NEW Add onBeforeRemoveLoginSession extension hook

composer.json

@@ -33,7 +33,8 @@
         "symbiote/silverstripe-queuedjobs": "^4"
     },
     "suggest": {
-        "symbiote/silverstripe-queuedjobs": "^4"
+        "symbiote/silverstripe-queuedjobs": "^4",
+        "silverstripe/auditor": "^2.3"
     },
     "autoload": {
         "psr-4": {

src/Control/LoginSessionController.php

@@ -0,0 +1,88 @@
+<?php
+
+namespace SilverStripe\SessionManager\Control;
+
+use SilverStripe\Admin\LeftAndMain;
+use SilverStripe\Control\HTTPRequest;
+use SilverStripe\Control\HTTPResponse;
+use SilverStripe\Security\Member;
+use SilverStripe\Security\Security;
+use SilverStripe\Security\SecurityToken;
+use SilverStripe\SessionManager\Model\LoginSession;
+
+// TODO: extend Controller instead of LeftAndMain?
+class LoginSessionController extends LeftAndMain
+{
+    private static $url_segment = 'loginsession';
+
+    // TODO: ignore_menuitem is legacy and not used anywhere else, work out what intention behind
+    // this was an reimplement
+    private static $ignore_menuitem = true;
+
+    private static $url_handlers = [
+        // TODO: 'DELETE remove/$ID' => 'remove',
+        'DELETE remove/$ID' => 'removeLoginSession'
+    ];
+
+    private static $allowed_actions = [
+        // TODO: 'remove'
+        'removeLoginSession',
+    ];
+
+    /**
+     * Remove the specified login session
+     *
+     * @param HTTPRequest $request
+     * @return HTTPResponse
+     */
+    // TODO: rename to 'remove'
+    public function removeLoginSession(HTTPRequest $request): HTTPResponse
+    {
+        // Ensure CSRF protection
+        if (!SecurityToken::inst()->checkRequest($request)) {
+            return $this->jsonResponse(
+                ['errors' => 'Request timed out, please try again'],
+                400
+            );
+        }
+
+        $id = $request->param('ID');
+        $loginSession = LoginSession::get()->byID($id);
+        if (!$loginSession) {
+            return $this->jsonResponse(
+                ['errors' => 'Something went wrong.'],
+                400
+            );
+        }
+
+        if (!$loginSession->canDelete()) {
+            return $this->jsonResponse(
+                ['errors' => 'You do not have permission to delete this record.'],
+                400
+            );
+        }
+
+        $this->extend('onBeforeRemoveLoginSession', $loginSession);
+
+        $loginSession->delete();
+
+        return $this->jsonResponse([
+            'success' => true,
+        ]);
+    }
+
+    /**
+     * Respond with the given array as a JSON response
+     *
+     * @param array $response
+     * @param int $code The HTTP response code to set on the response
+     * @return HTTPResponse
+     */
+    // TODO: change visibility to private
+    protected function jsonResponse(array $response, int $code = 200): HTTPResponse
+    {
+        return HTTPResponse::create(json_encode($response))
+            ->addHeader('Content-Type', 'application/json')
+            ->setStatusCode($code);
+    }
+}

src/Security/LogInAuthenticationHandler.php

@@ -94,15 +94,17 @@ public function logIn(Member $member, $persistent = false, HTTPRequest $request
         }
 
         $loginSession->LastAccessed = DBDatetime::now()->Rfc2822();
-        $loginSession->IPAddress = $request->getIP();
+        $loginSession->IPAddress = $request ? $request->getIP() : '';
         $loginSession->write();
 
         if ($persistent && $rememberLoginHash = $this->getRememberLoginHash()) {
             $rememberLoginHash->LoginSessionID = $loginSession->ID;
             $rememberLoginHash->write();
         }
 
-        $request->getSession()->set($this->getSessionVariable(), $loginSession->ID);
+        if ($request) {
+            $request->getSession()->set($this->getSessionVariable(), $loginSession->ID);
+        }
     }
 
     /**