auth/session_queries.ts

Extend session when it has less than this remaining (1 day in ms).

Session lifetime in milliseconds (30 days).

Generate a cryptographically random session token.

Hash a session token to its storage key using blake3.

Create a new auth session.

Delete expired sessions.

Enforce a per-account session limit by evicting the oldest sessions.

Keeps the newest max_sessions sessions and deletes the rest.

Race safety: this function must run inside a transaction alongside the INSERT that created the new session. All callers satisfy this requirement: - POST /login and POST /tokens/create use the default transaction: true (framework-managed transaction wrapping in apply_route_specs) - POST /bootstrap and POST /signup manage their own transactions and pass the transaction-scoped deps to create_session_and_set_cookie

The transaction ensures the INSERT + enforce_limit pair is atomic — concurrent session creation cannot interleave between the two statements.

Get a session if it exists, is not expired, and has not been revoked.

List all active sessions across all accounts with usernames.

List sessions for an account, newest first.

Revoke all sessions for an account.

Revoke (delete) a session by its token hash.

No account_id constraint — caller must ensure the hash comes from a trusted source (e.g. the authenticated session cookie). For user-facing revocation of a specific session by ID, prefer query_session_revoke_for_account which includes an IDOR guard.

Revoke a session only if it belongs to the specified account.

Prevents cross-account session revocation.

Update last_seen_at and optionally extend expiry for a session.

Extends if less than AUTH_SESSION_EXTEND_THRESHOLD_MS remaining.

Touch a session without blocking the caller.

Errors are logged to console — session touching never breaks request flows. Pass pending_effects (from c.var.pending_effects) to register the promise for test flushing.