chintakjoshi · chintakjoshi · Apr 19, 2026 · Apr 19, 2026
diff --git a/app/routers/_admin_access.py b/app/routers/_admin_access.py
@@ -3,14 +3,19 @@
 from __future__ import annotations
 
 import hmac
+import json
 from typing import Annotated
 
 from fastapi import Depends, Request
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from app.config import get_settings
+from app.core.browser_sessions import (
+    extract_access_token,
+    require_csrf_for_cookie_authenticated_request,
+)
 from app.dependencies import get_database_session
-from app.services.admin_service import AdminService, get_admin_service
+from app.services.admin_service import AdminService, AdminServiceError, get_admin_service
 
 
 def extract_bearer_token(request: Request) -> str | None:
@@ -38,6 +43,19 @@ async def require_admin_claims(
     admin_service: AdminService,
 ) -> dict[str, object]:
     """Validate caller as an admin via bootstrap key or bearer token."""
+    csrf_error = require_csrf_for_cookie_authenticated_request(request)
+    if csrf_error is not None:
+        try:
+            payload = json.loads(csrf_error.body.decode("utf-8"))
+        except Exception:
+            payload = {}
+        raise AdminServiceError(
+            detail=str(payload.get("detail", "Invalid CSRF token.")),
+            code=str(payload.get("code", "invalid_csrf_token")),
+            status_code=csrf_error.status_code,
+            headers=dict(csrf_error.headers),
+        )
+
     settings = get_settings()
     configured_admin_api_key = settings.admin_api_key
     supplied_admin_api_key = extract_admin_api_key(request)
@@ -60,7 +78,7 @@ async def require_admin_claims(
 
     claims = await admin_service.validate_admin_access_token(
         db_session=db_session,
-        token=extract_bearer_token(request),
+        token=extract_access_token(request)[0],
     )
     request.state.user = {
         "user_id": str(claims.get("sub", "")) or None,

diff --git a/app/routers/admin.py b/app/routers/admin.py
@@ -32,6 +32,7 @@
     AdminSessionRevokeRequest,
     AdminSessionRevokeResponse,
     AdminSigningKeyRotateResponse,
+    AdminSuspiciousSessionItem,
     AdminUserDeleteResponse,
     AdminUserDetail,
     AdminUserEraseResponse,
@@ -130,6 +131,24 @@ def _audit_log_item(row) -> AdminAuditLogItem:
     )
 
 
+def _session_item_payload(row) -> dict[str, object]:
+    """Serialize shared admin session fields for list and queue responses."""
+    return {
+        "session_id": row.session_id,
+        "user_id": row.user_id,
+        "created_at": row.created_at,
+        "last_seen_at": row.last_seen_at,
+        "expires_at": row.expires_at,
+        "revoked_at": row.revoked_at,
+        "revoke_reason": row.revoke_reason,
+        "ip_address": row.ip_address,
+        "user_agent": row.user_agent,
+        "device_label": parse_device_label(row.user_agent),
+        "is_suspicious": row.is_suspicious,
+        "suspicious_reasons": row.suspicious_reasons,
+    }
+
+
 def _session_filter_metadata(payload: AdminSessionFilterRevokeRequest) -> dict[str, object]:
     """Serialize only the explicit filtered-revoke selectors for audit/webhook metadata."""
     metadata: dict[str, object] = {}
@@ -433,6 +452,49 @@ async def revoke_user_sessions(
     )
 
 
+@router.get(
+    "/sessions/suspicious",
+    response_model=CursorPageResponse[AdminSuspiciousSessionItem],
+)
+async def list_suspicious_sessions(
+    request: Request,
+    db_session: Annotated[AsyncSession, Depends(get_database_session)],
+    admin_service: Annotated[AdminService, Depends(get_admin_service)],
+    email: Annotated[str | None, Query()] = None,
+    role: Annotated[str | None, Query()] = None,
+    cursor: Annotated[str | None, Query()] = None,
+    limit: Annotated[int, Query(ge=1, le=200)] = 50,
+) -> CursorPageResponse[AdminSuspiciousSessionItem] | JSONResponse:
+    """List active suspicious sessions across all users for security triage."""
+    try:
+        await _require_admin_claims(
+            request,
+            db_session=db_session,
+            admin_service=admin_service,
+        )
+        page = await admin_service.list_suspicious_sessions_page(
+            db_session=db_session,
+            email=email,
+            role=role,
+            cursor=cursor,
+            limit=limit,
+        )
+    except AdminServiceError as exc:
+        return _error_response(exc.status_code, exc.detail, exc.code, headers=exc.headers)
+    return CursorPageResponse(
+        data=[
+            AdminSuspiciousSessionItem(
+                user_email=row.user_email,
+                user_role=row.user_role,
+                **_session_item_payload(row),
+            )
+            for row in page.items
+        ],
+        next_cursor=page.next_cursor,
+        has_more=page.has_more,
+    )
+
+
 @router.get(
     "/users/{user_id}/sessions",
     response_model=CursorPageResponse[AdminSessionItem],
@@ -463,23 +525,7 @@ async def list_user_sessions(
     except AdminServiceError as exc:
         return _error_response(exc.status_code, exc.detail, exc.code, headers=exc.headers)
     return CursorPageResponse(
-        data=[
-            AdminSessionItem(
-                session_id=row.session_id,
-                user_id=row.user_id,
-                created_at=row.created_at,
-                last_seen_at=row.last_seen_at,
-                expires_at=row.expires_at,
-                revoked_at=row.revoked_at,
-                revoke_reason=row.revoke_reason,
-                ip_address=row.ip_address,
-                user_agent=row.user_agent,
-                device_label=parse_device_label(row.user_agent),
-                is_suspicious=row.is_suspicious,
-                suspicious_reasons=row.suspicious_reasons,
-            )
-            for row in page.items
-        ],
+        data=[AdminSessionItem(**_session_item_payload(row)) for row in page.items],
         next_cursor=page.next_cursor,
         has_more=page.has_more,
     )

diff --git a/app/schemas/admin.py b/app/schemas/admin.py
@@ -81,6 +81,13 @@ class AdminSessionItem(BaseModel):
     suspicious_reasons: list[str]
 
 
+class AdminSuspiciousSessionItem(AdminSessionItem):
+    """Admin-facing global suspicious-session row with user context."""
+
+    user_email: str
+    user_role: str
+
+
 class AdminSessionRevokeResponse(BaseModel):
     """Admin response for single-session revocation."""
 

diff --git a/app/services/admin_service.py b/app/services/admin_service.py
@@ -126,6 +126,14 @@ class AdminSessionSummary:
     suspicious_reasons: list[str]
 
 
+@dataclass(frozen=True)
+class AdminSuspiciousSessionSummary(AdminSessionSummary):
+    """Global suspicious-session row enriched with user identity details."""
+
+    user_email: str
+    user_role: str
+
+
 @dataclass(frozen=True)
 class AdminSessionDetailSummary(AdminSessionSummary):
     """Admin-facing session detail payload with attributable timeline events."""
@@ -512,6 +520,64 @@ async def list_user_sessions_page(
         ]
         return build_page(summaries, limit=limit)
 
+    async def list_suspicious_sessions_page(
+        self,
+        db_session: AsyncSession,
+        *,
+        email: str | None = None,
+        role: str | None = None,
+        cursor: str | None = None,
+        limit: int = 50,
+    ) -> CursorPage[AdminSuspiciousSessionSummary]:
+        """Return active suspicious sessions across all non-deleted users."""
+        limit = max(1, min(limit, 200))
+        cursor_position = decode_cursor(cursor) if cursor is not None else None
+        statement = (
+            select(Session, User.email, User.role)
+            .join(User, User.id == Session.user_id)
+            .where(
+                Session.deleted_at.is_(None),
+                Session.is_suspicious.is_(True),
+                Session.revoked_at.is_(None),
+                Session.expires_at > datetime.now(UTC),
+                User.deleted_at.is_(None),
+            )
+            .order_by(Session.created_at.desc(), Session.id.desc())
+        )
+        normalized_role = role.strip() if role is not None else None
+        if normalized_role:
+            statement = statement.where(User.role == normalized_role)
+        normalized_email = email.strip().lower() if email is not None else None
+        if normalized_email:
+            statement = statement.where(func.lower(User.email).like(f"%{normalized_email}%"))
+
+        statement = apply_created_at_cursor(
+            statement,
+            model=Session,
+            cursor=cursor_position,
+        ).limit(limit + 1)
+        rows = list((await db_session.execute(statement)).all())
+        summaries = [
+            AdminSuspiciousSessionSummary(
+                id=session_row.id,
+                session_id=session_row.session_id,
+                user_id=session_row.user_id,
+                created_at=session_row.created_at,
+                last_seen_at=session_row.last_seen_at,
+                expires_at=session_row.expires_at,
+                revoked_at=session_row.revoked_at,
+                revoke_reason=session_row.revoke_reason,
+                ip_address=session_row.ip_address,
+                user_agent=session_row.user_agent,
+                is_suspicious=bool(getattr(session_row, "is_suspicious", False)),
+                suspicious_reasons=list(getattr(session_row, "suspicious_reasons", []) or []),
+                user_email=str(user_email),
+                user_role=str(user_role),
+            )
+            for session_row, user_email, user_role in rows
+        ]
+        return build_page(summaries, limit=limit)
+
     async def get_user_session_detail(
         self,
         db_session: AsyncSession,

diff --git a/docs/admin-dashboard-integration.md b/docs/admin-dashboard-integration.md
@@ -100,12 +100,50 @@ friendly device label using `device_label` (server-derived).
 
 | Method | Path | Purpose | Step-Up |
 |--------|------|---------|---------|
+| GET | `/sessions/suspicious` | Global active suspicious-session queue | No |
 | GET | `/users/{user_id}/sessions` | List sessions for a user | No |
 | GET | `/users/{user_id}/sessions/{session_id}` | Session detail with attributable timeline | No |
 | POST | `/users/{user_id}/sessions/revoke-by-filter` | Preview or revoke sessions matching explicit selectors | Yes |
 | DELETE | `/users/{user_id}/sessions/{session_id}` | Revoke one session | Yes |
 | DELETE | `/users/{user_id}/sessions` | Revoke all sessions for a user | Yes |
 
+`GET /sessions/suspicious` query params:
+
+- `email` â€” optional case-insensitive email substring filter
+- `role` â€” optional exact auth role filter
+- `cursor` â€” opaque pagination cursor
+- `limit` â€” 1â€“200 (default 50)
+
+Suspicious queue item shape:
+
+```json
+{
+  "session_id": "uuid",
+  "user_id": "uuid",
+  "user_email": "person@example.com",
+  "user_role": "user",
+  "created_at": "2026-04-16T09:00:00Z",
+  "last_seen_at": "2026-04-16T10:15:00Z",
+  "expires_at": "2026-04-23T09:00:00Z",
+  "revoked_at": null,
+  "revoke_reason": null,
+  "ip_address": "203.0.113.10",
+  "user_agent": "Mozilla/5.0 ...",
+  "device_label": "Chrome on Windows",
+  "is_suspicious": true,
+  "suspicious_reasons": ["new_ip", "prior_failures"]
+}
+```
+
+Suspicious queue notes:
+
+- The queue only returns active suspicious sessions. Revoked, expired, and
+  soft-deleted-user sessions are excluded.
+- `user_email` and `user_role` let dashboards render a standalone global queue
+  without first hydrating the per-user directory.
+- Use this route for the top-level security triage queue; use the per-user
+  session routes after the operator drills into one account.
+
 `GET /users/{user_id}/sessions` query params:
 
 - `status` — `active`, `revoked`, or `all` (default `active`)
@@ -389,6 +427,14 @@ for supported query parameters.
 4. Action buttons wire to PATCH role, DELETE sessions, DELETE user, and
    PATCH OTP — each must first obtain an action token via the step-up flow.
 
+### Suspicious Queue
+
+1. `GET /admin/sessions/suspicious?limit=50` â€” initial global queue load
+2. Render email, role, device, IP, risk reasons, and last seen
+3. Use `next_cursor` to page through the queue
+4. Open the user workspace with `user_id`, then switch to per-user session
+   endpoints for deeper inspection or revoke actions
+
 ### Session Table Columns
 
 Recommended columns:

diff --git a/docs/service-api.md b/docs/service-api.md
@@ -108,7 +108,8 @@ The admin surface lives under `/admin/*`.
 Major areas include:
 
 - users (list, detail, role, delete, erase, OTP toggle)
-- sessions (per-user list, detail, single revoke, filtered revoke, bulk revoke)
+- sessions (global suspicious queue, per-user list, detail, single revoke,
+  filtered revoke, bulk revoke)
 - user history (per-user audit feed)
 - API keys
 - OAuth clients

diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "auth-service"
-version = "1.5.0"
+version = "1.5.1"
 description = "Authentication microservice and SDK scaffold."
 readme = "README.md"
 requires-python = ">=3.11"

diff --git a/sdk/pyproject.toml b/sdk/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "auth-service-sdk"
-version = "1.5.0"
+version = "1.5.1"
 description = "SDK middleware and client for auth-service token and API key verification."
 readme = "README.md"
 requires-python = ">=3.11"