From 77c5335955fdae041867b1f0e5a3f4f9ffe3467b Mon Sep 17 00:00:00 2001
From: saridsa2
Date: Mon, 23 Mar 2026 21:44:56 +0530
Subject: [PATCH] =?UTF-8?q?fix:=20strict=20duplicate=20login=20lockout=20?= =?UTF-8?q?=E2=80=94=20one=20device=20per=20agent?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Block any login attempt when a session exists, regardless of user identity. Same user on second device is blocked until logout or TTL expiry.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/auth/auth.controller.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/auth/auth.controller.ts b/src/auth/auth.controller.ts
index eff3f53..ba5837d 100644
--- a/src/auth/auth.controller.ts
+++ b/src/auth/auth.controller.ts
@@ -127,9 +127,9 @@ export class AuthController {
 throw new HttpException('Agent account not configured. Contact administrator.', 403);
 }
- // Check for duplicate login
+ // Check for duplicate login — strict: one device only
 const existingSession = await this.sessionService.isSessionLocked(agentConfig.ozonetelAgentId);
- if (existingSession && existingSession !== memberId) {
+ if (existingSession) {
 throw new HttpException('You are already logged in on another device. Please log out there first.', 409);
 }
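Review bot: The new `if (existingSession)` is still a check-then-act: `isSessionLocked` is awaited first and the session is presumably created later, outside the hunk, so two concurrent logins for the same `ozonetelAgentId` can both observe no lock and both succeed, which undermines the "strict" lockout the commit describes. The durable fix is to have `sessionService` acquire the lock atomically (a set-if-absent bound to the same TTL) and raise the 409 when acquisition fails, instead of reading in the controller and writing afterwards; if that is out of scope here, add `// NOTE: not atomic with session creation — concurrent logins can both pass this check` above the `const existingSession` line. Separately, dropping the `existingSession !== memberId` comparison means a blocked attempt by a different identity is now indistinguishable from the same user on a second device; logging the blocked attempt with the agent id and both member ids before throwing gives operators a signal for credential sharing or account takeover. The enclosing handler starts and ends outside the hunk.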