I don't think we should be deactivating / updating records in a boolean method like this. It should just be returning true / false without any side effects.

The purpose of allow_limitable_authentication? is to:

1. If session_traceable module is not included then it will always be true.
2. If didn't matched to 1 and number of sessions is still within the allowable number of session then it will allow authentication.
3. If didn't matched to 2 and will only reject authentication on limit then it will try to remove any expired session to accomodate new authentication using deactivate_timeout_sessions!.
4. If didn't matched to 3 (which reject authentication is disabled) then it will expire the oldest session regardless if its already expired.
5. If didn't matched to 4 then disallow authentication.

Steps 3-5 don't feel like they belong in this method - boolean methods should only be returning true / false based on whatever logic you're adding. Steps 1-2 seem fine and what this method should be used for.

Having a little trouble following here - what is the return of session_traceable_adapter and what are you doing with find_all?

session_traceable_adapter will always be the session_history_class ORM compatible on session_traceable module. It will count the number of active sessions to check whether it is already on its maximum allowable number of sessions.

Unclear to me why we can't just use SessionHistory.

Should indicate the allow_limitable_authentication? part as well.

Thoughts on making these update / expire methods bang methods?

Can you elaborate on why you added this? It adds a lot of complexity and I'm not sure what benefit it gives.

Seems like you should have a presence check like you have for expire_session_token.

Reading through this again, this feels separate from the SessionTraceable module you're adding.

If this is the case, it feels like it would be better as a separate PR.

If this is not the case, please let me know.

This changes will allow to maintain the original logic of session_limitable which only allow 1 session at a time when session_traceable module but when session_traceable is added then it add flexibility on session limitable to customize maximum sessions per user and allowing session to expire. On scenarios that a user already hit the limit then its either reject authentication or expire the oldest session.

Given that this is supposed to be a history record, it seems like it would be more granular to create a new record each time the session was accessed instead of having one record for the session with last_accessed_at being updated.

If we create a session history every time a user is fetch (on warden.authenticate or on devise current_user) then it will create a lot of session histories. Let's say in a single session of a user every time rails controller is hit, a history which likely in a single session it will be thousand of requests.

The main purpose of last_accessed_at is to track when the specific session (which track using token) is being used. The data relationship will always be a user has many sessions and last activity is tracked.

Why do we need to have session_traceable turned on before allowing more than 1 active session?

Unclear to me why we can't just use SessionHistory.

Steps 3-5 don't feel like they belong in this method - boolean methods should only be returning true / false based on whatever logic you're adding. Steps 1-2 seem fine and what this method should be used for.