FEATURE: Limit the number of active sessions for a user (#8411)

If a user has more than 60 active sessions, the oldest sessions will be terminated automatically. This protects performance when logging in and when loading the list of recently used devices.

app/models/user_auth_token.rb

@@ -8,6 +8,8 @@ class UserAuthToken < ActiveRecord::Base
   # used when token did not arrive at client
   URGENT_ROTATE_TIME = 1.minute
 
+  MAX_SESSION_COUNT = 60
+
   USER_ACTIONS = ['generate']
 
   attr_accessor :unhashed_auth_token
@@ -220,6 +222,14 @@ class UserAuthToken < ActiveRecord::Base
     end
 
   end
+
+  def self.enforce_session_count_limit!(user_id)
+    tokens_to_destroy = where(user_id: user_id).
+      where('rotated_at > ?', SiteSetting.maximum_session_age.hours.ago).
+      order("rotated_at DESC").offset(MAX_SESSION_COUNT)
+
+    tokens_to_destroy.delete_all # Returns the number of deleted rows
+  end
 end
 
 # == Schema Information