From 8983c0d651343def8fcc8f502d97cd3a577ae5f6 Mon Sep 17 00:00:00 2001
From: jdl
Date: Sat, 13 Jun 2026 18:03:44 +0200
Subject: [PATCH] Audit changes.
---
 hub/api/api.go | 15 +++++++++++++--
 hub/api/types.go | 2 --
 hub/handler.go | 4 ++--
 hub/handlers.go | 5 ++++-
 4 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/hub/api/api.go b/hub/api/api.go
index 0922f30..e5ab748 100644
--- a/hub/api/api.go
+++ b/hub/api/api.go
@@ -134,14 +134,25 @@ func (a *API) Session_SignIn(pwd string) (Session, error) {
 defer a.sessionsMu.Unlock()
 s := &Session{
 SessionID: idgen.NewToken(),
- SignedIn: true,
- CreatedAt: time.Now(),
 LastSeenAt: time.Now(),
 }
 a.sessions[s.SessionID] = s
 return *s, nil
 }
+func (a *API) Session_InvalidateAll() Session {
+ a.sessionsMu.Lock()
+ defer a.sessionsMu.Unlock()
+
+ clear(a.sessions)
+ s := &Session{
+ SessionID: idgen.NewToken(),
+ LastSeenAt: time.Now(),
+ }
+ a.sessions[s.SessionID] = s
+ return *s
+}
+
 // sweepSessions periodically evicts sessions past their TTL. Without it, a
 // signed-in session whose ID is never presented again would linger forever
 // (Session_Get only evicts on a lookup of that same ID).
diff --git a/hub/api/types.go b/hub/api/types.go
index f74a2c1..ac4837e 100644
--- a/hub/api/types.go
+++ b/hub/api/types.go
@@ -11,7 +11,5 @@ type Peer = db.Peer
 type Session struct {
 SessionID string
- SignedIn bool
- CreatedAt time.Time
 LastSeenAt time.Time
 }
diff --git a/hub/handler.go b/hub/handler.go
index ec6aa21..b7a69b9 100644
--- a/hub/handler.go
+++ b/hub/handler.go
@@ -35,7 +35,7 @@ func (app *App) handlePub(pattern string, fn handlerFunc) {
 func (app *App) handleNotSignedIn(pattern string, fn handlerFunc) {
 app.handlePub(pattern, func(s *api.Session, w http.ResponseWriter, r *http.Request) error {
- if s.SignedIn {
+ if s.SessionID != "" {
 http.Redirect(w, r, "/", http.StatusSeeOther)
 return nil
 }
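Review bot: With `CreatedAt` removed in Session_SignIn, `LastSeenAt` is the only timestamp left on a session, so expiry can only be an idle timeout: a session whose ID keeps being presented never ages out, and a leaked ID stays valid for as long as it is used. If an absolute lifetime is wanted, keep `CreatedAt` and have the TTL check (outside this hunk) evict on it as well. The new Session_InvalidateAll also has no doc comment even though it hands a signed-in session to whoever calls it; something like `// Session_InvalidateAll drops every session and returns a new signed-in one; the caller must already be authenticated.` would state the contract. Session_SignIn begins above the hunk, so where it verifies the password is not visible here.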
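Review bot: `s.SessionID != ""` is now the whole authentication decision in handleNotSignedIn, and the same comparison is repeated in handleSignedIn and in _root in hub/handlers.go. It is only sound if handlePub, whose body is outside this hunk, passes an empty SessionID for a missing, unknown or expired cookie and never copies the raw cookie value into the struct before the lookup succeeds. I would state that invariant once on the type and call it from all three sites, for example `func (s Session) IsSignedIn() bool { return s.SessionID != "" }` with a comment that only Session_SignIn and Session_InvalidateAll set the ID.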
@@ -45,7 +45,7 @@ func (app *App) handleNotSignedIn(pattern string, fn handlerFunc) {
 func (app *App) handleSignedIn(pattern string, fn handlerFunc) {
 app.handlePub(pattern, func(s *api.Session, w http.ResponseWriter, r *http.Request) error {
- if !s.SignedIn {
+ if s.SessionID == "" {
 http.Redirect(w, r, "/", http.StatusSeeOther)
 return nil
 }
diff --git a/hub/handlers.go b/hub/handlers.go
index 869c423..71c122f 100644
--- a/hub/handlers.go
+++ b/hub/handlers.go
@@ -16,7 +16,7 @@ import (
 )
 func (a *App) _root(s *api.Session, w http.ResponseWriter, r *http.Request) error {
- if s.SignedIn {
+ if s.SessionID != "" {
 return a.redirect(w, r, "/admin/network/list/")
 } else {
 return a.redirect(w, r, "/sign-in/")
@@ -269,6 +269,9 @@ func (a *App) _adminPasswordSubmit(s *api.Session, w http.ResponseWriter, r *htt
 return err
 }
+ *s = a.api.Session_InvalidateAll()
+ a.setCookie(w, sessionIDCookieName, s.SessionID)
+
 return a.redirect(w, r, "/admin/network/list/")
 }
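Review bot: Revocation in _adminPasswordSubmit happens in two separate steps, the password update above the hunk and then `Session_InvalidateAll`, so the two are not atomic with respect to a concurrent sign-in. If Session_SignIn verifies the password before it takes `sessionsMu` (not visible here), a sign-in that passed the check with the old password can insert its session after the clear and survive the change. Doing the password check under `sessionsMu`, or performing the update and the clear under the same lock, would close that window. A short comment on the added lines, e.g. `// Password changed: revoke every session, then re-issue one for this caller.`, would also record why the cookie is reset.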