feat: add routes, lang, tests, stubs, docs, and docker configurations

tests/Feature/System/SessionManagerTest.php

@@ -0,0 +1,106 @@
+<?php
+
+use App\Models\Permission;
+use App\Models\User;
+
+function makeSessionManager(): User
+{
+    $user = User::factory()->create(['is_active' => true]);
+    foreach (['view active sessions', 'manage active sessions'] as $name) {
+        $perm = Permission::firstOrCreate(['name' => $name, 'guard_name' => 'web']);
+        $user->givePermissionTo($perm);
+    }
+
+    return $user;
+}
+
+function makeSessionViewer(): User
+{
+    $user = User::factory()->create(['is_active' => true]);
+    $perm = Permission::firstOrCreate(['name' => 'view active sessions', 'guard_name' => 'web']);
+    $user->givePermissionTo($perm);
+
+    return $user;
+}
+
+// ── Access control ────────────────────────────────────────────────────────────
+
+test('guest cannot access session manager', function () {
+    $this->get('/session-manager')->assertRedirect('/login');
+});
+
+test('user without permission is forbidden from session manager', function () {
+    $user = User::factory()->create();
+
+    $this->actingAs($user)->get('/session-manager')->assertForbidden();
+});
+
+test('user with view permission can access session manager', function () {
+    $user = makeSessionViewer();
+
+    $this->actingAs($user)->get('/session-manager')->assertOk();
+});
+
+test('guest cannot access session stats endpoint', function () {
+    // JSON requests return 401 Unauthorized (not a redirect) for unauthenticated requests
+    $this->getJson('/session-manager/stats')->assertUnauthorized();
+});
+
+test('user with view permission can access session stats', function () {
+    $user = makeSessionViewer();
+
+    $this->actingAs($user)->getJson('/session-manager/stats')
+        ->assertOk()
+        ->assertJsonStructure(['total', 'active']);
+});
+
+// ── Stats structure ────────────────────────────────────────────────────────────
+
+test('stats endpoint returns valid json with total key', function () {
+    $user = makeSessionViewer();
+
+    $this->actingAs($user)
+        ->getJson('/session-manager/stats')
+        ->assertOk()
+        ->assertJsonStructure(['total', 'active']);
+});
+
+// ── Terminate session ─────────────────────────────────────────────────────────
+
+test('user without manage permission cannot terminate a session', function () {
+    $viewer = makeSessionViewer();
+
+    $this->actingAs($viewer)
+        ->deleteJson('/session-manager/some-session-id')
+        ->assertForbidden();
+});
+
+test('manager cannot terminate their own current session', function () {
+    // The controller's destroy() checks: if ($id === session()->getId()) → 403.
+    // We invoke it directly, bypassing HTTP, so the session ID is stable.
+    $manager = makeSessionManager();
+    $this->actingAs($manager);
+
+    $controller = app(\App\Http\Controllers\SystemSettings\SessionManagerController::class);
+    $currentId  = session()->getId();
+
+    $response = $controller->destroy(request(), $currentId);
+
+    expect($response->getStatusCode())->toBe(403);
+    expect(json_decode($response->getContent(), true)['success'])->toBeFalse();
+});
+
+test('manager can terminate a different session id', function () {
+    // With array/redis driver the controller returns success when no row is found to delete.
+    $manager = makeSessionManager();
+
+    $this->actingAs($manager)
+        ->deleteJson('/session-manager/some-other-session-id')
+        ->assertOk()
+        ->assertJsonPath('success', true);
+});
+
+test('guest cannot terminate sessions', function () {
+    // JSON requests return 401 (not a redirect) for unauthenticated requests
+    $this->deleteJson('/session-manager/any-id')->assertUnauthorized();
+});