sessions 0.1.0

data/app/controllers/sessions/application_controller.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+module Sessions
+  # Base controller for the devices page. It inherits from the HOST's
+  # controller (config.parent_controller, "::ApplicationController" by
+  # default) so the host's layout, helpers, auth filters, locale switching
+  # and exception handling all apply for free — the same integration style
+  # as Devise, api_keys and chats.
+  #
+  # Authentication is a CHAIN, so both stacks work with zero configuration:
+  #
+  #   - Devise hosts: `config.authenticate_method` (:authenticate_user! by
+  #     default) exists and runs.
+  #   - Rails 8 omakase hosts: the inherited Authentication concern already
+  #     registered `before_action :require_authentication` on the parent —
+  #     parent callbacks run before ours, so anonymous visitors were
+  #     redirected before this controller does anything.
+  #   - Anything else: the final guard 404s rather than leaking the page.
+  #
+  # NOTE: the superclass is resolved when this class is autoloaded, which in
+  # a booted app happens AFTER initializers — so `config.parent_controller`
+  # set in config/initializers/sessions.rb is honored, and in development
+  # the class reloads pick up config changes too.
+  class ApplicationController < Sessions.config.parent_controller.constantize
+    # The omakase Authentication concern's `request_authentication` redirects
+    # with `new_session_path` — a HOST route helper, which named-helper
+    # dispatch resolves against the ENGINE's routes from in here (helpers
+    # call the receiver's url_for → the engine's _routes) and explodes. We
+    # skip the inherited filter and re-enforce the exact same behavior
+    # engine-safely in sessions_authenticate! below (raise: false makes this
+    # a no-op on Devise and custom stacks that don't have the filter).
+    skip_before_action :require_authentication, raise: false
+
+    before_action :sessions_authenticate!
+
+    helper Sessions::EngineHelper
+    helper_method :sessions_current_user, :sessions_current_session
+
+    # nil falls through to the parent controller's regular layout
+    # resolution, so by default the page looks like the rest of the host.
+    layout :sessions_layout
+
+    private
+
+    # The host's auth filters run INSIDE this engine controller (that's the
+    # whole point of the parent_controller inheritance) — and they reference
+    # the host's OWN route helpers (`new_session_path` in the omakase
+    # concern, custom redirects in hand-rolled filters), which an isolated
+    # engine can't resolve. Delegate unknown URL helpers to main_app so the
+    # host's code works here unmodified — the standard engine idiom.
+    def method_missing(method, *args, &block)
+      if method.to_s.end_with?("_path", "_url") && main_app.respond_to?(method)
+        main_app.public_send(method, *args, &block)
+      else
+        super
+      end
+    end
+
+    def respond_to_missing?(method, include_private = false)
+      (method.to_s.end_with?("_path", "_url") && main_app.respond_to?(method)) || super
+    end
+
+    # The signed-in user, via the resolver chain: configured method →
+    # :current_user → ::Current.session&.user (the omakase shape).
+    def sessions_current_user
+      @sessions_current_user ||= sessions_resolve_user
+    end
+
+    # The registry row serving THIS request — the row the page badges as
+    # "this device" and refuses to revoke.
+    def sessions_current_session
+      @sessions_current_session ||= Sessions.current(request)
+    end
+
+    def sessions_resolve_user
+      configured = Sessions.config.current_user_method
+      return send(configured) if configured && respond_to?(configured, true)
+      return current_user if respond_to?(:current_user, true)
+
+      ::Current.try(:session)&.user if defined?(::Current)
+    end
+
+    def sessions_authenticate!
+      method = Sessions.config.authenticate_method
+      if method && respond_to?(method, true)
+        # Devise hosts (and anything that defines the configured filter).
+        send(method)
+        return if performed?
+      elsif respond_to?(:resume_session, true)
+        # Omakase hosts: the same require_authentication contract as the
+        # generated concern, with the login redirect generated through
+        # main_app (engine-safe).
+        unless resume_session
+          session[:return_to_after_authenticating] = request.url
+          return redirect_to main_app.new_session_path if main_app.respond_to?(:new_session_path)
+
+          head :not_found
+          return
+        end
+      end
+
+      # Privacy default: a host where no user resolves gets a plain 404 —
+      # the page's existence never leaks to the unauthenticated.
+      head :not_found unless sessions_current_user
+    end
+
+    def sessions_layout
+      Sessions.config.layout
+    end
+
+    # The optional sudo gate (ASVS 3.3.4's "having re-entered login
+    # credentials"). The host's proc receives the controller; the action
+    # proceeds ONLY when the gate returns truthy without rendering:
+    #
+    #   - render/redirect inside the gate → blocked (your confirm flow owns
+    #     the response)
+    #   - return false/nil → blocked; if the gate rendered nothing, we
+    #     answer 403 so a falsy gate can never fall through to the
+    #     destructive action (a sudo gate fails CLOSED)
+    #   - return truthy → allowed
+    def sessions_reauthenticate!
+      gate = Sessions.config.require_reauthentication
+      return true unless gate
+
+      allowed = gate.call(self)
+      return false if performed?
+
+      head :forbidden unless allowed
+      !!allowed
+    end
+
+    # Every query goes through the OWNER's sessions — you can never touch a
+    # row you don't own, even if the host's mount is misconfigured.
+    def sessions_owner_sessions
+      user = sessions_current_user
+      if user.respond_to?(:sessions)
+        user.sessions
+      else
+        Sessions.session_model.where(user: user)
+      end
+    end
+
+    # The user's slice of the trail INCLUDING failed attempts against their
+    # own identity (failures never link to an account — enumeration safety —
+    # but showing a signed-in user the attempts typed against their own
+    # email is exactly what a security page is for).
+    def sessions_owner_events
+      user = sessions_current_user
+      return user.session_history if user.respond_to?(:session_history)
+
+      # Hosts without has_sessions on the resolved user get the same slice
+      # inline: owned events plus identity-matched failures.
+      scope = Sessions::Event.where(authenticatable: user)
+      identity = Sessions::Event.normalize_identity(user.try(:email_address) || user.try(:email))
+      scope = scope.or(Sessions::Event.where(identity: identity)) if identity
+      scope
+    end
+  end
+end

data/app/controllers/sessions/devices_controller.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Sessions
+  # The "Your devices" page: list, revoke one, sign out everywhere else,
+  # and the login history. Deliberately trivial — if you need custom
+  # controller behavior, render the partials from your own controller
+  # instead (the README's Layer 1).
+  class DevicesController < ApplicationController
+    # Current session always first (and never revocable from this page —
+    # signing out the device you're on is the app's normal logout).
+    def index
+      @sessions = sessions_owner_sessions.by_recency.to_a
+      if (current = @sessions.find { |session| session == sessions_current_session })
+        @sessions.delete(current)
+        @sessions.unshift(current)
+      end
+      @events = sessions_owner_events.recent.limit(10)
+    end
+
+    def history
+      @events = sessions_owner_events.recent.limit(200)
+    end
+
+    def destroy
+      return unless sessions_reauthenticate!
+
+      session_row = sessions_owner_sessions.find(params[:id])
+
+      if session_row.current?(request)
+        redirect_to devices_path, alert: t("sessions.devices.cannot_revoke_current")
+        return
+      end
+
+      session_row.revoke!(reason: :user_revoked, by: sessions_current_user)
+      redirect_to devices_path, notice: t("sessions.devices.revoked"), status: :see_other
+    end
+
+    def others
+      return unless sessions_reauthenticate!
+
+      sessions_current_user.revoke_other_sessions!(
+        current: sessions_current_session,
+        by: sessions_current_user
+      )
+      redirect_to devices_path, notice: t("sessions.devices.revoked_others"), status: :see_other
+    end
+  end
+end

data/app/helpers/sessions/engine_helper.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+module Sessions
+  # View helpers for the devices page (and for the host-renderable
+  # partials).
+  module EngineHelper
+    DEVICE_ICONS = {
+      "desktop" => "🖥",
+      "smartphone" => "📱",
+      "tablet" => "📱",
+      "native_ios" => "📱",
+      "native_android" => "📱",
+      "bot" => "🤖"
+    }.freeze
+
+    # Semantic icon names (Heroicons vocabulary — map them onto whatever
+    # icon helper your app uses) so custom views don't re-derive the
+    # device_type → icon mapping the gem already knows.
+    DEVICE_ICON_NAMES = {
+      "desktop" => "computer-desktop",
+      "smartphone" => "device-phone-mobile",
+      "tablet" => "device-tablet",
+      "native_ios" => "device-phone-mobile",
+      "native_android" => "device-phone-mobile",
+      "bot" => "bug-ant"
+    }.freeze
+
+    EVENT_ICON_NAMES = {
+      "login" => "check-circle",
+      "failed_login" => "x-circle",
+      "logout" => "arrow-right-on-rectangle",
+      "revoked" => "no-symbol",
+      "expired" => "clock"
+    }.freeze
+
+    def sessions_device_icon(session)
+      DEVICE_ICONS.fetch(session.device_type.to_s, "🌐")
+    end
+
+    def sessions_device_icon_name(session)
+      DEVICE_ICON_NAMES.fetch(session.device_type.to_s, "globe-alt")
+    end
+
+    def sessions_event_icon_name(event)
+      EVENT_ICON_NAMES.fetch(event.event.to_s, "information-circle")
+    end
+
+    # "Active now" within the touch window, else "Active 3 minutes ago".
+    def sessions_last_active_in_words(session)
+      # active_now? owns the window (config.touch_every) — the badge can't
+      # honestly claim more freshness than the throttle records.
+      return t("sessions.devices.active_now") if session.respond_to?(:active_now?) && session.active_now?
+
+      time = session.last_active_at
+      return nil unless time
+
+      t("sessions.devices.active_ago", time: time_ago_in_words(time))
+    end
+
+    # The engine's route proxy when it's mounted, nil otherwise — partials
+    # rendered inside a host that didn't mount the engine simply omit the
+    # revoke buttons. The proxy method is named after the mount (`sessions`
+    # by default, or whatever `as:` was given), so it's DISCOVERED from the
+    # host's named routes rather than assumed.
+    def sessions_engine_routes
+      name = Sessions::EngineHelper.engine_mount_name
+      name && respond_to?(name) ? public_send(name) : nil
+    end
+
+    # The name of the route that mounts Sessions::Engine in the host app
+    # ("sessions" for a plain mount, the `as:` value otherwise). Memoized
+    # per-process; in development a changed mount name reloads routes and
+    # to_prepare re-touches this helper file, clearing the memo.
+    def self.engine_mount_name
+      return @engine_mount_name if defined?(@engine_mount_name)
+
+      @engine_mount_name = begin
+        route = Rails.application.routes.routes.find do |candidate|
+          # The mount sits behind a Constraints wrapper; unwrap a bounded
+          # number of times, checking BEFORE each unwrap — Rails::Engine
+          # itself responds to #app (its middleware stack), so an unguarded
+          # `while app.respond_to?(:app)` would walk straight past it.
+          app = candidate.app
+          matched = false
+          3.times do
+            matched = (app == Sessions::Engine)
+            break if matched || !app.respond_to?(:app)
+
+            app = app.app
+          end
+          matched
+        end
+        route&.name
+      rescue StandardError
+        nil
+      end
+    end
+
+    def self.reset_engine_mount_name!
+      remove_instance_variable(:@engine_mount_name) if defined?(@engine_mount_name)
+    end
+
+    # "Signed in May 2, 2026" — localized when the host bundles date
+    # formats (rails-i18n or its own locale files), with a safe fallback so
+    # a bare host never 500s over a missing `date.formats.long`.
+    def sessions_format_date(date)
+      I18n.l(date, format: :long)
+    rescue I18n::MissingTranslationData, I18n::ArgumentError
+      date.strftime("%Y-%m-%d")
+    end
+
+    def sessions_format_time(time)
+      I18n.l(time, format: :short)
+    rescue I18n::MissingTranslationData, I18n::ArgumentError
+      time.strftime("%Y-%m-%d %H:%M")
+    end
+  end
+end
+
+# Expose the helpers to the HOST's views too, so the Layer-1 partials
+# (`render "sessions/devices"`) work outside the engine. Registered at the
+# bottom of this file (not from an engine initializer) so the hook is
+# self-resolving on hosts where ActionView loads early — the engine's
+# to_prepare touches this constant to guarantee the file loads every boot
+# (the moderate/chats-proven pattern).
+ActiveSupport.on_load(:action_view) { include Sessions::EngineHelper }

data/app/views/sessions/_device.html.erb

@@ -0,0 +1,40 @@
+<%# One device row. Locals: session, current_session, routes (engine proxy or nil). %>
+<% current = session == current_session %>
+<li class="sessions-device <%= "sessions-device-current" if current %>">
+  <span class="sessions-device-icon"><%= sessions_device_icon(session) %></span>
+
+  <div class="sessions-device-info">
+    <p class="sessions-device-name">
+      <%= session.device_name %>
+      <%# Auth method as a subtle pill — only when it says something a user
+          cares about (their OAuth provider, a passkey…). "password" is the
+          default and stays silent. %>
+      <% if session.auth_method_label && !session.via_password? %>
+        <span class="sessions-method-pill"><%= session.auth_method_label %></span>
+      <% end %>
+    </p>
+    <p class="sessions-device-meta">
+      <% if session.location %>
+        <span class="sessions-device-location" title="<%= t("sessions.devices.location_approximate") %>">
+          <%= [session.country_flag, session.location].compact.join(" ") %>
+        </span> ·
+      <% end %>
+      <span class="sessions-device-seen"><%= sessions_last_active_in_words(session) %></span>
+      <% if session.created_at %>
+        · <span class="sessions-device-signed-in"><%= t("sessions.devices.signed_in", date: sessions_format_date(session.created_at.to_date)) %></span>
+      <% end %>
+    </p>
+  </div>
+
+  <%# The action slot: the current session's badge sits where other rows
+      show their Log out button — one consistent right-aligned column. %>
+  <% if current %>
+    <span class="sessions-badge"><%= t("sessions.devices.this_device") %></span>
+  <% elsif routes %>
+    <%= button_to t("sessions.devices.log_out"),
+                  routes.device_path(session),
+                  method: :delete,
+                  class: "sessions-button sessions-button-revoke",
+                  form: { data: { turbo_confirm: t("sessions.devices.log_out_confirm") } } %>
+  <% end %>
+</li>

data/app/views/sessions/_devices.html.erb

@@ -0,0 +1,34 @@
+<%# The live device registry — renderable from the engine OR straight from %>
+<%# any host view: render "sessions/devices", user: current_user           %>
+<%# Locals:                                                                 %>
+<%#   sessions:        the rows to render (defaults to user.sessions)       %>
+<%#   user:            whose devices (only needed when sessions: isn't given)%>
+<%#   current_session: the row serving this request (badged, not revocable) %>
+<%
+  current_session = local_assigns[:current_session] || Sessions.current(request)
+  sessions = local_assigns[:sessions] ||
+             local_assigns[:user]&.sessions&.by_recency&.to_a ||
+             []
+  routes = sessions_engine_routes if respond_to?(:sessions_engine_routes)
+%>
+<section class="sessions-devices">
+  <% if sessions.empty? %>
+    <p class="sessions-empty"><%= t("sessions.devices.empty") %></p>
+  <% else %>
+    <ul class="sessions-device-list">
+      <% sessions.each do |session| %>
+        <%= render "sessions/device", session: session, current_session: current_session, routes: routes %>
+      <% end %>
+    </ul>
+
+    <% if routes && sessions.many? %>
+      <div class="sessions-revoke-others">
+        <%= button_to t("sessions.devices.sign_out_others"),
+                      routes.others_devices_path,
+                      method: :delete,
+                      class: "sessions-button sessions-button-secondary",
+                      form: { data: { turbo_confirm: t("sessions.devices.sign_out_others_confirm") } } %>
+      </div>
+    <% end %>
+  <% end %>
+</section>

data/app/views/sessions/_event.html.erb

@@ -0,0 +1,13 @@
+<%# One trail row. Local: event. %>
+<li class="sessions-event sessions-event-<%= event.event %>">
+  <span class="sessions-event-icon">
+    <%= { "login" => "✓", "failed_login" => "✗", "logout" => "→", "revoked" => "⊘", "expired" => "⏱" }.fetch(event.event, "·") %>
+  </span>
+  <span class="sessions-event-label">
+    <%= t("sessions.history.events.#{event.event}", default: event.event.humanize) %><% if event.failure? && event.failure_reason.present? %> <span class="sessions-event-reason">(<%= t("sessions.history.reasons.#{event.failure_reason}", default: event.failure_reason.humanize.downcase) %>)</span><% end %><% if event.event == "revoked" && event.revoked_reason.present? %> <span class="sessions-event-reason">(<%= t("sessions.history.reasons.#{event.revoked_reason}", default: event.revoked_reason.humanize.downcase) %>)</span><% end %>
+  </span>
+  <% device = [event.browser_name, event.app_name].compact.first %>
+  <% if device %> · <span class="sessions-event-device"><%= device %><%= " #{t("sessions.history.on")} #{event.os_name}" if event.os_name %></span><% end %>
+  <% if event.location %> · <span class="sessions-event-location"><%= event.location %></span><% end %>
+  <% if event.occurred_at %> · <time class="sessions-event-time" datetime="<%= event.occurred_at.iso8601 %>"><%= sessions_format_time(event.occurred_at) %></time><% end %>
+</li>

data/app/views/sessions/_history.html.erb

@@ -0,0 +1,20 @@
+<%# The login-activity trail — renderable from any host view too:          %>
+<%#   render "sessions/history", user: current_user, limit: 10              %>
+<%# Locals:                                                                 %>
+<%#   events: the trail rows (defaults to user.session_events.recent)       %>
+<%#   user:   whose history (only needed when events: isn't given)          %>
+<%#   limit:  cap when deriving from user (default 10)                      %>
+<%
+  events = local_assigns[:events] ||
+           local_assigns[:user]&.session_events&.recent&.limit(local_assigns.fetch(:limit, 10)) ||
+           []
+%>
+<% if events.respond_to?(:empty?) && events.empty? %>
+  <p class="sessions-empty"><%= t("sessions.history.empty") %></p>
+<% else %>
+  <ul class="sessions-event-list">
+    <% events.each do |event| %>
+      <%= render "sessions/event", event: event %>
+    <% end %>
+  </ul>
+<% end %>

data/app/views/sessions/devices/history.html.erb

@@ -0,0 +1,5 @@
+<div class="sessions-page">
+  <h1 class="sessions-title"><%= t("sessions.history.title") %></h1>
+  <%= render "sessions/history", events: @events %>
+  <p><%= link_to t("sessions.history.back_to_devices"), devices_path, class: "sessions-history-link" %></p>
+</div>

data/app/views/sessions/devices/index.html.erb

@@ -0,0 +1,15 @@
+<%# The "Your devices" page — the GitHub/Google contract: device label, %>
+<%# approximate location, last active, per-row revoke, sign out everywhere. %>
+<div class="sessions-page">
+  <h1 class="sessions-title"><%= t("sessions.devices.title") %></h1>
+
+  <%= render "sessions/devices", sessions: @sessions, current_session: sessions_current_session %>
+
+  <section class="sessions-history">
+    <header class="sessions-history-header">
+      <h2 class="sessions-subtitle"><%= t("sessions.history.title") %></h2>
+      <%= link_to t("sessions.history.see_all"), history_devices_path, class: "sessions-history-link" %>
+    </header>
+    <%= render "sessions/history", events: @events %>
+  </section>
+</div>

data/config/locales/en.yml

@@ -0,0 +1,59 @@
+en:
+  sessions:
+    devices:
+      title: "Your devices"
+      empty: "No active sessions."
+      this_device: "This device"
+      log_out: "Log out"
+      log_out_confirm: "Log this device out?"
+      sign_out_others: "Sign out of all sessions except this one"
+      sign_out_others_confirm: "You'll stay signed in here, and signed out everywhere else."
+      cannot_revoke_current: "You can't log out the device you're using from here — use your regular sign out."
+      revoked: "Device logged out."
+      revoked_others: "Signed out of all other sessions."
+      location_approximate: "Approximate location, based on IP address"
+      active_now: "Active now"
+      active_ago: "Active %{time} ago"
+      signed_in: "Signed in %{date}"
+      via: "via %{method}"
+    history:
+      title: "Login history"
+      see_all: "See all"
+      back_to_devices: "Back to your devices"
+      empty: "No login activity yet."
+      # Quoted: a bare `on:` is a BOOLEAN key in YAML 1.1.
+      "on": "on"
+      events:
+        login: "Signed in"
+        failed_login: "Failed sign-in attempt"
+        logout: "Signed out"
+        revoked: "Session revoked"
+        expired: "Session expired"
+      reasons:
+        invalid: "wrong credentials"
+        invalid_credentials: "wrong credentials"
+        not_found_in_database: "wrong credentials"
+        rate_limited: "too many attempts"
+        access_denied: "cancelled at provider"
+        authenticity_error: "security check failed"
+        user_revoked: "you logged it out"
+        admin_revoked: "revoked by an administrator"
+        password_change: "password was changed"
+        logout_everywhere: "you signed out everywhere"
+        pruned: "device limit reached"
+        superseded: "replaced by a newer sign-in on this device"
+        expired: "expired"
+        unknown: "session ended"
+    auth_methods:
+      password: "password"
+      oauth: "OAuth"
+      google_one_tap: "Google One Tap"
+      passkey: "passkey"
+      magic_link: "magic link"
+      otp: "one-time code"
+      sso: "SSO"
+      token: "token"
+    device_name:
+      composite: "%{client} on %{platform}"
+      unknown: "Unknown device"
+      bot: "Bot (%{name})"

data/config/locales/es.yml

@@ -0,0 +1,59 @@
+es:
+  sessions:
+    devices:
+      title: "Tus dispositivos"
+      empty: "No hay sesiones activas."
+      this_device: "Este dispositivo"
+      log_out: "Cerrar sesión"
+      log_out_confirm: "¿Cerrar la sesión de este dispositivo?"
+      sign_out_others: "Cerrar todas las sesiones menos esta"
+      sign_out_others_confirm: "Seguirás conectado aquí, y se cerrará la sesión en todos los demás dispositivos."
+      cannot_revoke_current: "No puedes cerrar desde aquí la sesión del dispositivo que estás usando — usa el cierre de sesión normal."
+      revoked: "Sesión cerrada en ese dispositivo."
+      revoked_others: "Sesión cerrada en todos los demás dispositivos."
+      location_approximate: "Ubicación aproximada, según la dirección IP"
+      active_now: "Activo ahora"
+      active_ago: "Activo hace %{time}"
+      signed_in: "Sesión iniciada el %{date}"
+      via: "con %{method}"
+    history:
+      title: "Historial de accesos"
+      see_all: "Ver todo"
+      back_to_devices: "Volver a tus dispositivos"
+      empty: "Aún no hay actividad de acceso."
+      # Entrecomillado: un `on:` a secas es una clave BOOLEANA en YAML 1.1.
+      "on": "en"
+      events:
+        login: "Inicio de sesión"
+        failed_login: "Intento de acceso fallido"
+        logout: "Cierre de sesión"
+        revoked: "Sesión revocada"
+        expired: "Sesión caducada"
+      reasons:
+        invalid: "credenciales incorrectas"
+        invalid_credentials: "credenciales incorrectas"
+        not_found_in_database: "credenciales incorrectas"
+        rate_limited: "demasiados intentos"
+        access_denied: "cancelado en el proveedor"
+        authenticity_error: "falló la comprobación de seguridad"
+        user_revoked: "la cerraste tú"
+        admin_revoked: "revocada por un administrador"
+        password_change: "se cambió la contraseña"
+        logout_everywhere: "cerraste sesión en todas partes"
+        pruned: "límite de dispositivos alcanzado"
+        superseded: "sustituida por un nuevo inicio de sesión en este dispositivo"
+        expired: "caducada"
+        unknown: "sesión finalizada"
+    auth_methods:
+      password: "contraseña"
+      oauth: "OAuth"
+      google_one_tap: "Google One Tap"
+      passkey: "passkey"
+      magic_link: "enlace mágico"
+      otp: "código de un solo uso"
+      sso: "SSO"
+      token: "token"
+    device_name:
+      composite: "%{client} en %{platform}"
+      unknown: "Dispositivo desconocido"
+      bot: "Bot (%{name})"

data/config/routes.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+Sessions::Engine.routes.draw do
+  # `path: ""` keeps URLs short under the host's mount point: with
+  # `mount Sessions::Engine => "/settings/sessions"` the devices page is
+  # /settings/sessions, revoking one is DELETE /settings/sessions/:id,
+  # "sign out everywhere else" is DELETE /settings/sessions/others, and the
+  # full login history is /settings/sessions/history.
+  resources :devices, path: "", only: %i[index destroy] do
+    collection do
+      delete :others
+      get :history
+    end
+  end
+
+  root to: "devices#index"
+end