs []domain.OathkeeperAccessLog
+}
+
+func (m *mockOathkeeperRepo) FindPageBySubject(ctx context.Context, subject string, limit int, cursor *domain.AuditCursor) ([]domain.OathkeeperAccessLog, error) {
+	if subject == "" {
+		return m.logs, nil
+	}
+	results := make([]domain.OathkeeperAccessLog, 0, len(m.logs))
+	for _, log := range m.logs {
+		if log.Subject == subject {
+			results = append(results, log)
+		}
+	}
+	return results, nil
+}
+
+func (m *mockOathkeeperRepo) Ping(ctx context.Context) error { return nil }
+
 // --- Mock Consent Repository ---
 
 type mockConsentRepo struct {

backend/internal/handler/user_handler_test.go

@@ -56,6 +56,26 @@ func (m *MockKratosAdmin) DeleteIdentity(ctx context.Context, id string) error {
 	return m.Called(ctx, id).Error(0)
 }
 
+func (m *MockKratosAdmin) ListIdentitySessions(ctx context.Context, identityID string) ([]service.KratosSession, error) {
+	args := m.Called(ctx, identityID)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).([]service.KratosSession), args.Error(1)
+}
+
+func (m *MockKratosAdmin) GetSession(ctx context.Context, sessionID string) (*service.KratosSession, error) {
+	args := m.Called(ctx, sessionID)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*service.KratosSession), args.Error(1)
+}
+
+func (m *MockKratosAdmin) DeleteSession(ctx context.Context, sessionID string) error {
+	return m.Called(ctx, sessionID).Error(0)
+}
+
 type MockOryProvider struct {
 	mock.Mock
 }

backend/internal/middleware/audit_middleware.go

@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"log/slog"
 	"reflect"
-	"strings"
 	"sync"
 	"time"
 
@@ -217,16 +216,5 @@ func AuditMiddleware(config AuditConfig) fiber.Handler {
 }
 
 func extractClientIP(c *fiber.Ctx) string {
-	if forwarded := c.Get("X-Forwarded-For"); forwarded != "" {
-		parts := strings.Split(forwarded, ",")
-		if len(parts) > 0 {
-			if ip := strings.TrimSpace(parts[0]); ip != "" {
-				return ip
-			}
-		}
-	}
-	if realIP := strings.TrimSpace(c.Get("X-Real-IP")); realIP != "" {
-		return realIP
-	}
-	return c.IP()
+	return utils.ResolveClientIP(c.Get("X-Forwarded-For"), c.Get("X-Real-IP"), c.IP())
 }

backend/internal/middleware/audit_middleware_test.go

@@ -117,6 +117,30 @@ func TestAuditMiddleware(t *testing.T) {
 		mockRepo.AssertExpectations(t)
 	})
 
+	t.Run("POST request - Prefer public forwarded IP", func(t *testing.T) {
+		app := fiber.New()
+		mockRepo := new(MockAuditRepository)
+
+		app.Use(AuditMiddleware(AuditConfig{
+			Repo: mockRepo,
+		}))
+
+		app.Post("/test", func(c *fiber.Ctx) error {
+			return c.SendStatus(fiber.StatusOK)
+		})
+
+		mockRepo.On("Create", mock.MatchedBy(func(log *domain.AuditLog) bool {
+			return log.IPAddress == "203.0.113.25"
+		})).Return(nil)
+
+		req := httptest.NewRequest("POST", "/test", nil)
+		req.Header.Set("X-Forwarded-For", "100.100.100.1, 203.0.113.25")
+
+		resp, _ := app.Test(req)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+		mockRepo.AssertExpectations(t)
+	})
+
 	t.Run("POST request - Sync Failure (Strict Mode)", func(t *testing.T) {
 		app := fiber.New()
 		mockRepo := new(MockAuditRepository)

backend/internal/service/hydra_admin_service.go

@@ -264,6 +264,8 @@ func (s *HydraAdminService) RevokeConsentSessions(ctx context.Context, subject,
 	}
 	if clientID != "" {
 		params["client"] = clientID
+	} else {
+		params["all"] = "true"
 	}
 	endpoint, err := s.buildURLWithParams("/oauth2/auth/sessions/consent", params)
 	if err != nil {

backend/internal/service/kratos_admin_service.go

@@ -28,6 +28,21 @@ type KratosIdentity struct {
 	UpdatedAt      time.Time              `json:"updated_at,omitempty"`
 }
 
+type KratosSessionDevice struct {
+	UserAgent string `json:"user_agent,omitempty"`
+	IPAddress string `json:"ip_address,omitempty"`
+}
+
+type KratosSession struct {
+	ID              string                `json:"id"`
+	Active          bool                  `json:"active"`
+	AuthenticatedAt time.Time             `json:"authenticated_at,omitempty"`
+	ExpiresAt       time.Time             `json:"expires_at,omitempty"`
+	IssuedAt        time.Time             `json:"issued_at,omitempty"`
+	Identity        *KratosIdentity       `json:"identity,omitempty"`
+	Devices         []KratosSessionDevice `json:"devices,omitempty"`
+}
+
 type KratosAdminService interface {
 	ListIdentities(ctx context.Context) ([]KratosIdentity, error)
 	FindIdentityIDByIdentifier(ctx context.Context, identifier string) (string, error)
@@ -245,7 +260,7 @@ func (s *kratosAdminService) CreateUser(ctx context.Context, user *domain.Broker
 	if user == nil {
 		return "", fmt.Errorf("kratos admin: user payload is nil")
 	}
-	
+
 	traits := map[string]interface{}{
 		"email": user.Email,
 		"name":  user.Name,

backend/internal/service/mock_common_test.go

@@ -116,5 +116,3 @@ func (m *MockKratosAdminServiceShared) CreateUser(ctx context.Context, user *dom
 	args := m.Called(ctx, user, password)
 	return args.String(0), args.Error(1)
 }
-
-

backend/internal/service/tenant_service_test.go

@@ -150,6 +150,7 @@ func (m *MockUserRepoForTenant) CountByTenantIDs(ctx context.Context, tenantIDs
 	}
 	return args.Get(0).(map[string]int64), args.Error(1)
 }
+
 func (m *MockUserRepoForTenant) CountByCompanyCodes(ctx context.Context, codes []string) (map[string]int64, error) {
 	args := m.Called(ctx, codes)
 	if args.Get(0) == nil {

backend/internal/utils/client_ip.go

@@ -0,0 +1,87 @@
+package utils
+
+import (
+	"net"
+	"strings"
+)
+
+// ResolveClientIP selects the best client IP from proxy headers and the remote address.
+// It prefers a public IP from X-Forwarded-For, then X-Real-IP, and finally the remote IP.
+func ResolveClientIP(forwardedFor, realIP, remoteIP string) string {
+	forwardedCandidates := splitClientIPs(forwardedFor)
+	if ip := firstPublicIP(forwardedCandidates); ip != "" {
+		return ip
+	}
+	if ip := normalizeIP(realIP); ip != "" && !IsPrivateOrReservedIP(ip) {
+		return ip
+	}
+	if ip := normalizeIP(remoteIP); ip != "" && !IsPrivateOrReservedIP(ip) {
+		return ip
+	}
+	if len(forwardedCandidates) > 0 {
+		return forwardedCandidates[0]
+	}
+	if ip := normalizeIP(realIP); ip != "" {
+		return ip
+	}
+	return normalizeIP(remoteIP)
+}
+
+// IsPrivateOrReservedIP reports whether the IP is private or from a non-public network range.
+func IsPrivateOrReservedIP(raw string) bool {
+	ip := net.ParseIP(strings.TrimSpace(raw))
+	if ip == nil {
+		return false
+	}
+	if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalMulticast() || ip.IsLinkLocalUnicast() {
+		return true
+	}
+	for _, cidr := range []string{
+		"100.64.0.0/10",
+		"fc00::/7",
+	} {
+		_, network, err := net.ParseCIDR(cidr)
+		if err == nil && network.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+func splitClientIPs(forwardedFor string) []string {
+	if strings.TrimSpace(forwardedFor) == "" {
+		return nil
+	}
+	parts := strings.Split(forwardedFor, ",")
+	result := make([]string, 0, len(parts))
+	for _, part := range parts {
+		if ip := normalizeIP(part); ip != "" {
+			result = append(result, ip)
+		}
+	}
+	return result
+}
+
+func firstPublicIP(candidates []string) string {
+	for _, candidate := range candidates {
+		if !IsPrivateOrReservedIP(candidate) {
+			return candidate
+		}
+	}
+	return ""
+}
+
+func normalizeIP(raw string) string {
+	raw = strings.TrimSpace(raw)
+	if raw == "" {
+		return ""
+	}
+	if host, _, err := net.SplitHostPort(raw); err == nil {
+		raw = host
+	}
+	ip := net.ParseIP(raw)
+	if ip == nil {
+		return ""
+	}
+	return ip.String()
+}

backend/internal/utils/client_ip_test.go

@@ -0,0 +1,24 @@
+package utils
+
+import "testing"
+
+func TestResolveClientIP_PrefersPublicForwardedIP(t *testing.T) {
+	got := ResolveClientIP("100.100.100.1, 203.0.113.25, 10.0.0.2", "", "172.18.0.5")
+	if got != "203.0.113.25" {
+		t.Fatalf("expected public forwarded IP, got %q", got)
+	}
+}
+
+func TestResolveClientIP_FallsBackToFirstForwardedWhenAllPrivate(t *testing.T) {
+	got := ResolveClientIP("100.100.100.1, 10.0.0.2", "192.168.0.10", "172.18.0.5")
+	if got != "100.100.100.1" {
+		t.Fatalf("expected first forwarded private IP, got %q", got)
+	}
+}
+
+func TestResolveClientIP_PrefersPublicRealIPOverPrivateForwarded(t *testing.T) {
+	got := ResolveClientIP("100.100.100.1, 10.0.0.2", "198.51.100.7", "172.18.0.5")
+	if got != "198.51.100.7" {
+		t.Fatalf("expected public real IP, got %q", got)
+	}
+}