src/auth.js

@@ -6,7 +6,6 @@ const { getJwtSecret } = require("./securityConfig");
 
 const JWT_SECRET = getJwtSecret();
 const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || "7d";
-const MAX_CONCURRENT_SESSIONS = 2;
 
 const USER_CONTEXT_SELECT = `
   SELECT
@@ -170,25 +169,26 @@ function verifyToken(token) {
 
 async function startUserSession(userId, userAgent) {
   const sessionId = crypto.randomUUID();
-  await pool.query(
+  const client = await pool.connect();
+  try {
+    await client.query("BEGIN");
+    await client.query("SELECT id FROM users WHERE id = $1 FOR UPDATE", [userId]);
+    await client.query("DELETE FROM user_sessions WHERE user_id = $1", [userId]);
+    await client.query(
       "INSERT INTO user_sessions (id, user_id, user_agent, created_at) VALUES ($1, $2, $3, NOW())",
       [sessionId, userId, userAgent || null],
     );
-  await pool.query(
+    await client.query(
-    `DELETE FROM user_sessions
-     WHERE user_id = $1
-       AND id NOT IN (
-         SELECT id FROM user_sessions
-         WHERE user_id = $1
-         ORDER BY created_at DESC
-         LIMIT $2
-       )`,
-    [userId, MAX_CONCURRENT_SESSIONS],
-  );
-  await pool.query(
       "UPDATE users SET current_session_id = $1, current_session_started_at = NOW(), updated_at = NOW() WHERE id = $2",
       [sessionId, userId],
     );
+    await client.query("COMMIT");
+  } catch (error) {
+    await client.query("ROLLBACK");
+    throw error;
+  } finally {
+    client.release();
+  }
   return sessionId;
 }