feat(auth): Session model + remember-me

Replace the single `user.refreshToken` column with a proper Session
table so users can have multiple concurrent sessions (phone, laptop,
etc.), each with their own refresh token, expiry, label, and
remember-me flag.

- Add Session model (id, userId, tokenHash, label, userAgent,
  ipAddress, rememberMe, lastUsedAt, expiresAt).
- Drop `User.refreshToken` and `User.refreshTokenExpiresAt`.
- authService: new createSession/validateSession/rotateSession/
  revokeSession/listUserSessions helpers; remove refresh-token-on-user
  functions.
- sessionCookies helper now issues a session_id cookie alongside
  access_token and refresh_token; rotateSessionCookies keeps the same
  session id on refresh.
- Login form adds a "Keep me signed in for 30 days" checkbox;
  TTL is 7d by default, 30d with remember-me.
- User-Agent parsed into a friendly label ("Chrome on Windows") for
  the upcoming sessions page.
- hooks.server.ts, refresh endpoint, logout, register, oauth callback,
  and onboarding all switched to the new session API.
@@ -105,6 +105,16 @@
|
||||
{/if}
|
||||
</div>
|
||||
|
||||
<label class="flex items-center gap-2 text-sm text-muted-foreground">
|
||||
<input
|
||||
type="checkbox"
|
||||
name="rememberMe"
|
||||
bind:checked={$form.rememberMe}
|
||||
class="h-4 w-4 rounded border-input text-primary focus:ring-2 focus:ring-ring/30"
|
||||
/>
|
||||
<span>Keep me signed in for 30 days</span>
|
||||
</label>
|
||||
|
||||
<button
|
||||
type="submit"
|
||||
disabled={$submitting}
|
||||
|
||||
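Review bot: The added `name="rememberMe"` checkbox submits no field at all when it is left unchecked, so the server-side form schema and login action (not shown in this hunk) should default the value to false, coerce it to a strict boolean, and choose the session TTL from that boolean alone rather than from any other client-supplied value. Make sure `$form.rememberMe` also initialises to false so the longer-lived session stays opt-in on shared devices. The label text `Keep me signed in for 30 days` hardcodes a duration that is enforced elsewhere; consider rendering it from the same constant that sets the remember-me TTL so the text shown to the user cannot drift from the actual expiry.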