feat(auth): add session policy settings + account columns + migration

First commit in the session-expiration-policy series (see docs/plans/2026-05-13-session-expiration-policy.md). No behavior change yet — this lays the schema + settings groundwork only. - Settings: SESSION_IDLE_MINUTES_DEFAULT=4320 (3d), SESSION_ABSOLUTE_MINUTES_DEFAULT=20160 (14d), plus MIN/MAX bounds so account overrides have envelopes (15min..30d idle, 1h..90d absolute). - accounts table: nullable session_idle_minutes and session_absolute_minutes columns (NULL = use system default), plus a CHECK constraint that rejects idle > absolute when both are set. Partial-override validation lives at the app layer because the DB cannot read Settings. Subsequent commits will: distinguish idle vs invalid-token expiry on the wire, embed auth_time/idle_max/abs_max in refresh JWTs, enforce the absolute cap in /auth/refresh, add the owner-only policy + bulk-revoke endpoints, and surface everything in an AccountSecurity settings page with a session-expiry toast. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 15:52:21 -04:00
parent e50a2150d5
commit 92fa3bc6ab
4 changed files with 526 additions and 0 deletions
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -69,6 +69,19 @@ class Settings(BaseSettings):
    ACCESS_TOKEN_EXPIRE_MINUTES: int = 5
    REFRESH_TOKEN_EXPIRE_DAYS: int = 7

+    # Session policy — see docs/plans/2026-05-13-session-expiration-policy.md
+    # Refresh tokens enforce two windows: idle (between rotations) and absolute
+    # (from original login). Defaults can be overridden per-account, bounded by
+    # the MIN/MAX values below. Values are minutes everywhere except inside the
+    # refresh JWT, where idle_max/abs_max are stored as seconds for direct
+    # Unix-time math.
+    SESSION_IDLE_MINUTES_DEFAULT: int = 4320      # 3 days
+    SESSION_ABSOLUTE_MINUTES_DEFAULT: int = 20160  # 14 days
+    SESSION_IDLE_MINUTES_MIN: int = 15
+    SESSION_IDLE_MINUTES_MAX: int = 43200          # 30 days
+    SESSION_ABSOLUTE_MINUTES_MIN: int = 60         # 1 hour
+    SESSION_ABSOLUTE_MINUTES_MAX: int = 129600     # 90 days
+
    # Security
    BCRYPT_ROUNDS: int = 12

--- a/backend/app/models/account.py
+++ b/backend/app/models/account.py
@@ -44,6 +44,12 @@ class Account(Base):
        Integer, nullable=True, default=100, server_default="100"
    )

+    # Session policy override (NULL = use Settings.SESSION_*_MINUTES_DEFAULT).
+    # Validated at the app layer because the DB cannot see Settings; a DB
+    # CHECK constraint covers the both-set case only.
+    session_idle_minutes: Mapped[Optional[int]] = mapped_column(Integer, nullable=True)
+    session_absolute_minutes: Mapped[Optional[int]] = mapped_column(Integer, nullable=True)
+
    # Custom branding (Task 9)
    branding_logo_url: Mapped[Optional[str]] = mapped_column(String(500), nullable=True)
    branding_primary_color: Mapped[Optional[str]] = mapped_column(String(7), nullable=True)  # hex like #06b6d4