
Button to invalidate all existing session #1920

Draft. Wants to merge 1 commit into base: master from invalidate_all_sessions

Conversation

@Soxasora (Member) commented Feb 21, 2025

Description

Completes #1017

NextAuth hates this one simple trick: we increment a column called sessionRev on User; if it's greater than the sessionRev on the token, we return an empty session.

Leveraging session polling, we can check whether the session has the correct sessionRev by comparing it with the User's sessionRev.

In exploration

Screenshots

todo: Invalidate sessions obstacle

Additional Context

I got the idea by reading this

You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.

And thought: right, we do look up the user anyway, so we'll look up sessionRev too and give it to the token.
But before surrendering on this concept, I'm going to explore whether there's something feasible that keeps the stateless nature of JWT.

Checklist

Are your changes backwards compatible? Please answer below:
Yes, sessionRev defaults to 0 if the registered token doesn't have it already

On a scale of 1-10 how well and how have you QA'd this change and any features it might affect? Please answer below:
3; in testing, it actually works

For frontend changes: Tested on mobile, light and dark mode? Please answer below:
n/a

Did you introduce any new environment variables? If so, call them out explicitly here:
No

Progress

  • Explore coupling session token with a random generated key based on user as a less expensive invalidation method
  • Invalidate sessions UI obstacle
  • Handle multi-auth (at the moment it just refreshes /)
  • Invalidate all sessions

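As an added illustration of the mechanism described in the PR (this is example code, not the PR's own commit and not NextAuth's or the project's code), the sessionRev check written as plain functions shaped like NextAuth's jwt and session callbacks. The in-memory `users` map stands in for the User table, and the names `createUser`, `invalidateAllSessions`, `jwtCallback`, `sessionCallback` and `scenario` are assumptions for the example; a real deployment would read and update the column in the database instead.

```javascript
// Added example: session-revision ("sessionRev") invalidation in the shape of
// NextAuth jwt/session callbacks. Not the PR's code. The `users` Map is a
// constructed stand-in for the User table (assumption).

const users = new Map(); // id -> { id, name, sessionRev }

function createUser(id, name) {
  const user = { id, name, sessionRev: 0 };
  users.set(id, user);
  return user;
}

// "Invalidate all sessions": bump the user's revision. Every token minted
// before the bump now carries a sessionRev smaller than the user's.
function invalidateAllSessions(userId) {
  const user = users.get(userId);
  if (!user) throw new Error(`unknown user ${userId}`);
  user.sessionRev += 1;
  return user.sessionRev;
}

// jwt-callback shape: on sign-in (user present) stamp the token with the
// user's current sessionRev. A token issued before the column existed has no
// sessionRev; treat it as 0, which is the backwards-compatibility rule the PR
// describes (such a token is valid until the first invalidation).
function jwtCallback({ token, user }) {
  if (user) {
    token.sub = user.id;
    token.sessionRev = user.sessionRev;
  }
  if (token.sessionRev === undefined) token.sessionRev = 0;
  return token;
}

// session-callback shape: on every session poll look the user up (the DB read
// the PR accepts as the cost of this approach) and compare revisions. If the
// user's revision moved past the token's, return an empty session so the
// client treats the user as signed out. Strict ">" mirrors the PR's wording.
function sessionCallback({ session, token }) {
  const user = users.get(token.sub);
  if (!user || user.sessionRev > token.sessionRev) {
    return {};
  }
  session.user = { id: user.id, name: user.name };
  session.sessionRev = token.sessionRev;
  return session;
}

// Walk through the lifecycle: two devices sign in, a legacy token without
// sessionRev is polled, all sessions are invalidated, then one device
// re-authenticates. Returns the intermediate results so they can be checked.
function scenario() {
  const alice = createUser('u1', 'alice');

  const tokenA = jwtCallback({ token: {}, user: alice }); // device A signs in
  const tokenB = jwtCallback({ token: {}, user: alice }); // device B signs in
  const legacy = jwtCallback({ token: { sub: 'u1' } });  // pre-migration token, no sessionRev

  const beforeA = sessionCallback({ session: {}, token: tokenA });
  const legacyBefore = sessionCallback({ session: {}, token: legacy });

  const newRev = invalidateAllSessions('u1');

  const afterA = sessionCallback({ session: {}, token: tokenA });
  const afterB = sessionCallback({ session: {}, token: tokenB });
  const legacyAfter = sessionCallback({ session: {}, token: legacy });

  // Device A signs in again and receives a token carrying the new revision.
  const tokenC = jwtCallback({ token: {}, user: users.get('u1') });
  const afterC = sessionCallback({ session: {}, token: tokenC });

  return { newRev, beforeA, legacyBefore, afterA, afterB, legacyAfter, afterC };
}

module.exports = { createUser, invalidateAllSessions, jwtCallback, sessionCallback, scenario };
```

Note the trade-off the PR's own "Additional Context" calls out: the token is still a signed JWT, but each session poll now costs one user lookup, and the check is only as frequent as the polling interval. A token is not revoked at the moment of the bump; it is rejected the next time the client polls.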
@Soxasora Soxasora added the feature label (new product features that weren't there before) Feb 21, 2025
@Soxasora Soxasora force-pushed the invalidate_all_sessions branch from e273894 to c9de114 on February 21, 2025 11:48
@Soxasora Soxasora force-pushed the invalidate_all_sessions branch from c9de114 to adddf18 on February 21, 2025 11:53
@Soxasora Soxasora added the auth label Feb 21, 2025