From 61173290579226e5790e64dfafec7c87701ebb1d Mon Sep 17 00:00:00 2001
From: Brandon Wees <brandonwees@gmail.com>
Date: Thu, 15 May 2025 13:34:33 -0500
Subject: [PATCH] feat: add session creation endpoint (#18295)

---
 mobile/openapi/README.md                      | Bin 35130 -> 35337 bytes
 mobile/openapi/lib/api.dart                   | Bin 12554 -> 12639 bytes
 mobile/openapi/lib/api/sessions_api.dart      | Bin 3852 -> 5527 bytes
 mobile/openapi/lib/api_client.dart            | Bin 31926 -> 32110 bytes
 mobile/openapi/lib/model/permission.dart      | Bin 15823 -> 15989 bytes
 .../openapi/lib/model/session_create_dto.dart | Bin 0 -> 4733 bytes
 .../model/session_create_response_dto.dart    | Bin 0 -> 4414 bytes
 open-api/immich-openapi-specs.json            |  92 ++++++++++++++++++
 open-api/typescript-sdk/src/fetch-client.ts   |  28 ++++++
 server/src/controllers/session.controller.ts  |  10 +-
 server/src/db.d.ts                            |   2 +
 server/src/dtos/session.dto.ts                |  24 +++++
 server/src/enum.ts                            |   1 +
 server/src/queries/session.repository.sql     |   4 +
 server/src/repositories/crypto.repository.ts  |   2 +-
 server/src/repositories/session.repository.ts |  17 ++++
 .../1747329504572-AddNewSessionColumns.ts     |  15 +++
 server/src/schema/tables/session.table.ts     |   6 ++
 server/src/services/api-key.service.spec.ts   |   8 +-
 server/src/services/api-key.service.ts        |   7 +-
 server/src/services/auth.service.ts           |   8 +-
 server/src/services/cli.service.ts            |   2 +-
 server/src/services/session.service.spec.ts   |  25 +----
 server/src/services/session.service.ts        |  33 ++++---
 .../repositories/crypto.repository.mock.ts    |   2 +-
 server/test/small.factory.ts                  |   2 +
 .../user-settings-page/device-card.svelte     |   3 +
 27 files changed, 241 insertions(+), 50 deletions(-)
 create mode 100644 mobile/openapi/lib/model/session_create_dto.dart
 create mode 100644 mobile/openapi/lib/model/session_create_response_dto.dart
 create mode 100644 server/src/schema/migrations/1747329504572-AddNewSessionColumns.ts

diff --git a/mobile/openapi/README.md b/mobile/openapi/README.md
index 3aed98adf184d59719c9747b26bc68b3199badec..9544b2ddab131dc86d4e5a32ea73fcc3a85489ff 100644
GIT binary patch
delta 116
zcmdlriK%l6(}q4vmgJ(;#L2%c6~#e}lGNhV;^NHwJWYif1ud-r|KO0xS1dI*PqB=$
zGH?bfa4E@;)kw)t*4Gb)D1{5_<)&zIDd;LhLnS7E43U^r!akWlRBH3{;$Tq#=%6aw

delta 23
fcmeC2!nA7=(}q6F$?sIzHh;E^vf8}2#77hWer^g$

diff --git a/mobile/openapi/lib/api.dart b/mobile/openapi/lib/api.dart
index b2cbe222e82bf5161a7c3a9dfe353a9a5f5f202d..d0e39e09658d776811b1c9de03511f9ae9a6bed4 100644
GIT binary patch
delta 27
jcmeB5x}UTmLVofk1$nmA;^NHwyvcU#8k+;;cL@Rjpe71^

delta 12
Tcmcbg)RnX$LVojF`AvcVC^H3@

diff --git a/mobile/openapi/lib/api/sessions_api.dart b/mobile/openapi/lib/api/sessions_api.dart
index 203f801b72f950fbac8f25052ef41745ab04e4d1..9f850fb4c88dcd2b87d80bb5ff4545b55cae77be 100644
GIT binary patch
delta 446
zcmeB?o36d#03%C)e{jg;V~i$~>sb{PQ;Ul;^YfgGQWHy3T}tv}6^hYBCfjj{P2R`K
zWt|LG6AY0K&n(ICC@CrM%uCDHfQrEl!8GGFYw+Z1CTn2@TTHnCu4O{%i3J5YnaPPI
zK)2{;73b%vPmW=>hPZSt^Q6h597MX*3&kx#sl^5PdBq@)+1n|gcz_5;7jmd+qv%2L
zG<rDcY&PV%$H-okT2fk+r!YB$PjRv=r-Flyf;uiIsq1JeBo-^+lD6hj0D{Ty_+&OO
IXH4Y<03Cs&ZU6uP

delta 12
TcmbQP-6OZ*0OMwF4j*0sAFTvE

diff --git a/mobile/openapi/lib/api_client.dart b/mobile/openapi/lib/api_client.dart
index cdd69307ad925f97caa42432bfa9ee53a967703c..f40d09ecc3952bc4735d93a28887aeb9af47d370 100644
GIT binary patch
delta 55
zcmdn?lkwdz#toALCcn3mWerX(F3y~+;G)e1X65HO7o|=v^i*Ppawl(;GTht~prr!<
DmKPQZ

delta 14
WcmaF&i*ege#toALHhTvu>i_^e+6K!2

diff --git a/mobile/openapi/lib/model/permission.dart b/mobile/openapi/lib/model/permission.dart
index 1735bc2eb5ca4b1cca1ea7a085130ae1ece90f71..73ecbd5868492d2ba18d7a7cb0c0d1ede600ed02 100644
GIT binary patch
delta 73
zcmX?K{k3MpF~P|*c_k(*2ysk4#3niUw;=E2m%L&i{^lownLKRHMX8A;sgnccgg5)j
d9TT4{WFa$I*NkWK5;gJ3er6n-h0XS`0{{)n8NmPm

delta 22
ecmexbbG~}RF~Q9|LhU@8*T@|c-@Mao4?6&Yj0$D|

diff --git a/mobile/openapi/lib/model/session_create_dto.dart b/mobile/openapi/lib/model/session_create_dto.dart
new file mode 100644
index 0000000000000000000000000000000000000000..aacf1150a51e3e817baeff8b0cecd7b2dfae7b16
GIT binary patch
literal 4733
zcmeHLTW=ai6n^Jd99vPq>INr$ib%nUV!KKjn<{oIRmei)-2o<9cInKl5pwwN{mxuq
zxj43}s!w@{1GDG;edo+sj*lD1$Mo)x>;8*h&o0kCzq>v=rSlJ;&JsH9(`EmfF8Ze*
z&i^`q7)!p*gtpzE+pk_X_^TQhrIy1{sfQz#%MMjVWn?y#xtz+vCh@zP&Pr|fYKVL;
z7G^lB>`=?UE2W`ch$;TggvS3?Y6Iii>{n0A!dOw*p~~P;jg-_*-RyOit3sM#UKV4B
z*@-BIuU`(+iO{CefICa&h{~BP#7wpE?@gnT=E4}dlE$dAc(0|f^3;}e-yk|h0X|Dx
z>B5kpLe6QhEq6o8g_p`U6t<tX*b0%IDAUg5ol0f@D%n1|Ud&|uu+qXJ6h2xWAwU<0
z|4YB;QW!}^X#vGG%+gFF9c>q6CS{dpG!b`_Zlx?BRJ<svJQugQJfJI8q!N)xGBcT?
zjH&ZNjA}5RmC~?jq?G1WCXsU{N21Ct-HE)C)T)ds#?HuLc+xpsMR1hRq@2q;sS_tM
zmW4zrG7IKSS!sljmasgnjHQvtbGjAjS3<oJH`_*;L&#)N7cMHJ@E#-p{+dLVd9ghK
zAnpeebPk}8$0!+BFBpdTE30Ag1gUy_epLMbtvJ&^)|`xQL&{<kFs4Rg24u!lArRt1
z6>3^dJuy4<YUAOLF8R;9q^PE7k${SW>urfn*Jvt~{<bW09;;~gQd76v>fe5mDTXcP
zjXt7okNogXMc(2TOyZMo-~1;+TW$|edj1@y$qTH;C#<hpb)N*&X)WWvZQ2PrIGKm?
zQH7<kv=~Ze@}B2ax937xU5I=S7BU4}g<kMIhO22Jjbf4#wc;#cCp^#SgkDl-7570q
z8a|?*>KZZl9UXqKPpg(pT_+sZG<G2KV-JJTe`q<Bn%fu*VkX^Z@lz7g;E>`ef5v%m
zi_`Gwrs@1%h}kdR4TKiB`&HV5=Z~f=;Md=gBUOl;zTk+uv?G1LeB<h*M&t;zro(}+
za5O{C#6UM=xXl~b+qi(er6tK6H>r0HT=(j6O@sJ8_YSV_2f!lRA@JE#f>`N397e?d
z!61S_Erf9LNC0)cZTH%(M6O_LWf@kKr>{yRij4fmXh>P(r?{b!E~hZa7yiI)9N4Z#
z5NPuHH2{ll65md4uFRDQ*Lc`cJ6J{J2z#Gf8FiIn7?~lDsUbE<tI{Es%}MEQ5`VBW
zb52|gj+lX{KDJ1&YBts);{~zh0!-*|yJZfsv+)pMs`|AFvkkFF6NHtkMs+9BPKB{M
zq;L7{kBx<rZ~JOFPb?7W-l3_O{mI)}f5iL=Mtd#ptb}TPapZT-wK9u8QQa}KZXnR5
z19+xwj6)+^&1d)QlUs2`re$-b6sojz8HDsA(Hx@!LZ1{@W@|g|QI6wt&}9QEpX0r|
zjmEm1^X7~0$DV0qvWx)u@@r{$vE^B_ZG3REMvzVN<-}p&x^bj$D|1=ev+2w(qD_E`
zi?0<-mvdfQSatn8!tN>2-C<sv$?vj3;GsB-&6-9#J<gAP8f~n_o@_NuUs~=@7ThRw
z(6S|`)rzI+Q2gYq)KREU@SS=w<@RC`v-f3zRDHDXn5obBSa$gRZq=P!*Q4@K4`H6H
z2Sj}19O9)9@3#C7>+kFh1aYbt5yLirQ_{q2xSBqr$FX#V+D@*9%p;hhPy?^{RWA7Y
za{8W=YbYb68^A)fHj)__9-XdArC-VB%1&^^{lo9V+bF#7V$cdxnO~jo9>}lGum&oH
zzPza2>CB?tHtMkgKibQUgr3%?uu*5t1FrrJcb-U#r%)`6;o1y%ltIXA6Xb0q+6>XE
zbTuL+t2SLXY_ek4o^FS$8YzzPyMbKcAAgY{P|aXZ5`dZC&2J@NrUq`g4Fr9>>R<9Z
bb3otSuoyo6=bYbIceS<k?jeVL4fEq4UCjQy

literal 0
HcmV?d00001

diff --git a/mobile/openapi/lib/model/session_create_response_dto.dart b/mobile/openapi/lib/model/session_create_response_dto.dart
new file mode 100644
index 0000000000000000000000000000000000000000..1ef346c96a4a2fe7d519e34aeb556fe4fac2b148
GIT binary patch
literal 4414
zcmbVPZExE)5dQ98aV>({!Bl74ry`xb7EL;|Yh$3z1`I|ZFcKZJQzVU~8W?H*`|ge}
zl47X|`XLT^FXX*EcSju^O^%M>^<U?!=YO1@oql?KetH6L-+eeu;A917t8@6cI(hf@
zpC>3rlCN^1?c&$@FE1vvRaa%DWxA<!x>1EZhNf(c%u`v&YgyVP?A3K$X*;MPiW{*r
zY2DaV%l{gsQN0w`_*)B&|E<&p57%Z`J*!G%MQKx&<ArLYq-J$9cv+!JY0{!9uTacx
zMVY?%InB00o5=*PvruiIs%0r^HOIe~lSx(xW8kwiMpfk-Erpezq^a>%d15QLod6tR
zAU;Xk=+c0IQr^INO#T8Co14iwDvn9b=v06Z4zOEg<{96ezqZK`v(cL3J;2K4SCz@t
z=W*Wou9ibwl@C#E^{*_47)_mHaJ+$chZsBb&}vm)LA0HTmsM3j<}B_?1xxp7WMP-8
z^6ri;>Jp+QOng;+m0BY_&>p@T6Rd@;G%Oag)#VqNVcP9h>O)v8!NDjK#f+k!1kSf_
zZUyQ)V0iY7<Ijh+`NC`306<^H1%V~}vd0e*A%VCakf8XqGQ8_ashqg@+oN*ah~XAJ
zUJN1e<7O|Os<dz=Eo_C^zNvCFV#y(ht${j1DKjh|p?6f#h|;Yz%COih0%IOdIE0@(
z%LQbg5dtyBA@}!rD&MEE-}~g~Zp+$p+ymQIZZTu*Oveg(9sOJ!#AOm{0BO$GBqn)r
z5WEaD@+weionSf_2Uwymdy4~h1{-du!o@*cUQF5kkD~s~nTv<+u*a%wiQ4Z?Rigc_
z=WJ9d3iyH~Siqk2?cGaG4zR>pPop!_3zYBosr#bN$Bv*Q+!G6aw{n3pC`h5WFG{p~
z!YXftsCiI(jZSdnT0U>@iNsL0Vv*!TH4gxe3lZ+9`~A>h08!@P=A{8;4SW?vBMoeH
zb?whwGYMzO1_h=xbk>;Liv-H1C|sYqQHDoMrx0r`H#qfpVCp8r253@hjVaDgtFjbF
z?Y7FPFdboZJpInLFl;=GoQ(lPO?{<BPUCULh9>ZItT3M9n4nCcCr+07EBX?S0_Xvf
zkDF)0*ga^@+`ys3d@9E7obin$7}0wS*P{NL;=I}rdi?3j85KeTU7R02akG#09fJ3?
zY07kTJ@C7l0n>Y`u0C7kAUNIECPN>o&sEYrLFEr>V##zhxGEl0a;4POi)HelZj|iY
z>)~<7Df4+HkjE19Q2n3?5+jeaB^1bhi}lmPtjp~!KMAgMbt5hdoL{gJg^|f!K%m2)
zmZm8zx5Tka))y_5>1aYSnT0c#yTV+Vv&x=c*LD}qMs(vVWah7^Zt!u)qAfq*pMj6p
zkGVLf?!exmBR*(^(6+9gEVw&#kETi?x8@?xUG;S|UC61C(K)>Ycr9Czd$SO_V+bog
zg&UyHPIvH(d9b7s9L!NL*@X$EI1T);OhyB;45Nx75YmBmd^Z~`w{Y1SYckl>{a4R1
z#1E7dzY*|Lh(3AT!={&6r0QMB?VNT>n&1^h*Ln8%9P@#5mhWWjfm~zY)=u$Xxua>#
z`VO;gibJY<2}jjfaOgg6Y36XWD))ZAQFe<Ysx$h88cXtXCyv^Ftl{$m)##g&PDQ8<
zAcjyjUfYZt5*fr!0*|Y2yu6F52d?}PY&{Y-kAa|{U!C6ZAi~hUe)7jMG^Z5CP<DWp
z#PV(nJ&EWW=n{Bk2Q)`;zLgOl@yiyWXz<x6F#Qce=TZW`QVd>8<s#ty=hYc~D0@`!
z(<Ocu|4F*>k-EI)uykIeZcb1A+j{D^aiI40JRm&<2cKWLY34WWcp?Hmgt5c@57;l1
AtN;K2

literal 0
HcmV?d00001

diff --git a/open-api/immich-openapi-specs.json b/open-api/immich-openapi-specs.json
index 2dbec3507..d4a1e219c 100644
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -5618,6 +5618,46 @@
         "tags": [
           "Sessions"
         ]
+      },
+      "post": {
+        "operationId": "createSession",
+        "parameters": [],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/SessionCreateDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "201": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/SessionCreateResponseDto"
+                }
+              }
+            },
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          },
+          {
+            "cookie": []
+          },
+          {
+            "api_key": []
+          }
+        ],
+        "tags": [
+          "Sessions"
+        ]
       }
     },
     "/sessions/{id}": {
@@ -11052,6 +11092,7 @@
           "person.statistics",
           "person.merge",
           "person.reassign",
+          "session.create",
           "session.read",
           "session.update",
           "session.delete",
@@ -12038,6 +12079,57 @@
         ],
         "type": "object"
       },
+      "SessionCreateDto": {
+        "properties": {
+          "deviceOS": {
+            "type": "string"
+          },
+          "deviceType": {
+            "type": "string"
+          },
+          "duration": {
+            "description": "session duration, in seconds",
+            "minimum": 1,
+            "type": "number"
+          }
+        },
+        "type": "object"
+      },
+      "SessionCreateResponseDto": {
+        "properties": {
+          "createdAt": {
+            "type": "string"
+          },
+          "current": {
+            "type": "boolean"
+          },
+          "deviceOS": {
+            "type": "string"
+          },
+          "deviceType": {
+            "type": "string"
+          },
+          "id": {
+            "type": "string"
+          },
+          "token": {
+            "type": "string"
+          },
+          "updatedAt": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "createdAt",
+          "current",
+          "deviceOS",
+          "deviceType",
+          "id",
+          "token",
+          "updatedAt"
+        ],
+        "type": "object"
+      },
       "SessionResponseDto": {
         "properties": {
           "createdAt": {
diff --git a/open-api/typescript-sdk/src/fetch-client.ts b/open-api/typescript-sdk/src/fetch-client.ts
index ad7413e6f..de0a723ff 100644
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@@ -1078,6 +1078,21 @@ export type SessionResponseDto = {
     id: string;
     updatedAt: string;
 };
+export type SessionCreateDto = {
+    deviceOS?: string;
+    deviceType?: string;
+    /** session duration, in seconds */
+    duration?: number;
+};
+export type SessionCreateResponseDto = {
+    createdAt: string;
+    current: boolean;
+    deviceOS: string;
+    deviceType: string;
+    id: string;
+    token: string;
+    updatedAt: string;
+};
 export type SharedLinkResponseDto = {
     album?: AlbumResponseDto;
     allowDownload: boolean;
@@ -2917,6 +2932,18 @@ export function getSessions(opts?: Oazapfts.RequestOpts) {
         ...opts
     }));
 }
+export function createSession({ sessionCreateDto }: {
+    sessionCreateDto: SessionCreateDto;
+}, opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchJson<{
+        status: 201;
+        data: SessionCreateResponseDto;
+    }>("/sessions", oazapfts.json({
+        ...opts,
+        method: "POST",
+        body: sessionCreateDto
+    })));
+}
 export function deleteSession({ id }: {
     id: string;
 }, opts?: Oazapfts.RequestOpts) {
@@ -3678,6 +3705,7 @@ export enum Permission {
     PersonStatistics = "person.statistics",
     PersonMerge = "person.merge",
     PersonReassign = "person.reassign",
+    SessionCreate = "session.create",
     SessionRead = "session.read",
     SessionUpdate = "session.update",
     SessionDelete = "session.delete",
diff --git a/server/src/controllers/session.controller.ts b/server/src/controllers/session.controller.ts
index d526c2e59..addcfd8fe 100644
--- a/server/src/controllers/session.controller.ts
+++ b/server/src/controllers/session.controller.ts
@@ -1,7 +1,7 @@
-import { Controller, Delete, Get, HttpCode, HttpStatus, Param } from '@nestjs/common';
+import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param, Post } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { SessionResponseDto } from 'src/dtos/session.dto';
+import { SessionCreateDto, SessionCreateResponseDto, SessionResponseDto } from 'src/dtos/session.dto';
 import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { SessionService } from 'src/services/session.service';
@@ -12,6 +12,12 @@ import { UUIDParamDto } from 'src/validation';
 export class SessionController {
   constructor(private service: SessionService) {}
 
+  @Post()
+  @Authenticated({ permission: Permission.SESSION_CREATE })
+  createSession(@Auth() auth: AuthDto, @Body() dto: SessionCreateDto): Promise<SessionCreateResponseDto> {
+    return this.service.create(auth, dto);
+  }
+
   @Get()
   @Authenticated({ permission: Permission.SESSION_READ })
   getSessions(@Auth() auth: AuthDto): Promise<SessionResponseDto[]> {
diff --git a/server/src/db.d.ts b/server/src/db.d.ts
index 1fd7fdc22..6efbd5f7d 100644
--- a/server/src/db.d.ts
+++ b/server/src/db.d.ts
@@ -343,6 +343,8 @@ export interface Sessions {
   deviceOS: Generated<string>;
   deviceType: Generated<string>;
   id: Generated<string>;
+  parentId: string | null;
+  expiredAt: Date | null;
   token: string;
   updatedAt: Generated<Timestamp>;
   updateId: Generated<string>;
diff --git a/server/src/dtos/session.dto.ts b/server/src/dtos/session.dto.ts
index b54264a5b..f109e44fa 100644
--- a/server/src/dtos/session.dto.ts
+++ b/server/src/dtos/session.dto.ts
@@ -1,4 +1,24 @@
+import { IsInt, IsPositive, IsString } from 'class-validator';
 import { Session } from 'src/database';
+import { Optional } from 'src/validation';
+
+export class SessionCreateDto {
+  /**
+   * session duration, in seconds
+   */
+  @IsInt()
+  @IsPositive()
+  @Optional()
+  duration?: number;
+
+  @IsString()
+  @Optional()
+  deviceType?: string;
+
+  @IsString()
+  @Optional()
+  deviceOS?: string;
+}
 
 export class SessionResponseDto {
   id!: string;
@@ -9,6 +29,10 @@ export class SessionResponseDto {
   deviceOS!: string;
 }
 
+export class SessionCreateResponseDto extends SessionResponseDto {
+  token!: string;
+}
+
 export const mapSession = (entity: Session, currentId?: string): SessionResponseDto => ({
   id: entity.id,
   createdAt: entity.createdAt.toISOString(),
diff --git a/server/src/enum.ts b/server/src/enum.ts
index fedfaa6b7..c6feb27dc 100644
--- a/server/src/enum.ts
+++ b/server/src/enum.ts
@@ -144,6 +144,7 @@ export enum Permission {
   PERSON_MERGE = 'person.merge',
   PERSON_REASSIGN = 'person.reassign',
 
+  SESSION_CREATE = 'session.create',
   SESSION_READ = 'session.read',
   SESSION_UPDATE = 'session.update',
   SESSION_DELETE = 'session.delete',
diff --git a/server/src/queries/session.repository.sql b/server/src/queries/session.repository.sql
index c2daa2a49..b265380a1 100644
--- a/server/src/queries/session.repository.sql
+++ b/server/src/queries/session.repository.sql
@@ -36,6 +36,10 @@ from
   "sessions"
 where
   "sessions"."token" = $1
+  and (
+    "sessions"."expiredAt" is null
+    or "sessions"."expiredAt" > $2
+  )
 
 -- SessionRepository.getByUserId
 select
diff --git a/server/src/repositories/crypto.repository.ts b/server/src/repositories/crypto.repository.ts
index e471ccb03..c3136db45 100644
--- a/server/src/repositories/crypto.repository.ts
+++ b/server/src/repositories/crypto.repository.ts
@@ -54,7 +54,7 @@ export class CryptoRepository {
     });
   }
 
-  newPassword(bytes: number) {
+  randomBytesAsText(bytes: number) {
     return randomBytes(bytes).toString('base64').replaceAll(/\W/g, '');
   }
 }
diff --git a/server/src/repositories/session.repository.ts b/server/src/repositories/session.repository.ts
index 742807dc9..ce819470c 100644
--- a/server/src/repositories/session.repository.ts
+++ b/server/src/repositories/session.repository.ts
@@ -1,6 +1,7 @@
 import { Injectable } from '@nestjs/common';
 import { Insertable, Kysely, Updateable } from 'kysely';
 import { jsonObjectFrom } from 'kysely/helpers/postgres';
+import { DateTime } from 'luxon';
 import { InjectKysely } from 'nestjs-kysely';
 import { columns } from 'src/database';
 import { DB, Sessions } from 'src/db';
@@ -13,6 +14,19 @@ export type SessionSearchOptions = { updatedBefore: Date };
 export class SessionRepository {
   constructor(@InjectKysely() private db: Kysely<DB>) {}
 
+  cleanup() {
+    return this.db
+      .deleteFrom('sessions')
+      .where((eb) =>
+        eb.or([
+          eb('updatedAt', '<=', DateTime.now().minus({ days: 90 }).toJSDate()),
+          eb.and([eb('expiredAt', 'is not', null), eb('expiredAt', '<=', DateTime.now().toJSDate())]),
+        ]),
+      )
+      .returning(['id', 'deviceOS', 'deviceType'])
+      .execute();
+  }
+
   @GenerateSql({ params: [{ updatedBefore: DummyValue.DATE }] })
   search(options: SessionSearchOptions) {
     return this.db
@@ -37,6 +51,9 @@ export class SessionRepository {
         ).as('user'),
       ])
       .where('sessions.token', '=', token)
+      .where((eb) =>
+        eb.or([eb('sessions.expiredAt', 'is', null), eb('sessions.expiredAt', '>', DateTime.now().toJSDate())]),
+      )
       .executeTakeFirst();
   }
 
diff --git a/server/src/schema/migrations/1747329504572-AddNewSessionColumns.ts b/server/src/schema/migrations/1747329504572-AddNewSessionColumns.ts
new file mode 100644
index 000000000..d3cf8de17
--- /dev/null
+++ b/server/src/schema/migrations/1747329504572-AddNewSessionColumns.ts
@@ -0,0 +1,15 @@
+import { Kysely, sql } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await sql`ALTER TABLE "sessions" ADD "expiredAt" timestamp with time zone;`.execute(db);
+  await sql`ALTER TABLE "sessions" ADD "parentId" uuid;`.execute(db);
+  await sql`ALTER TABLE "sessions" ADD CONSTRAINT "FK_afbbabbd7daf5b91de4dca84de8" FOREIGN KEY ("parentId") REFERENCES "sessions" ("id") ON UPDATE CASCADE ON DELETE CASCADE;`.execute(db);
+  await sql`CREATE INDEX "IDX_afbbabbd7daf5b91de4dca84de" ON "sessions" ("parentId")`.execute(db);
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await sql`DROP INDEX "IDX_afbbabbd7daf5b91de4dca84de";`.execute(db);
+  await sql`ALTER TABLE "sessions" DROP CONSTRAINT "FK_afbbabbd7daf5b91de4dca84de8";`.execute(db);
+  await sql`ALTER TABLE "sessions" DROP COLUMN "expiredAt";`.execute(db);
+  await sql`ALTER TABLE "sessions" DROP COLUMN "parentId";`.execute(db);
+}
diff --git a/server/src/schema/tables/session.table.ts b/server/src/schema/tables/session.table.ts
index 090b469b5..9cc41c5bb 100644
--- a/server/src/schema/tables/session.table.ts
+++ b/server/src/schema/tables/session.table.ts
@@ -25,9 +25,15 @@ export class SessionTable {
   @UpdateDateColumn()
   updatedAt!: Date;
 
+  @Column({ type: 'timestamp with time zone', nullable: true })
+  expiredAt!: Date | null;
+
   @ForeignKeyColumn(() => UserTable, { onUpdate: 'CASCADE', onDelete: 'CASCADE' })
   userId!: string;
 
+  @ForeignKeyColumn(() => SessionTable, { onUpdate: 'CASCADE', onDelete: 'CASCADE', nullable: true })
+  parentId!: string | null;
+
   @Column({ default: '' })
   deviceType!: string;
 
diff --git a/server/src/services/api-key.service.spec.ts b/server/src/services/api-key.service.spec.ts
index 680cd38f1..784c94414 100644
--- a/server/src/services/api-key.service.spec.ts
+++ b/server/src/services/api-key.service.spec.ts
@@ -18,7 +18,7 @@ describe(ApiKeyService.name, () => {
       const apiKey = factory.apiKey({ userId: auth.user.id, permissions: [Permission.ALL] });
       const key = 'super-secret';
 
-      mocks.crypto.newPassword.mockReturnValue(key);
+      mocks.crypto.randomBytesAsText.mockReturnValue(key);
       mocks.apiKey.create.mockResolvedValue(apiKey);
 
       await sut.create(auth, { name: apiKey.name, permissions: apiKey.permissions });
@@ -29,7 +29,7 @@ describe(ApiKeyService.name, () => {
         permissions: apiKey.permissions,
         userId: apiKey.userId,
       });
-      expect(mocks.crypto.newPassword).toHaveBeenCalled();
+      expect(mocks.crypto.randomBytesAsText).toHaveBeenCalled();
       expect(mocks.crypto.hashSha256).toHaveBeenCalled();
     });
 
@@ -38,7 +38,7 @@ describe(ApiKeyService.name, () => {
       const apiKey = factory.apiKey({ userId: auth.user.id });
       const key = 'super-secret';
 
-      mocks.crypto.newPassword.mockReturnValue(key);
+      mocks.crypto.randomBytesAsText.mockReturnValue(key);
       mocks.apiKey.create.mockResolvedValue(apiKey);
 
       await sut.create(auth, { permissions: [Permission.ALL] });
@@ -49,7 +49,7 @@ describe(ApiKeyService.name, () => {
         permissions: [Permission.ALL],
         userId: auth.user.id,
       });
-      expect(mocks.crypto.newPassword).toHaveBeenCalled();
+      expect(mocks.crypto.randomBytesAsText).toHaveBeenCalled();
       expect(mocks.crypto.hashSha256).toHaveBeenCalled();
     });
 
diff --git a/server/src/services/api-key.service.ts b/server/src/services/api-key.service.ts
index 33861d82c..49d4183b0 100644
--- a/server/src/services/api-key.service.ts
+++ b/server/src/services/api-key.service.ts
@@ -9,20 +9,21 @@ import { isGranted } from 'src/utils/access';
 @Injectable()
 export class ApiKeyService extends BaseService {
   async create(auth: AuthDto, dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> {
-    const secret = this.cryptoRepository.newPassword(32);
+    const token = this.cryptoRepository.randomBytesAsText(32);
+    const tokenHashed = this.cryptoRepository.hashSha256(token);
 
     if (auth.apiKey && !isGranted({ requested: dto.permissions, current: auth.apiKey.permissions })) {
       throw new BadRequestException('Cannot grant permissions you do not have');
     }
 
     const entity = await this.apiKeyRepository.create({
-      key: this.cryptoRepository.hashSha256(secret),
+      key: tokenHashed,
       name: dto.name || 'API Key',
       userId: auth.user.id,
       permissions: dto.permissions,
     });
 
-    return { secret, apiKey: this.map(entity) };
+    return { secret: token, apiKey: this.map(entity) };
   }
 
   async update(auth: AuthDto, id: string, dto: APIKeyUpdateDto): Promise<APIKeyResponseDto> {
diff --git a/server/src/services/auth.service.ts b/server/src/services/auth.service.ts
index 496c25264..7bda2eeb9 100644
--- a/server/src/services/auth.service.ts
+++ b/server/src/services/auth.service.ts
@@ -492,17 +492,17 @@ export class AuthService extends BaseService {
   }
 
   private async createLoginResponse(user: UserAdmin, loginDetails: LoginDetails) {
-    const key = this.cryptoRepository.newPassword(32);
-    const token = this.cryptoRepository.hashSha256(key);
+    const token = this.cryptoRepository.randomBytesAsText(32);
+    const tokenHashed = this.cryptoRepository.hashSha256(token);
 
     await this.sessionRepository.create({
-      token,
+      token: tokenHashed,
       deviceOS: loginDetails.deviceOS,
       deviceType: loginDetails.deviceType,
       userId: user.id,
     });
 
-    return mapLoginResponse(user, key);
+    return mapLoginResponse(user, token);
   }
 
   private getClaim<T>(profile: OAuthProfile, options: ClaimOptions<T>): T {
diff --git a/server/src/services/cli.service.ts b/server/src/services/cli.service.ts
index 87e004845..f6173c69f 100644
--- a/server/src/services/cli.service.ts
+++ b/server/src/services/cli.service.ts
@@ -17,7 +17,7 @@ export class CliService extends BaseService {
     }
 
     const providedPassword = await ask(mapUserAdmin(admin));
-    const password = providedPassword || this.cryptoRepository.newPassword(24);
+    const password = providedPassword || this.cryptoRepository.randomBytesAsText(24);
     const hashedPassword = await this.cryptoRepository.hashBcrypt(password, SALT_ROUNDS);
 
     await this.userRepository.update(admin.id, { password: hashedPassword });
diff --git a/server/src/services/session.service.spec.ts b/server/src/services/session.service.spec.ts
index 6e26b2640..7ac338da8 100644
--- a/server/src/services/session.service.spec.ts
+++ b/server/src/services/session.service.spec.ts
@@ -17,30 +17,9 @@ describe('SessionService', () => {
   });
 
   describe('handleCleanup', () => {
-    it('should return skipped if nothing is to be deleted', async () => {
-      mocks.session.search.mockResolvedValue([]);
-      await expect(sut.handleCleanup()).resolves.toEqual(JobStatus.SKIPPED);
-      expect(mocks.session.search).toHaveBeenCalled();
-    });
-
-    it('should delete sessions', async () => {
-      mocks.session.search.mockResolvedValue([
-        {
-          createdAt: new Date('1970-01-01T00:00:00.00Z'),
-          updatedAt: new Date('1970-01-02T00:00:00.00Z'),
-          deviceOS: '',
-          deviceType: '',
-          id: '123',
-          token: '420',
-          userId: '42',
-          updateId: 'uuid-v7',
-          pinExpiresAt: null,
-        },
-      ]);
-      mocks.session.delete.mockResolvedValue();
-
+    it('should clean sessions', async () => {
+      mocks.session.cleanup.mockResolvedValue([]);
       await expect(sut.handleCleanup()).resolves.toEqual(JobStatus.SUCCESS);
-      expect(mocks.session.delete).toHaveBeenCalledWith('123');
     });
   });
 
diff --git a/server/src/services/session.service.ts b/server/src/services/session.service.ts
index 6b0632cd4..9f49cda07 100644
--- a/server/src/services/session.service.ts
+++ b/server/src/services/session.service.ts
@@ -1,8 +1,8 @@
-import { Injectable } from '@nestjs/common';
+import { BadRequestException, Injectable } from '@nestjs/common';
 import { DateTime } from 'luxon';
 import { OnJob } from 'src/decorators';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { SessionResponseDto, mapSession } from 'src/dtos/session.dto';
+import { SessionCreateDto, SessionCreateResponseDto, SessionResponseDto, mapSession } from 'src/dtos/session.dto';
 import { JobName, JobStatus, Permission, QueueName } from 'src/enum';
 import { BaseService } from 'src/services/base.service';
 
@@ -10,16 +10,8 @@ import { BaseService } from 'src/services/base.service';
 export class SessionService extends BaseService {
   @OnJob({ name: JobName.CLEAN_OLD_SESSION_TOKENS, queue: QueueName.BACKGROUND_TASK })
   async handleCleanup(): Promise<JobStatus> {
-    const sessions = await this.sessionRepository.search({
-      updatedBefore: DateTime.now().minus({ days: 90 }).toJSDate(),
-    });
-
-    if (sessions.length === 0) {
-      return JobStatus.SKIPPED;
-    }
-
+    const sessions = await this.sessionRepository.cleanup();
     for (const session of sessions) {
-      await this.sessionRepository.delete(session.id);
       this.logger.verbose(`Deleted expired session token: ${session.deviceOS}/${session.deviceType}`);
     }
 
@@ -28,6 +20,25 @@ export class SessionService extends BaseService {
     return JobStatus.SUCCESS;
   }
 
+  async create(auth: AuthDto, dto: SessionCreateDto): Promise<SessionCreateResponseDto> {
+    if (!auth.session) {
+      throw new BadRequestException('This endpoint can only be used with a session token');
+    }
+
+    const token = this.cryptoRepository.randomBytesAsText(32);
+    const tokenHashed = this.cryptoRepository.hashSha256(token);
+    const session = await this.sessionRepository.create({
+      parentId: auth.session.id,
+      userId: auth.user.id,
+      expiredAt: dto.duration ? DateTime.now().plus({ seconds: dto.duration }).toJSDate() : null,
+      deviceType: dto.deviceType,
+      deviceOS: dto.deviceOS,
+      token: tokenHashed,
+    });
+
+    return { ...mapSession(session), token };
+  }
+
   async getAll(auth: AuthDto): Promise<SessionResponseDto[]> {
     const sessions = await this.sessionRepository.getByUserId(auth.user.id);
     return sessions.map((session) => mapSession(session, auth.session?.id));
diff --git a/server/test/repositories/crypto.repository.mock.ts b/server/test/repositories/crypto.repository.mock.ts
index 9d32a8898..1167923c0 100644
--- a/server/test/repositories/crypto.repository.mock.ts
+++ b/server/test/repositories/crypto.repository.mock.ts
@@ -12,6 +12,6 @@ export const newCryptoRepositoryMock = (): Mocked<RepositoryInterface<CryptoRepo
     verifySha256: vitest.fn().mockImplementation(() => true),
     hashSha1: vitest.fn().mockImplementation((input) => Buffer.from(`${input.toString()} (hashed)`)),
     hashFile: vitest.fn().mockImplementation((input) => `${input} (file-hashed)`),
-    newPassword: vitest.fn().mockReturnValue(Buffer.from('random-bytes').toString('base64')),
+    randomBytesAsText: vitest.fn().mockReturnValue(Buffer.from('random-bytes').toString('base64')),
   };
 };
diff --git a/server/test/small.factory.ts b/server/test/small.factory.ts
index 01091854f..231deeba8 100644
--- a/server/test/small.factory.ts
+++ b/server/test/small.factory.ts
@@ -126,6 +126,8 @@ const sessionFactory = (session: Partial<Session> = {}) => ({
   deviceOS: 'android',
   deviceType: 'mobile',
   token: 'abc123',
+  parentId: null,
+  expiredAt: null,
   userId: newUuid(),
   pinExpiresAt: newDate(),
   ...session,
diff --git a/web/src/lib/components/user-settings-page/device-card.svelte b/web/src/lib/components/user-settings-page/device-card.svelte
index ad0b62192..47636fe4b 100644
--- a/web/src/lib/components/user-settings-page/device-card.svelte
+++ b/web/src/lib/components/user-settings-page/device-card.svelte
@@ -7,6 +7,7 @@
     mdiAndroid,
     mdiApple,
     mdiAppleSafari,
+    mdiCast,
     mdiGoogleChrome,
     mdiHelp,
     mdiLinux,
@@ -46,6 +47,8 @@
       <Icon path={mdiUbuntu} size="40" />
     {:else if device.deviceOS === 'Chrome OS' || device.deviceType === 'Chrome' || device.deviceType === 'Chromium' || device.deviceType === 'Mobile Chrome'}
       <Icon path={mdiGoogleChrome} size="40" />
+    {:else if device.deviceOS === 'Google Cast'}
+      <Icon path={mdiCast} size="40" />
     {:else}
       <Icon path={mdiHelp} size="40" />
     {/if}