version 0.0.24

backend/src/routes/auth.js

@@ -2,7 +2,7 @@ const express = require('express');
 const bcrypt = require('bcryptjs');
 const router = express.Router();
 const { getDb, getOrCreateSupportGroup } = require('../models/db');
-const { generateToken, authMiddleware } = require('../middleware/auth');
+const { generateToken, authMiddleware, setActiveSession, clearActiveSession } = require('../middleware/auth');
 
 // Login
 router.post('/login', (req, res) => {
@@ -25,6 +25,8 @@ router.post('/login', (req, res) => {
   if (!valid) return res.status(401).json({ error: 'Invalid credentials' });
 
   const token = generateToken(user.id);
+  const ua = req.headers['user-agent'] || '';
+  const device = setActiveSession(user.id, token, ua); // displaces prior session on same device class
 
   const { password: _, ...userSafe } = user;
   res.json({ 
@@ -58,8 +60,9 @@ router.get('/me', authMiddleware, (req, res) => {
   res.json({ user });
 });
 
-// Logout (client-side token removal, but we can track it)
+// Logout — clear active session for this device class only
 router.post('/logout', authMiddleware, (req, res) => {
+  clearActiveSession(req.user.id, req.device);
   res.json({ success: true });
 });