feat: session deletion #4154

Open

cabaucom376 wants to merge 5 commits into umami-software:dev from cabaucom376:feat/delete-sessions

cabaucom376 commented Apr 13, 2026

Implements a simple button on a session profile to delete the session record and remove its associated data.

closes: #2940

Delete Session Flow

1. Beginning state

2. Trigger delete

3. Confirm deletion

4. Result

vercel Bot commented Apr 13, 2026

@cabaucom376 is attempting to deploy a commit to the Umami Software Team on Vercel.

A member of the Team first needs to authorize it.

greptile-apps Bot commented Apr 13, 2026

Greptile Summary

This PR implements session deletion, adding a DELETE API endpoint backed by a Prisma transaction that cascades through all related tables (SessionReplaySaved, SessionReplay, Revenue, EventData, WebsiteEvent, SessionData, and finally Session), plus a confirmation UI in SessionProfile gated by an allowDelete prop.

All three security concerns raised in previous review rounds have been addressed: the ClickHouse guard now runs after the permission check, the final session.deleteMany includes the websiteId constraint, and a findSession(websiteId, sessionId) ownership check was added before deletion.

Confidence Score: 5/5

Safe to merge — all prior security findings are resolved and no new issues found.

All three previously flagged security issues (ClickHouse guard order, missing websiteId constraint, and missing ownership check) have been corrected. The transaction correctly cascades deletes across every related table in the right order, the route handler enforces auth before any logic, and the UI properly hides the delete button on share pages.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/app/api/websites/[websiteId]/sessions/[sessionId]/route.ts | Adds DELETE handler with correct ordering: auth → permission check → ClickHouse guard → ownership verification via findSession → deletion. All three prior security concerns are resolved. |
| src/queries/prisma/session.ts | New findSession and deleteSession functions; transaction correctly cascades through all related tables (SessionReplaySaved, SessionReplay, Revenue, EventData, WebsiteEvent, SessionData) and final delete uses both id and websiteId constraints. |
| src/app/(main)/websites/[websiteId]/sessions/SessionProfile.tsx | Adds delete UI behind allowDelete prop with a confirmation dialog; uses useDeleteQuery hook and invalidates session cache on success. Clean implementation following existing patterns. |
| src/app/(main)/websites/[websiteId]/sessions/SessionModal.tsx | Passes allowDelete={!isSharePage} to SessionProfile, correctly disabling delete on share pages. |
| src/app/(main)/websites/[websiteId]/sessions/[sessionId]/page.tsx | Adds onDelete callback to redirect back to the sessions list after deletion; straightforward and correct. |
| src/queries/prisma/index.ts | Adds re-export for the new session module. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant UI as SessionProfile
    participant API as Route Handler
    participant DB as Prisma Transaction

    User->>UI: Click trash, confirm dialog
    UI->>API: DELETE request with websiteId + sessionId
    API->>API: parseRequest auth
    API->>API: canDeleteWebsite check
    Note over API: returns 401 if not authorized
    API->>API: CLICKHOUSE_URL check
    Note over API: returns 400 if ClickHouse
    API->>DB: findSession(websiteId, sessionId)
    Note over DB: returns 404 if not found
    API->>DB: deleteSession in transaction
    DB->>DB: delete SessionReplaySaved by visitId
    DB->>DB: delete SessionReplay
    DB->>DB: delete Revenue
    DB->>DB: delete EventData by eventId
    DB->>DB: delete WebsiteEvent
    DB->>DB: delete SessionData
    DB->>DB: delete Session (id + websiteId)
    API-->>UI: 200 OK
    UI->>UI: invalidate cache, close, redirect
```

Reviews (3): Last reviewed commit: "clean"
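The guard order and the websiteId-scoped delete described in the summary above, as an added TypeScript example that is not code from this PR or from Umami. It is an in-memory model: `Db`, `Ctx`, `makeDb` and `handleDelete` are hypothetical names, the signatures given to `canDeleteWebsite`, `findSession` and `deleteSession` are assumptions, the data is constructed, and a single child table stands in for the full cascade.

```typescript
// Added illustration, not project code: in-memory stand-in for the DELETE handler.
type Session = { id: string; websiteId: string };
type Evt = { id: string; sessionId: string; websiteId: string };
type Db = { sessions: Session[]; events: Evt[] };
type Ctx = { user: string | null; owns: Record<string, string[]>; clickhouse: boolean };

// Constructed sample data: two websites (tenants), one session and one event each.
function makeDb(): Db {
  return {
    sessions: [
      { id: "s-a", websiteId: "site-a" },
      { id: "s-b", websiteId: "site-b" },
    ],
    events: [
      { id: "e1", sessionId: "s-a", websiteId: "site-a" },
      { id: "e2", sessionId: "s-b", websiteId: "site-b" },
    ],
  };
}

// Assumed signature: the caller must be logged in and hold rights on this website.
function canDeleteWebsite(ctx: Ctx, websiteId: string): boolean {
  return ctx.user !== null && (ctx.owns[ctx.user] || []).indexOf(websiteId) !== -1;
}

// Ownership lookup: both keys must match, so a foreign sessionId yields nothing.
function findSession(db: Db, websiteId: string, sessionId: string): Session | undefined {
  return db.sessions.filter(s => s.id === sessionId && s.websiteId === websiteId)[0];
}

// Children first, parent last; every filter carries websiteId as well as the id.
function deleteSession(db: Db, websiteId: string, sessionId: string): void {
  db.events = db.events.filter(e => !(e.sessionId === sessionId && e.websiteId === websiteId));
  db.sessions = db.sessions.filter(s => !(s.id === sessionId && s.websiteId === websiteId));
}

// Returns the HTTP status the sequence diagram assigns to each outcome.
function handleDelete(db: Db, ctx: Ctx, websiteId: string, sessionId: string): number {
  if (!canDeleteWebsite(ctx, websiteId)) return 401; // permission check comes first
  if (ctx.clickhouse) return 400; // backend guard runs only after permission
  if (!findSession(db, websiteId, sessionId)) return 404; // session must belong to website
  deleteSession(db, websiteId, sessionId);
  return 200;
}
```

A caller with rights on `site-a` who supplies the id of a `site-b` session gets 404 and no rows change, which is the cross-tenant case the `websiteId` constraint and the `findSession` check close.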

Comment thread src/queries/prisma/session.ts Outdated
Comment thread src/app/api/websites/[websiteId]/sessions/[sessionId]/route.ts
Comment thread src/app/api/websites/[websiteId]/sessions/[sessionId]/route.ts Outdated
@cabaucom376
Author

@greptileai

@cabaucom376
Author

@greptileai

@cabaucom376
Author

@mikecao @franciscao633 what would you guys like to see from this to get it merged?
