feat: implement session expiry extension and 401 recovery

src/data/sessions.rs

@@ -7,6 +7,9 @@ use sqlx::PgPool;
 use super::models::UserSession;
 use crate::error::Result;
 
+/// Session lifetime: 7 days (in seconds).
+pub const SESSION_DURATION_SECS: u64 = 7 * 24 * 3600;
+
 /// Generate a cryptographically random 32-byte hex token.
 fn generate_token() -> String {
     let bytes: [u8; 32] = rand::rng().random();
@@ -48,13 +51,21 @@ pub async fn get_session(pool: &PgPool, token: &str) -> Result<Option<UserSessio
     .context("failed to get session")
 }
 
-/// Update the last-active timestamp for a session.
+/// Update the last-active timestamp and extend session expiry (sliding window).
 pub async fn touch_session(pool: &PgPool, token: &str) -> Result<()> {
-    sqlx::query("UPDATE user_sessions SET last_active_at = now() WHERE id = $1")
-        .bind(token)
-        .execute(pool)
-        .await
-        .context("failed to touch session")?;
+    sqlx::query(
+        r#"
+        UPDATE user_sessions
+        SET last_active_at = now(),
+            expires_at = now() + make_interval(secs => $2::double precision)
+        WHERE id = $1
+        "#,
+    )
+    .bind(token)
+    .bind(SESSION_DURATION_SECS as f64)
+    .execute(pool)
+    .await
+    .context("failed to touch session")?;
     Ok(())
 }
 
@@ -80,7 +91,6 @@ pub async fn delete_user_sessions(pool: &PgPool, user_id: i64) -> Result<u64> {
 }
 
 /// Delete all expired sessions. Returns the number of sessions cleaned up.
-#[allow(dead_code)] // Called by SessionCache::cleanup_expired (not yet wired to periodic task)
 pub async fn cleanup_expired(pool: &PgPool) -> Result<u64> {
     let result = sqlx::query("DELETE FROM user_sessions WHERE expires_at <= now()")
         .execute(pool)

src/services/web.rs

@@ -51,6 +51,33 @@ impl WebService {
             }
         }
     }
+
+    /// Periodically cleans up expired sessions from the database and in-memory cache.
+    async fn session_cleanup_loop(state: AppState, mut shutdown_rx: broadcast::Receiver<()>) {
+        use std::time::Duration;
+        // Run every hour
+        let mut interval = tokio::time::interval(Duration::from_secs(3600));
+
+        loop {
+            tokio::select! {
+                _ = interval.tick() => {
+                    match state.session_cache.cleanup_expired().await {
+                        Ok(deleted) => {
+                            if deleted > 0 {
+                                info!(deleted, "cleaned up expired sessions");
+                            }
+                        }
+                        Err(e) => {
+                            warn!(error = %e, "session cleanup failed");
+                        }
+                    }
+                }
+                _ = shutdown_rx.recv() => {
+                    break;
+                }
+            }
+        }
+    }
 }
 
 #[async_trait::async_trait]
@@ -87,6 +114,13 @@ impl Service for WebService {
             Self::db_health_check_loop(health_state, health_shutdown_rx).await;
         });
 
+        // Spawn session cleanup task
+        let cleanup_state = self.app_state.clone();
+        let cleanup_shutdown_rx = shutdown_tx.subscribe();
+        tokio::spawn(async move {
+            Self::session_cleanup_loop(cleanup_state, cleanup_shutdown_rx).await;
+        });
+
         // Use axum's graceful shutdown with the internal shutdown signal
         axum::serve(listener, app)
             .with_graceful_shutdown(async move {

src/web/auth.rs

@@ -235,7 +235,7 @@ pub async fn auth_callback(
     let session = crate::data::sessions::create_session(
         &state.db_pool,
         discord_id,
-        Duration::from_secs(7 * 24 * 3600),
+        Duration::from_secs(crate::data::sessions::SESSION_DURATION_SECS),
     )
     .await
     .map_err(|e| {
@@ -248,7 +248,11 @@ pub async fn auth_callback(
 
     // 6. Build response with session cookie
     let secure = redirect_uri.starts_with("https://");
-    let cookie = session_cookie(&session.id, 604800, secure);
+    let cookie = session_cookie(
+        &session.id,
+        crate::data::sessions::SESSION_DURATION_SECS as i64,
+        secure,
+    );
 
     let redirect_to = if user.is_admin { "/admin" } else { "/" };
 

src/web/schedule_cache.rs

@@ -9,8 +9,8 @@
 use chrono::NaiveDate;
 use serde_json::Value;
 use sqlx::PgPool;
-use std::sync::atomic::{AtomicBool, Ordering};
 use std::sync::Arc;
+use std::sync::atomic::{AtomicBool, Ordering};
 use tokio::sync::watch;
 use tracing::{debug, error, info};
 
@@ -141,11 +141,10 @@ struct ScheduleRow {
 async fn load_snapshot(pool: &PgPool) -> anyhow::Result<ScheduleSnapshot> {
     let start = std::time::Instant::now();
 
-    let rows: Vec<ScheduleRow> = sqlx::query_as(
-        "SELECT subject, enrollment, meeting_times FROM courses",
-    )
-    .fetch_all(pool)
-    .await?;
+    let rows: Vec<ScheduleRow> =
+        sqlx::query_as("SELECT subject, enrollment, meeting_times FROM courses")
+            .fetch_all(pool)
+            .await?;
 
     let courses: Vec<CachedCourse> = rows
         .into_iter()

src/web/session_cache.rs

@@ -108,7 +108,6 @@ impl SessionCache {
     /// Delete expired sessions from the database and sweep the in-memory cache.
     ///
     /// Returns the number of sessions deleted from the database.
-    #[allow(dead_code)] // Intended for periodic cleanup task (not yet wired)
     pub async fn cleanup_expired(&self) -> anyhow::Result<u64> {
         let deleted = crate::data::sessions::cleanup_expired(&self.db_pool).await?;
 

src/web/timeline.rs

@@ -233,9 +233,8 @@ pub(crate) async fn timeline(
                     s.active_during(local_date, wday_bit, slot_start_minutes, slot_end_minutes)
                 });
                 if active {
-                    *subject_totals
-                        .entry(course.subject.clone())
-                        .or_default() += course.enrollment as i64;
+                    *subject_totals.entry(course.subject.clone()).or_default() +=
+                        course.enrollment as i64;
                 }
             }