fix(auth): improve sign out handling (#2030)

* fix(auth): create index on token table

* only terminate active sessions

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

internal/api/oidc/auth_request.go

@@ -154,6 +154,9 @@ func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID strin
 		logging.Log("OIDC-Ghgr3").WithError(err).Error("error retrieving user sessions")
 		return err
 	}
+	if len(userIDs) == 0 {
+		return nil
+	}
 	err = o.command.HumansSignOut(ctx, userAgentID, userIDs)
 	logging.Log("OIDC-Dggt2").OnError(err).Error("error signing out")
 	return err

internal/auth/repository/eventsourcing/eventstore/user.go

@@ -10,6 +10,7 @@ import (
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/auth/repository/eventsourcing/view"
 	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/v1"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
@@ -137,9 +138,11 @@ func (repo *UserRepo) UserSessionUserIDsByAgentID(ctx context.Context, agentID s
 	if err != nil {
 		return nil, err
 	}
-	userIDs := make([]string, len(userSessions))
-	for i, session := range userSessions {
-		userIDs[i] = session.UserID
+	userIDs := make([]string, 0, len(userSessions))
+	for _, session := range userSessions {
+		if session.State == int32(domain.UserSessionStateActive) {
+			userIDs = append(userIDs, session.UserID)
+		}
 	}
 	return userIDs, nil
 }

migrations/cockroach/V1.56__token_idx.sql

@@ -0,0 +1 @@
+CREATE INDEX IF NOT EXISTS user_user_agent_idx ON auth.tokens (user_id, user_agent_id);