feat: Implement CLI session management

- Add functionality to list, revoke, and manage CLI sessions.
- Introduce new  subcommand in the CLI for session actions.
- Update authentication flow to support session management.
- Modify device flow and token refresh endpoints for improved session handling.
- Enhance error handling and user prompts for session actions.

Author: bulpara

install.sh

@@ -59,7 +59,7 @@ impl AuthClient {
     }
 
     pub async fn refresh_token(&self, request: RefreshRequest) -> Result<RefreshResponse> {
-        let url = format!("{}/auth/refresh", self.base_url);
+        let url = format!("{}/auth/cli/refresh", self.base_url);
 
         let response = self
             .client

src/auth/client.rs

@@ -11,8 +11,8 @@ use reqwest::Client;
 
 #[derive(Debug, Serialize)]
 pub struct DeviceFlowRequest {
-    pub client_id: String,
-    pub scope: String,
+    pub client_id: Option<String>,
+    pub scopes: Option<Vec<String>>,
 }
 
 #[derive(Debug, Deserialize)]
@@ -37,7 +37,7 @@ pub struct DeviceTokenResponse {
     pub refresh_token: String,
     pub token_type: String,
     pub expires_in: i64,
-    pub scope: String,
+    pub scope: Vec<String>,
 }
 
 #[derive(Debug, Deserialize)]
@@ -120,11 +120,18 @@ impl DeviceAuth {
 
     async fn initiate_device_flow(&self) -> Result<DeviceFlowResponse> {
         let request = DeviceFlowRequest {
-            client_id: "kanuni-cli".to_string(),
-            scope: "full_access".to_string(),
+            client_id: Some("kanuni-cli".to_string()),
+            scopes: Some(vec![
+                "read_documents".to_string(),
+                "write_documents".to_string(),
+                "read_cases".to_string(),
+                "write_cases".to_string(),
+                "read_chat".to_string(),
+                "write_chat".to_string(),
+            ]),
         };
 
-        let url = format!("{}/api/v1/auth/device/code", self.base_url);
+        let url = format!("{}/auth/device/code", self.base_url);
         let response = self
             .client
             .post(&url)
@@ -154,7 +161,7 @@ impl DeviceAuth {
                 client_id: "kanuni-cli".to_string(),
             };
 
-            let url = format!("{}/api/v1/auth/device/token", self.base_url);
+            let url = format!("{}/auth/device/token", self.base_url);
             let response = self.client.post(&url).json(&request).send().await?;
 
             if response.status().is_success() {

src/auth/device_flow.rs

@@ -2,6 +2,7 @@ pub mod api_key;
 pub mod client;
 pub mod device_flow;
 pub mod models;
+pub mod sessions;
 pub mod token_store;
 
 use anyhow::{Context, Result};
@@ -13,7 +14,8 @@ use self::{
     api_key::ApiKeyManager,
     client::AuthClient,
     device_flow::DeviceAuth,
-    models::{AuthTokens, RefreshRequest, UserInfo},
+    models::{RefreshRequest, CliSessionResponse},
+    sessions::SessionsClient,
     token_store::{AuthType, StoredCredentials, TokenStore},
 };
 use crate::config::Config;
@@ -219,4 +221,33 @@ impl AuthManager {
             Ok("Not authenticated".to_string())
         }
     }
+
+    /// List all CLI sessions
+    pub async fn list_sessions(&self) -> Result<Vec<CliSessionResponse>> {
+        let access_token = self.get_access_token().await?;
+        let config = self.config.read().await;
+        let client = SessionsClient::new(config.api_endpoint.clone());
+        client.list_sessions(&access_token).await
+    }
+
+    /// Revoke a specific CLI session
+    pub async fn revoke_session(&self, session_id: &str) -> Result<()> {
+        let access_token = self.get_access_token().await?;
+        let config = self.config.read().await;
+        let client = SessionsClient::new(config.api_endpoint.clone());
+        client.revoke_session(&access_token, session_id).await
+    }
+
+    /// Revoke all CLI sessions
+    pub async fn revoke_all_sessions(&self) -> Result<()> {
+        let access_token = self.get_access_token().await?;
+        let config = self.config.read().await;
+        let client = SessionsClient::new(config.api_endpoint.clone());
+        client.revoke_all_sessions(&access_token).await?;
+
+        // After revoking all sessions, we need to logout locally as well
+        self.logout().await?;
+
+        Ok(())
+    }
 }

src/auth/mod.rs

@@ -55,3 +55,24 @@ pub struct ErrorResponse {
     pub error: String,
     pub message: String,
 }
+
+// CLI Session Management Models
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct CliSessionResponse {
+    pub id: String,  // Using String for UUID compatibility
+    pub device_name: Option<String>,
+    pub platform: Option<String>,
+    pub hostname: Option<String>,
+    pub ip_address: Option<String>,
+    pub last_used_at: DateTime<Utc>,
+    pub scopes: Vec<String>,
+    pub is_current: bool,
+    pub is_active: bool,
+    pub created_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Serialize)]
+pub struct RevokeSessionRequest {
+    pub reason: Option<String>,
+}

src/auth/models.rs

@@ -0,0 +1,201 @@
+use anyhow::Result;
+use reqwest::{Client, StatusCode};
+use colored::*;
+use chrono::{DateTime, Utc};
+
+use super::models::{CliSessionResponse, RevokeSessionRequest, ErrorResponse};
+
+pub struct SessionsClient {
+    client: Client,
+    base_url: String,
+}
+
+impl SessionsClient {
+    pub fn new(base_url: String) -> Self {
+        let client = Client::builder()
+            .timeout(std::time::Duration::from_secs(30))
+            .build()
+            .expect("Failed to create HTTP client");
+
+        Self { client, base_url }
+    }
+
+    /// List all CLI sessions
+    pub async fn list_sessions(&self, access_token: &str) -> Result<Vec<CliSessionResponse>> {
+        let url = format!("{}/auth/cli/sessions", self.base_url);
+
+        let response = self
+            .client
+            .get(&url)
+            .header("Authorization", format!("Bearer {}", access_token))
+            .send()
+            .await?;
+
+        match response.status() {
+            StatusCode::OK => {
+                let sessions = response
+                    .json::<Vec<CliSessionResponse>>()
+                    .await?;
+                Ok(sessions)
+            }
+            StatusCode::UNAUTHORIZED => {
+                anyhow::bail!("Authentication token expired. Please login again.")
+            }
+            status => {
+                if let Ok(error) = response.json::<ErrorResponse>().await {
+                    anyhow::bail!("{}: {}", status, error.message)
+                } else {
+                    anyhow::bail!("Failed to list sessions with status: {}", status)
+                }
+            }
+        }
+    }
+
+    /// Revoke a specific CLI session
+    pub async fn revoke_session(&self, access_token: &str, session_id: &str) -> Result<()> {
+        let url = format!("{}/auth/cli/sessions/{}", self.base_url, session_id);
+
+        let request = RevokeSessionRequest {
+            reason: Some("User revoked from CLI".to_string()),
+        };
+
+        let response = self
+            .client
+            .delete(&url)
+            .header("Authorization", format!("Bearer {}", access_token))
+            .json(&request)
+            .send()
+            .await?;
+
+        match response.status() {
+            StatusCode::OK => Ok(()),
+            StatusCode::NOT_FOUND => {
+                anyhow::bail!("Session not found or already revoked")
+            }
+            StatusCode::UNAUTHORIZED => {
+                anyhow::bail!("Authentication token expired. Please login again.")
+            }
+            status => {
+                if let Ok(error) = response.json::<ErrorResponse>().await {
+                    anyhow::bail!("{}: {}", status, error.message)
+                } else {
+                    anyhow::bail!("Failed to revoke session with status: {}", status)
+                }
+            }
+        }
+    }
+
+    /// Revoke all CLI sessions
+    pub async fn revoke_all_sessions(&self, access_token: &str) -> Result<()> {
+        let url = format!("{}/auth/cli/sessions/revoke-all", self.base_url);
+
+        let response = self
+            .client
+            .post(&url)
+            .header("Authorization", format!("Bearer {}", access_token))
+            .send()
+            .await?;
+
+        match response.status() {
+            StatusCode::OK => Ok(()),
+            StatusCode::UNAUTHORIZED => {
+                anyhow::bail!("Authentication token expired. Please login again.")
+            }
+            status => {
+                if let Ok(error) = response.json::<ErrorResponse>().await {
+                    anyhow::bail!("{}: {}", status, error.message)
+                } else {
+                    anyhow::bail!("Failed to revoke all sessions with status: {}", status)
+                }
+            }
+        }
+    }
+}
+
+// Helper functions for formatting sessions
+
+pub fn format_session_display(sessions: &[CliSessionResponse]) {
+    if sessions.is_empty() {
+        println!("{}  No active CLI sessions found", "ℹ".blue());
+        return;
+    }
+
+    println!("\n{}  Active CLI Sessions\n", "🔐".green());
+
+    // Header
+    println!(
+        "{:<12} {:<20} {:<15} {:<20} {:<15} {}",
+        "ID".bold(),
+        "Device".bold(),
+        "Platform".bold(),
+        "Hostname".bold(),
+        "Last Active".bold(),
+        "Status".bold()
+    );
+
+    println!("{}", "─".repeat(100));
+
+    for session in sessions {
+        let id_short = &session.id[..8.min(session.id.len())];
+        let device_name = session.device_name.as_deref().unwrap_or("Unknown");
+        let platform = format_platform(session.platform.as_deref());
+        let hostname = session.hostname.as_deref().unwrap_or("-");
+        let last_active = format_relative_time(&session.last_used_at);
+
+        let status = if session.is_current {
+            "CURRENT".green().bold()
+        } else if session.is_active {
+            "Active".green()
+        } else {
+            "Inactive".red()
+        };
+
+        println!(
+            "{:<12} {:<20} {:<15} {:<20} {:<15} {}",
+            id_short,
+            truncate_string(device_name, 20),
+            platform,
+            truncate_string(hostname, 20),
+            last_active,
+            status
+        );
+    }
+
+    println!("\n{}  Total: {} active session(s)", "📊".blue(), sessions.len());
+}
+
+fn format_platform(platform: Option<&str>) -> String {
+    match platform {
+        Some(p) if p.to_lowercase().contains("darwin") => "macOS",
+        Some(p) if p.to_lowercase().contains("linux") => "Linux",
+        Some(p) if p.to_lowercase().contains("win") => "Windows",
+        Some(p) if p == "cli" => "CLI",
+        Some(p) => p,
+        None => "Unknown",
+    }.to_string()
+}
+
+fn truncate_string(s: &str, max_len: usize) -> String {
+    if s.len() > max_len {
+        format!("{}...", &s[..max_len - 3])
+    } else {
+        s.to_string()
+    }
+}
+
+fn format_relative_time(dt: &DateTime<Utc>) -> String {
+    let now = Utc::now();
+    let duration = now.signed_duration_since(*dt);
+
+    if duration.num_days() > 30 {
+        format!("{} months ago", duration.num_days() / 30)
+    } else if duration.num_days() > 0 {
+        format!("{} days ago", duration.num_days())
+    } else if duration.num_hours() > 0 {
+        format!("{} hours ago", duration.num_hours())
+    } else if duration.num_minutes() > 0 {
+        format!("{} mins ago", duration.num_minutes())
+    } else {
+        "Just now".to_string()
+    }
+}

src/auth/sessions.rs

@@ -153,6 +153,25 @@ pub enum AuthAction {
     /// List all API keys
     #[command(name = "list-keys")]
     ListKeys,
+    /// Manage CLI sessions
+    Sessions {
+        #[command(subcommand)]
+        action: SessionAction,
+    },
+}
+
+#[derive(Subcommand)]
+pub enum SessionAction {
+    /// List all active CLI sessions
+    List,
+    /// Revoke a specific CLI session
+    Revoke {
+        /// Session ID to revoke
+        id: String,
+    },
+    /// Revoke all CLI sessions (will log you out)
+    #[command(name = "revoke-all")]
+    RevokeAll,
 }
 
 #[derive(Subcommand)]