Merge branch 'dev' into fix/rebac-env-sync-issue

backend/internal/handler/auth_handler_async_test.go

@@ -80,6 +80,7 @@ func (m *AsyncMockUserRepo) Create(ctx context.Context, user *domain.User) error
 	}
 	return args.Error(0)
 }
+
 func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error {
 	args := m.Called(ctx, user)
 	if m.createCalled != nil {
@@ -87,6 +88,7 @@ func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error
 	}
 	return args.Error(0)
 }
+
 func (m *AsyncMockUserRepo) Delete(ctx context.Context, id string) error { return nil }
 func (m *AsyncMockUserRepo) FindByEmail(ctx context.Context, email string) (*domain.User, error) {
 	return nil, nil

backend/internal/handler/auth_handler_linked_test.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"
 
@@ -45,11 +46,14 @@ func TestListLinkedRps_PriorityAndAggregation(t *testing.T) {
 				return httpJSONAny(r, http.StatusOK, []map[string]interface{}{
 					{
 						"client": map[string]interface{}{
-							"client_id":   "client-active",
-							"client_name": "Active App",
+							"client_id":   "devfront",
+							"client_name": "DevFront",
+							"redirect_uris": []string{
+								"https://active.example.com/callback",
+							},
 						},
-						"granted_scope": []string{"openid"},
-						"handled_at":    time.Now().Format(time.RFC3339),
+						"grant_scope": []string{"openid", "profile"},
+						"handled_at":  time.Now().Format(time.RFC3339),
 					},
 				}), nil
 			}
@@ -111,6 +115,8 @@ func TestListLinkedRps_PriorityAndAggregation(t *testing.T) {
 
 	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
 	t.Setenv("KRATOS_ADMIN_URL", "http://kratos.test")
+	t.Setenv("HYDRA_PUBLIC_URL", "https://sso.example.com/oidc")
+	t.Setenv("DEVFRONT_URL", "http://localhost:5174")
 
 	app := newLinkedRpTestApp(h)
 
@@ -123,10 +129,11 @@ func TestListLinkedRps_PriorityAndAggregation(t *testing.T) {
 
 	var res struct {
 		Items []struct {
-			ID     string   `json:"id"`
-			Name   string   `json:"name"`
-			Status string   `json:"status"`
-			Scopes []string `json:"scopes"`
+			ID      string   `json:"id"`
+			Name    string   `json:"name"`
+			Status  string   `json:"status"`
+			Scopes  []string `json:"scopes"`
+			InitURL string   `json:"init_url"`
 		} `json:"items"`
 	}
 	json.NewDecoder(resp.Body).Decode(&res)
@@ -138,7 +145,108 @@ func TestListLinkedRps_PriorityAndAggregation(t *testing.T) {
 		statusMap[item.ID] = item.Status
 	}
 
-	assert.Equal(t, "active", statusMap["client-active"])
+	assert.Equal(t, "active", statusMap["devfront"])
 	assert.Equal(t, "inactive", statusMap["client-consent"])
 	assert.Equal(t, "inactive", statusMap["client-audit"])
+
+	var activeInitURL string
+	for _, item := range res.Items {
+		if item.ID == "devfront" {
+			activeInitURL = item.InitURL
+			break
+		}
+	}
+
+	parsedInitURL, err := url.Parse(activeInitURL)
+	assert.NoError(t, err)
+	assert.Equal(t, "http", parsedInitURL.Scheme)
+	assert.Equal(t, "localhost:5174", parsedInitURL.Host)
+	assert.Equal(t, "/login", parsedInitURL.Path)
+	assert.Equal(t, "1", parsedInitURL.Query().Get("auto"))
+	assert.Equal(t, "/clients", parsedInitURL.Query().Get("returnTo"))
+}
+
+func TestListLinkedRps_EnrichesLogoFromHydraClientWhenConsentSessionOmitsMetadata(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch r.URL.Host {
+		case "kratos.test":
+			if r.URL.Path == "/sessions/whoami" {
+				return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+					"identity": map[string]interface{}{
+						"id": "user-123",
+					},
+				}), nil
+			}
+		case "hydra.test":
+			if r.URL.Path == "/oauth2/auth/sessions/consent" {
+				return httpJSONAny(r, http.StatusOK, []map[string]interface{}{
+					{
+						"client": map[string]interface{}{
+							"client_id":   "gitea-client",
+							"client_name": "Gitea",
+							"redirect_uris": []string{
+								"https://gitea.example.com/callback",
+							},
+						},
+						"grant_scope": []string{"openid", "profile"},
+						"handled_at":  time.Now().Format(time.RFC3339),
+					},
+				}), nil
+			}
+			if r.URL.Path == "/clients/gitea-client" {
+				return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+					"client_id":   "gitea-client",
+					"client_name": "Gitea",
+					"redirect_uris": []string{
+						"https://gitea.example.com/callback",
+					},
+					"metadata": map[string]interface{}{
+						"logo_url": "https://cdn.example.com/gitea.svg",
+					},
+				}), nil
+			}
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+
+	origDefault := http.DefaultClient
+	http.DefaultClient = client
+	defer func() {
+		http.DefaultClient = origDefault
+	}()
+
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+		KratosAdmin: new(MockKratosAdminService),
+	}
+
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+	t.Setenv("KRATOS_ADMIN_URL", "http://kratos.test")
+	t.Setenv("HYDRA_PUBLIC_URL", "https://sso.example.com/oidc")
+
+	app := newLinkedRpTestApp(h)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/rp/linked", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var res struct {
+		Items []struct {
+			ID   string `json:"id"`
+			Logo string `json:"logo"`
+		} `json:"items"`
+	}
+	json.NewDecoder(resp.Body).Decode(&res)
+
+	assert.Len(t, res.Items, 1)
+	assert.Equal(t, "gitea-client", res.Items[0].ID)
+	assert.Equal(t, "https://cdn.example.com/gitea.svg", res.Items[0].Logo)
 }

backend/internal/handler/auth_handler_login_test.go

@@ -7,6 +7,7 @@ package handler
 
 import (
 	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/middleware"
 	"baron-sso-backend/internal/service"
 	"bytes"
 	"context"
@@ -122,6 +123,27 @@ func (m *MockKratosAdminService) DeleteIdentity(ctx context.Context, identityID
 	return nil
 }
 
+func (m *MockKratosAdminService) ListIdentitySessions(ctx context.Context, identityID string) ([]service.KratosSession, error) {
+	args := m.Called(ctx, identityID)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).([]service.KratosSession), args.Error(1)
+}
+
+func (m *MockKratosAdminService) GetSession(ctx context.Context, sessionID string) (*service.KratosSession, error) {
+	args := m.Called(ctx, sessionID)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*service.KratosSession), args.Error(1)
+}
+
+func (m *MockKratosAdminService) DeleteSession(ctx context.Context, sessionID string) error {
+	args := m.Called(ctx, sessionID)
+	return args.Error(0)
+}
+
 // --- Helper ---
 
 func newAuthLoginTestApp(h *AuthHandler) *fiber.App {
@@ -616,6 +638,156 @@ func TestPasswordLogin_OIDC_Success(t *testing.T) {
 	}
 }
 
+func TestPasswordLogin_OIDC_AuditIncludesClientMetadata(t *testing.T) {
+	mockIdp := new(MockIdentityProvider)
+	mockIdp.On("SignIn", "user@example.com", "password").Return(&domain.AuthInfo{
+		SessionToken: &domain.Token{JWT: "valid-jwt", SessionID: "session-123"},
+		Subject:      "kratos-identity-id",
+	}, nil)
+
+	hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch {
+		case strings.Contains(r.URL.Path, "/oauth2/auth/requests/login") && r.Method == http.MethodGet:
+			json.NewEncoder(w).Encode(domain.HydraLoginRequest{
+				Challenge: "challenge-123",
+				Client: domain.HydraClient{
+					ClientID:   "devfront",
+					ClientName: "DevFront",
+					Metadata:   map[string]interface{}{"status": "active"},
+				},
+			})
+		case strings.Contains(r.URL.Path, "/oauth2/auth/requests/login/accept") && r.Method == http.MethodPut:
+			json.NewEncoder(w).Encode(map[string]string{"redirect_to": "http://rp/cb"})
+		default:
+			http.NotFound(w, r)
+		}
+	})
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("FindIdentityIDByIdentifier", mock.Anything, "user@example.com").Return("kratos-identity-id", nil)
+
+	auditRepo := &mockAuditRepo{}
+	h := &AuthHandler{
+		IdpProvider: mockIdp,
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: mockHydraTransport(hydraHandler)},
+		},
+	}
+
+	app := fiber.New()
+	app.Use(middleware.AuditMiddleware(middleware.AuditConfig{
+		Repo:     auditRepo,
+		BodyDump: true,
+	}))
+	app.Post("/api/v1/auth/password/login", h.PasswordLogin)
+
+	body, _ := json.Marshal(map[string]string{
+		"loginId":         "user@example.com",
+		"password":        "password",
+		"login_challenge": "challenge-123",
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/password/login", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		t.Fatalf("expected 200, got %d, body: %s", resp.StatusCode, string(bodyBytes))
+	}
+
+	if len(auditRepo.logs) != 1 {
+		t.Fatalf("expected 1 audit log, got %d", len(auditRepo.logs))
+	}
+
+	log := auditRepo.logs[0]
+	if log.EventType != "POST /api/v1/auth/password/login" {
+		t.Fatalf("expected password login audit event, got %q", log.EventType)
+	}
+	if log.UserID != "kratos-identity-id" {
+		t.Fatalf("expected audit user_id kratos-identity-id, got %q", log.UserID)
+	}
+
+	details, err := parseAuditDetails(log.Details)
+	if err != nil {
+		t.Fatalf("failed to parse audit details: %v", err)
+	}
+	if got, _ := details["client_id"].(string); got != "devfront" {
+		t.Fatalf("expected client_id devfront, got %v", details["client_id"])
+	}
+	if got, _ := details["client_name"].(string); got != "DevFront" {
+		t.Fatalf("expected client_name DevFront, got %v", details["client_name"])
+	}
+}
+
+func TestPasswordLogin_UserFront_AuditIncludesDefaultClientMetadata(t *testing.T) {
+	mockIdp := new(MockIdentityProvider)
+	mockIdp.On("SignIn", "user@example.com", "password").Return(&domain.AuthInfo{
+		SessionToken: &domain.Token{JWT: "valid-jwt", SessionID: "session-123"},
+		Subject:      "kratos-identity-id",
+	}, nil)
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("FindIdentityIDByIdentifier", mock.Anything, "user@example.com").Return("kratos-identity-id", nil)
+
+	auditRepo := &mockAuditRepo{}
+	h := &AuthHandler{
+		IdpProvider: mockIdp,
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+	}
+
+	app := fiber.New()
+	app.Use(middleware.AuditMiddleware(middleware.AuditConfig{
+		Repo:     auditRepo,
+		BodyDump: true,
+	}))
+	app.Post("/api/v1/auth/password/login", h.PasswordLogin)
+
+	body, _ := json.Marshal(map[string]string{
+		"loginId":  "user@example.com",
+		"password": "password",
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/password/login", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		t.Fatalf("expected 200, got %d, body: %s", resp.StatusCode, string(bodyBytes))
+	}
+
+	if len(auditRepo.logs) != 1 {
+		t.Fatalf("expected 1 audit log, got %d", len(auditRepo.logs))
+	}
+	if auditRepo.logs[0].UserID != "kratos-identity-id" {
+		t.Fatalf("expected audit user_id kratos-identity-id, got %q", auditRepo.logs[0].UserID)
+	}
+
+	details, err := parseAuditDetails(auditRepo.logs[0].Details)
+	if err != nil {
+		t.Fatalf("failed to parse audit details: %v", err)
+	}
+	if got, _ := details["client_id"].(string); got != "userfront" {
+		t.Fatalf("expected client_id userfront, got %v", details["client_id"])
+	}
+	if got, _ := details["client_name"].(string); got != "UserFront" {
+		t.Fatalf("expected client_name UserFront, got %v", details["client_name"])
+	}
+}
+
 func TestHeadlessPasswordLogin_HeadlessLoginClientSuccess(t *testing.T) {
 	mockIdp := new(MockIdentityProvider)
 	mockIdp.On("SignIn", "employee001", "password").Return(&domain.AuthInfo{

backend/internal/handler/auth_handler_sessions_test.go

@@ -0,0 +1,685 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/service"
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+func TestListMySessions_Success(t *testing.T) {
+	now := time.Date(2026, 4, 2, 1, 2, 3, 0, time.UTC)
+	setDefaultHTTPClientForTest(t, roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/sessions/whoami" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id":               "current-sid",
+				"authenticated_at": now.Format(time.RFC3339),
+				"identity": map[string]any{
+					"id": "user-123",
+					"traits": map[string]any{
+						"email": "user@example.com",
+						"name":  "User",
+						"role":  "user",
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	}))
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{
+			ID:              "current-sid",
+			Active:          true,
+			AuthenticatedAt: now,
+			ExpiresAt:       now.Add(24 * time.Hour),
+		},
+		{
+			ID:              "other-sid",
+			Active:          true,
+			AuthenticatedAt: now.Add(-2 * time.Hour),
+			ExpiresAt:       now.Add(22 * time.Hour),
+		},
+	}, nil).Once()
+
+	auditRepo := &mockAuditRepo{
+		logs: []domain.AuditLog{
+			{
+				UserID:    "user-123",
+				EventType: "login_success",
+				SessionID: "other-sid",
+				Timestamp: now.Add(-30 * time.Minute),
+				IPAddress: "203.0.113.10",
+				UserAgent: "Mozilla/5.0",
+			},
+		},
+	}
+
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+	}
+
+	app := fiber.New()
+	app.Get("/api/v1/user/sessions", h.ListMySessions)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/sessions", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body struct {
+		Items []struct {
+			SessionID string `json:"session_id"`
+			IsCurrent bool   `json:"is_current"`
+			IsActive  bool   `json:"is_active"`
+			IPAddress string `json:"ip_address"`
+			UserAgent string `json:"user_agent"`
+		} `json:"items"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&body)
+	assert.NoError(t, err)
+	if assert.Len(t, body.Items, 2) {
+		assert.Equal(t, "current-sid", body.Items[0].SessionID)
+		assert.True(t, body.Items[0].IsCurrent)
+		assert.Equal(t, "other-sid", body.Items[1].SessionID)
+		assert.True(t, body.Items[1].IsActive)
+		assert.Equal(t, "203.0.113.10", body.Items[1].IPAddress)
+		assert.Equal(t, "Mozilla/5.0", body.Items[1].UserAgent)
+	}
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestListMySessions_UsesConsentGrantForAppName(t *testing.T) {
+	now := time.Date(2026, 4, 2, 4, 40, 0, 0, time.UTC)
+	setDefaultHTTPClientForTest(t, roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/sessions/whoami" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id":               "current-sid",
+				"authenticated_at": now.Format(time.RFC3339),
+				"identity": map[string]any{
+					"id": "user-123",
+					"traits": map[string]any{
+						"email": "user@example.com",
+						"name":  "User",
+						"role":  "user",
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	}))
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{
+			ID:              "current-sid",
+			Active:          true,
+			AuthenticatedAt: now,
+			ExpiresAt:       now.Add(24 * time.Hour),
+		},
+		{
+			ID:              "c7c721ea-session",
+			Active:          true,
+			AuthenticatedAt: now.Add(-5 * time.Minute),
+			ExpiresAt:       now.Add(23*time.Hour + 55*time.Minute),
+		},
+	}, nil).Once()
+
+	auditRepo := &mockAuditRepo{
+		logs: []domain.AuditLog{
+			{
+				UserID:    "user-123",
+				EventType: "consent.granted",
+				SessionID: "c7c721ea-session",
+				Timestamp: now,
+				Details:   `{"client_id":"devfront","client_name":"DevFront","session_id":"c7c721ea-session","approved_session_id":"c7c721ea-session"}`,
+			},
+		},
+	}
+
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+	}
+
+	app := fiber.New()
+	app.Get("/api/v1/user/sessions", h.ListMySessions)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/sessions", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body struct {
+		Items []struct {
+			SessionID string `json:"session_id"`
+			AppName   string `json:"app_name"`
+			ClientID  string `json:"client_id"`
+		} `json:"items"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&body)
+	assert.NoError(t, err)
+	if assert.Len(t, body.Items, 2) {
+		assert.Equal(t, "c7c721ea-session", body.Items[1].SessionID)
+		assert.Equal(t, "DevFront", body.Items[1].AppName)
+		assert.Equal(t, "devfront", body.Items[1].ClientID)
+	}
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestListMySessions_PreservesAppNameFromOlderConsentGrant(t *testing.T) {
+	now := time.Date(2026, 4, 2, 4, 40, 0, 0, time.UTC)
+	setDefaultHTTPClientForTest(t, roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/sessions/whoami" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id":               "current-sid",
+				"authenticated_at": now.Format(time.RFC3339),
+				"identity": map[string]any{
+					"id": "user-123",
+					"traits": map[string]any{
+						"email": "user@example.com",
+						"name":  "User",
+						"role":  "user",
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	}))
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{
+			ID:              "current-sid",
+			Active:          true,
+			AuthenticatedAt: now,
+			ExpiresAt:       now.Add(24 * time.Hour),
+		},
+		{
+			ID:              "c7c721ea-session",
+			Active:          true,
+			AuthenticatedAt: now.Add(-5 * time.Minute),
+			ExpiresAt:       now.Add(23*time.Hour + 55*time.Minute),
+		},
+	}, nil).Once()
+
+	auditRepo := &mockAuditRepo{
+		logs: []domain.AuditLog{
+			{
+				UserID:    "user-123",
+				EventType: "consent.granted",
+				SessionID: "c7c721ea-session",
+				Timestamp: now.Add(-30 * time.Second),
+				IPAddress: "203.0.113.10",
+				Details:   `{"client_id":"devfront","client_name":"DevFront","session_id":"c7c721ea-session"}`,
+			},
+			{
+				UserID:    "user-123",
+				EventType: "login_success",
+				SessionID: "c7c721ea-session",
+				Timestamp: now,
+				IPAddress: "10.0.0.12",
+				UserAgent: "Mozilla/5.0",
+			},
+		},
+	}
+
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+	}
+
+	app := fiber.New()
+	app.Get("/api/v1/user/sessions", h.ListMySessions)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/sessions", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body struct {
+		Items []struct {
+			SessionID string `json:"session_id"`
+			AppName   string `json:"app_name"`
+			ClientID  string `json:"client_id"`
+			IPAddress string `json:"ip_address"`
+		} `json:"items"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&body)
+	assert.NoError(t, err)
+	if assert.Len(t, body.Items, 2) {
+		assert.Equal(t, "c7c721ea-session", body.Items[1].SessionID)
+		assert.Equal(t, "DevFront", body.Items[1].AppName)
+		assert.Equal(t, "devfront", body.Items[1].ClientID)
+		assert.Equal(t, "203.0.113.10", body.Items[1].IPAddress)
+	}
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestListMySessions_CurrentSessionFallsBackToRequestMetadata(t *testing.T) {
+	now := time.Date(2026, 4, 6, 1, 2, 3, 0, time.UTC)
+	setDefaultHTTPClientForTest(t, roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/sessions/whoami" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id":               "current-sid",
+				"authenticated_at": now.Format(time.RFC3339),
+				"identity": map[string]any{
+					"id": "user-123",
+					"traits": map[string]any{
+						"email": "user@example.com",
+						"name":  "User",
+						"role":  "user",
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	}))
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{
+			ID:              "current-sid",
+			Active:          true,
+			AuthenticatedAt: now,
+			ExpiresAt:       now.Add(24 * time.Hour),
+		},
+	}, nil).Once()
+
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   &mockAuditRepo{},
+	}
+
+	app := fiber.New()
+	app.Get("/api/v1/user/sessions", h.ListMySessions)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/sessions", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+	req.Header.Set("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/146.0.0.0 Safari/537.36")
+	req.Header.Set("X-Forwarded-For", "100.100.100.1, 203.0.113.25")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body struct {
+		Items []struct {
+			SessionID string `json:"session_id"`
+			IsCurrent bool   `json:"is_current"`
+			IPAddress string `json:"ip_address"`
+			UserAgent string `json:"user_agent"`
+			ClientID  string `json:"client_id"`
+			AppName   string `json:"app_name"`
+		} `json:"items"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&body)
+	assert.NoError(t, err)
+	if assert.Len(t, body.Items, 1) {
+		assert.Equal(t, "current-sid", body.Items[0].SessionID)
+		assert.True(t, body.Items[0].IsCurrent)
+		assert.Equal(t, "203.0.113.25", body.Items[0].IPAddress)
+		assert.Contains(t, body.Items[0].UserAgent, "Mozilla/5.0")
+		assert.Equal(t, "userfront", body.Items[0].ClientID)
+		assert.Equal(t, "UserFront", body.Items[0].AppName)
+	}
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestDeleteMySession_Success(t *testing.T) {
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+	var hydraRevokeCalls int
+	client := &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch r.URL.Host {
+		case "kratos.test":
+			if r.URL.Path == "/sessions/whoami" {
+				return httpJSONAny(r, http.StatusOK, map[string]any{
+					"id":               "current-sid",
+					"authenticated_at": time.Now().UTC().Format(time.RFC3339),
+					"identity": map[string]any{
+						"id": "user-123",
+						"traits": map[string]any{
+							"email": "user@example.com",
+							"name":  "User",
+							"role":  "user",
+						},
+					},
+				}), nil
+			}
+		case "hydra.test":
+			if r.Method == http.MethodDelete && r.URL.Path == "/oauth2/auth/sessions/consent" {
+				if r.URL.Query().Get("subject") != "user-123" {
+					t.Fatalf("unexpected revoke subject: %s", r.URL.Query().Get("subject"))
+				}
+				if r.URL.Query().Get("client") != "devfront" {
+					t.Fatalf("unexpected revoke client: %s", r.URL.Query().Get("client"))
+				}
+				hydraRevokeCalls++
+				return httpResponse(r, http.StatusNoContent, ""), nil
+			}
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})}
+	setDefaultHTTPClientForTest(t, client.Transport)
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{ID: "target-sid", Active: true},
+	}, nil).Once()
+	mockKratos.On("GetSession", mock.Anything, "target-sid").Return(&service.KratosSession{
+		ID:     "target-sid",
+		Active: true,
+	}, nil).Once()
+	mockKratos.On("DeleteSession", mock.Anything, "target-sid").Return(nil).Once()
+
+	auditRepo := &mockAuditRepo{}
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+	auditRepo.logs = append(auditRepo.logs, domain.AuditLog{
+		UserID:    "user-123",
+		EventType: "POST /api/v1/auth/oidc/login/accept",
+		SessionID: "target-sid",
+		Details:   `{"client_id":"devfront","client_name":"Devfront"}`,
+	})
+
+	app := fiber.New()
+	app.Delete("/api/v1/user/sessions/:id", h.DeleteMySession)
+
+	req := httptest.NewRequest(http.MethodDelete, "/api/v1/user/sessions/target-sid", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+	req.Header.Set("User-Agent", "session-test-agent")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	if assert.Len(t, auditRepo.logs, 2) {
+		assert.Equal(t, "session.revoked", auditRepo.logs[len(auditRepo.logs)-1].EventType)
+		assert.Equal(t, "user-123", auditRepo.logs[len(auditRepo.logs)-1].UserID)
+		assert.Equal(t, "current-sid", auditRepo.logs[len(auditRepo.logs)-1].SessionID)
+		assert.Contains(t, auditRepo.logs[len(auditRepo.logs)-1].Details, "target-sid")
+	}
+	assert.Equal(t, 1, hydraRevokeCalls)
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestDeleteMySession_DoesNotRevokeAllHydraSessionsWhenClientBindingMissing(t *testing.T) {
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+	var hydraRevokeCalls int
+	client := &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch r.URL.Host {
+		case "kratos.test":
+			if r.URL.Path == "/sessions/whoami" {
+				return httpJSONAny(r, http.StatusOK, map[string]any{
+					"id":               "current-sid",
+					"authenticated_at": time.Now().UTC().Format(time.RFC3339),
+					"identity": map[string]any{
+						"id": "user-123",
+						"traits": map[string]any{
+							"email": "user@example.com",
+							"name":  "User",
+							"role":  "user",
+						},
+					},
+				}), nil
+			}
+		case "hydra.test":
+			if r.Method == http.MethodDelete && r.URL.Path == "/oauth2/auth/sessions/consent" {
+				hydraRevokeCalls++
+				return httpResponse(r, http.StatusNoContent, ""), nil
+			}
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})}
+	setDefaultHTTPClientForTest(t, client.Transport)
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{ID: "target-sid", Active: true},
+	}, nil).Once()
+	mockKratos.On("GetSession", mock.Anything, "target-sid").Return(&service.KratosSession{
+		ID:     "target-sid",
+		Active: true,
+	}, nil).Once()
+	mockKratos.On("DeleteSession", mock.Anything, "target-sid").Return(nil).Once()
+
+	auditRepo := &mockAuditRepo{}
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+
+	app := fiber.New()
+	app.Delete("/api/v1/user/sessions/:id", h.DeleteMySession)
+
+	req := httptest.NewRequest(http.MethodDelete, "/api/v1/user/sessions/target-sid", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+	req.Header.Set("User-Agent", "session-test-agent")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Equal(t, 0, hydraRevokeCalls)
+	if assert.Len(t, auditRepo.logs, 1) {
+		assert.Equal(t, "session.revoked", auditRepo.logs[0].EventType)
+		assert.Equal(t, "user-123", auditRepo.logs[0].UserID)
+		assert.Contains(t, auditRepo.logs[0].Details, "target-sid")
+	}
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestDeleteMySession_RevokesHydraClientBoundFromPasswordLoginAudit(t *testing.T) {
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+	var hydraRevokeCalls int
+	var revokedClient string
+	client := &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch r.URL.Host {
+		case "kratos.test":
+			if r.URL.Path == "/sessions/whoami" {
+				return httpJSONAny(r, http.StatusOK, map[string]any{
+					"id":               "current-sid",
+					"authenticated_at": time.Now().UTC().Format(time.RFC3339),
+					"identity": map[string]any{
+						"id": "user-123",
+						"traits": map[string]any{
+							"email": "user@example.com",
+							"name":  "User",
+							"role":  "user",
+						},
+					},
+				}), nil
+			}
+		case "hydra.test":
+			if r.Method == http.MethodDelete && r.URL.Path == "/oauth2/auth/sessions/consent" {
+				revokedClient = r.URL.Query().Get("client")
+				hydraRevokeCalls++
+				return httpResponse(r, http.StatusNoContent, ""), nil
+			}
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})}
+	setDefaultHTTPClientForTest(t, client.Transport)
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("ListIdentitySessions", mock.Anything, "user-123").Return([]service.KratosSession{
+		{ID: "target-sid", Active: true},
+	}, nil).Once()
+	mockKratos.On("GetSession", mock.Anything, "target-sid").Return(&service.KratosSession{
+		ID:     "target-sid",
+		Active: true,
+	}, nil).Once()
+	mockKratos.On("DeleteSession", mock.Anything, "target-sid").Return(nil).Once()
+
+	auditRepo := &mockAuditRepo{}
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		AuditRepo:   auditRepo,
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+	auditRepo.logs = append(auditRepo.logs, domain.AuditLog{
+		UserID:    "user-123",
+		EventType: "POST /api/v1/auth/password/login",
+		SessionID: "target-sid",
+		Details:   `{"client_id":"adminfront","client_name":"AdminFront","session_id":"target-sid"}`,
+	})
+
+	app := fiber.New()
+	app.Delete("/api/v1/user/sessions/:id", h.DeleteMySession)
+
+	req := httptest.NewRequest(http.MethodDelete, "/api/v1/user/sessions/target-sid", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+	req.Header.Set("User-Agent", "session-test-agent")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Equal(t, 1, hydraRevokeCalls)
+	assert.Equal(t, "adminfront", revokedClient)
+
+	mockKratos.AssertExpectations(t)
+}
+
+func TestGetHydraProfile_RejectsInactiveLinkedSession(t *testing.T) {
+	client := &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Host == "hydra.test" && r.URL.Path == "/oauth2/introspect" {
+			body, _ := io.ReadAll(r.Body)
+			if string(body) != "token=opaque-token" {
+				t.Fatalf("unexpected introspect body: %s", string(body))
+			}
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"active":    true,
+				"sub":       "user-123",
+				"client_id": "devfront",
+				"ext": map[string]any{
+					"session_id": "target-sid",
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})}
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("GetSession", mock.Anything, "target-sid").Return(&service.KratosSession{
+		ID:     "target-sid",
+		Active: false,
+		Identity: &service.KratosIdentity{
+			ID: "user-123",
+		},
+	}, nil).Once()
+
+	h := &AuthHandler{
+		KratosAdmin: mockKratos,
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+
+	profile, err := h.getHydraProfile(context.Background(), "opaque-token")
+	assert.Nil(t, profile)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "inactive")
+	mockKratos.AssertExpectations(t)
+}
+
+func TestGetAuthTimeline_FillsSessionIDFromOathkeeperRaw(t *testing.T) {
+	now := time.Date(2026, 4, 7, 4, 39, 0, 0, time.UTC)
+	setDefaultHTTPClientForTest(t, roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/sessions/whoami" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id":               "current-sid",
+				"authenticated_at": now.Format(time.RFC3339),
+				"identity": map[string]any{
+					"id": "user-123",
+					"traits": map[string]any{
+						"email": "user@example.com",
+						"name":  "User",
+						"role":  "user",
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	}))
+
+	h := &AuthHandler{
+		AuditRepo: &mockAuditRepo{},
+		OathkeeperRepo: &mockOathkeeperRepo{
+			logs: []domain.OathkeeperAccessLog{
+				{
+					Timestamp: now,
+					RequestID: "req-1",
+					Method:    http.MethodGet,
+					Path:      "/api/v1/dev/sessions",
+					Status:    http.StatusOK,
+					Subject:   "user-123",
+					ClientIP:  "203.0.113.7",
+					UserAgent: "Mozilla/5.0",
+					Raw:       `{"request":{"url":"https://devfront.example.com/callback?client_id=devfront"},"extra":{"session_id":"target-sid"}}`,
+				},
+			},
+		},
+	}
+
+	app := fiber.New()
+	app.Get("/api/v1/audit/auth/timeline", h.GetAuthTimeline)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/audit/auth/timeline", nil)
+	req.Header.Set("Cookie", "ory_kratos_session=valid")
+
+	resp, err := app.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body struct {
+		Items []struct {
+			SessionID string `json:"session_id"`
+			ClientID  string `json:"client_id"`
+			AppName   string `json:"app_name"`
+			Source    string `json:"source"`
+		} `json:"items"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&body)
+	assert.NoError(t, err)
+	if assert.Len(t, body.Items, 1) {
+		assert.Equal(t, "target-sid", body.Items[0].SessionID)
+		assert.Equal(t, "devfront", body.Items[0].ClientID)
+		assert.Equal(t, "devfront", body.Items[0].AppName)
+		assert.Equal(t, "oathkeeper", body.Items[0].Source)
+	}
+}

backend/internal/handler/common_test.go

@@ -115,6 +115,25 @@ func (m *mockAuditRepo) CountActiveSessionsSince(ctx context.Context, since time
 
 func (m *mockAuditRepo) Ping(ctx context.Context) error { return nil }
 
+type mockOathkeeperRepo struct {
+	logs []domain.OathkeeperAccessLog
+}
+
+func (m *mockOathkeeperRepo) FindPageBySubject(ctx context.Context, subject string, limit int, cursor *domain.AuditCursor) ([]domain.OathkeeperAccessLog, error) {
+	if subject == "" {
+		return m.logs, nil
+	}
+	results := make([]domain.OathkeeperAccessLog, 0, len(m.logs))
+	for _, log := range m.logs {
+		if log.Subject == subject {
+			results = append(results, log)
+		}
+	}
+	return results, nil
+}
+
+func (m *mockOathkeeperRepo) Ping(ctx context.Context) error { return nil }
+
 // --- Mock Consent Repository ---
 
 type mockConsentRepo struct {

backend/internal/handler/user_handler_test.go

@@ -56,6 +56,26 @@ func (m *MockKratosAdmin) DeleteIdentity(ctx context.Context, id string) error {
 	return m.Called(ctx, id).Error(0)
 }
 
+func (m *MockKratosAdmin) ListIdentitySessions(ctx context.Context, identityID string) ([]service.KratosSession, error) {
+	args := m.Called(ctx, identityID)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).([]service.KratosSession), args.Error(1)
+}
+
+func (m *MockKratosAdmin) GetSession(ctx context.Context, sessionID string) (*service.KratosSession, error) {
+	args := m.Called(ctx, sessionID)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*service.KratosSession), args.Error(1)
+}
+
+func (m *MockKratosAdmin) DeleteSession(ctx context.Context, sessionID string) error {
+	return m.Called(ctx, sessionID).Error(0)
+}
+
 type MockOryProvider struct {
 	mock.Mock
 }