perf(webapp): make auto-logout enforcement zero-query on the read path

Move the session deadline from a per-request DB resolution to a
User.nextSessionEnd column written at the rare moments it can change.

Previously enforceSessionExpiry ran inside getUserId on every authenticated
request, doing 2 replica queries (one of which joins OrgMember and sorts
on maxSessionDuration). Remix runs matched layout loaders in parallel, so
a single dashboard navigation produced ~12 replica queries before any
page data was fetched, and resources/fetcher routes paid the same cost.

- commitAuthenticatedSession resolves effective duration once and stamps
  User.nextSessionEnd at every login/MFA/user-setting change.
- Admin org-cap route runs a single bulk UPDATE … LEAST(…) to shorten
  member deadlines without ever extending them.
- requireUser/getUser check now > nextSessionEnd against the User row
  they were already fetching — no per-request DB query added.
- requireUserId reverts to cookie-only (zero DB queries on fetcher routes).
- Migration adds the column as nullable; metadata-only ALTER, no row
  rewrite. Null = no enforced deadline, equivalent to the default 1-year
  duration that matches cookie maxAge — existing sessions need no backfill.
- Removed dead cookie-issuedAt machinery (commitAuthenticatedSessionLazy,
  isSessionExpired, ensureSessionIssuedAt, SESSION_ISSUED_AT_KEY).
- Consolidated branch's .server-changes notes into one file.

Author: matt-aitken

.server-changes/app-auto-session-logout.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: feature
+---
+
+App auto session logout. Users can configure their own session duration; org admins can set a `maxSessionDuration` cap that takes the tightest value across an account's orgs. Sessions exceeding their effective duration are redirected to `/logout` with a HIPAA audit trail emitted to CloudWatch (`event: session.auto_logout`). Enforcement reads `User.nextSessionEnd` — written at login and bulk-updated when admins change the cap — so the auth path adds no per-request DB queries.

apps/webapp/app/root.tsx

@@ -15,8 +15,6 @@ import { env } from "./env.server";
 import { featuresForRequest } from "./features.server";
 import { usePostHog } from "./hooks/usePostHog";
 import { getUser } from "./services/session.server";
-import { commitAuthenticatedSessionLazy } from "./services/sessionDuration.server";
-import { getUserSession } from "./services/sessionStorage.server";
 import { getTimezonePreference } from "./services/preferences/uiPreferences.server";
 import { appEnvTitleTag } from "./utils";
 
@@ -65,15 +63,6 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
   const headers = new Headers();
   headers.append("Set-Cookie", await commitSession(session));
 
-  // Lazy-backfill the auth session's `issuedAt` for cookies issued before this
-  // feature shipped. Returns null (and does not commit) once issuedAt is set,
-  // so the cookie isn't re-written on every page load.
-  if (user) {
-    const authSession = await getUserSession(request);
-    const lazyCookie = await commitAuthenticatedSessionLazy(authSession);
-    if (lazyCookie) headers.append("Set-Cookie", lazyCookie);
-  }
-
   return typedjson(
     {
       user,

apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.session-duration.ts

@@ -50,5 +50,21 @@ export async function action({ request, params }: ActionFunctionArgs) {
     select: { id: true, slug: true, maxSessionDuration: true },
   });
 
+  // Propagate the new cap to currently-logged-in members by shortening their
+  // `nextSessionEnd`. We only ever shorten (`LEAST`): raising or removing the
+  // cap leaves existing sessions alone — the larger window applies on next
+  // login. If a member is in another org with a tighter cap that other cap
+  // remains in effect via their existing `nextSessionEnd` (LEAST keeps it).
+  if (body.maxSessionDuration !== null) {
+    await prisma.$executeRaw`
+      UPDATE "User"
+      SET "nextSessionEnd" = LEAST(
+        COALESCE("nextSessionEnd", 'infinity'::timestamp),
+        NOW() + (LEAST("sessionDuration", ${body.maxSessionDuration}) * INTERVAL '1 second')
+      )
+      WHERE "id" IN (SELECT "userId" FROM "OrgMember" WHERE "organizationId" = ${organizationId})
+    `;
+  }
+
   return json({ success: true, organization });
 }

apps/webapp/app/routes/auth.github.callback.tsx

@@ -53,7 +53,7 @@ export let loader: LoaderFunction = async ({ request }) => {
   session.set(authenticator.sessionKey, auth);
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitAuthenticatedSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, auth.userId));
   headers.append("Set-Cookie", await setLastAuthMethodHeader("github"));
 
   await trackAndClearReferralSource(request, auth.userId, headers);

apps/webapp/app/routes/auth.google.callback.tsx

@@ -53,7 +53,7 @@ export let loader: LoaderFunction = async ({ request }) => {
   session.set(authenticator.sessionKey, auth);
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitAuthenticatedSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, auth.userId));
   headers.append("Set-Cookie", await setLastAuthMethodHeader("google"));
 
   await trackAndClearReferralSource(request, auth.userId, headers);

apps/webapp/app/routes/login.mfa/route.tsx

@@ -163,7 +163,7 @@ async function completeLogin(request: Request, session: Session, userId: string)
   session.unset("pending-mfa-redirect-to");
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitAuthenticatedSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, userId));
 
   await trackAndClearReferralSource(request, userId, headers);
 

apps/webapp/app/routes/magic.tsx

@@ -56,7 +56,7 @@ export async function loader({ request }: LoaderFunctionArgs) {
   session.set(authenticator.sessionKey, auth);
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitAuthenticatedSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, auth.userId));
   headers.append("Set-Cookie", await setLastAuthMethodHeader("email"));
 
   await trackAndClearReferralSource(request, auth.userId, headers);

apps/webapp/app/routes/resources.account.session-duration/route.tsx

@@ -61,9 +61,10 @@ export async function action({ request }: ActionFunctionArgs) {
   });
 
   // Re-issue the cookie with the new maxAge and reset issuedAt so the user
-  // gets a fresh window matching their new selection right away.
+  // gets a fresh window matching their new selection right away. This also
+  // restamps `User.nextSessionEnd` against the new effective duration.
   const authSession = await getUserSession(request);
-  const authCookie = await commitAuthenticatedSession(authSession);
+  const authCookie = await commitAuthenticatedSession(authSession, userId);
 
   const messageSession = await getMessageSession(request.headers.get("cookie"));
   setSuccessMessage(messageSession, "Session duration updated.");

apps/webapp/app/services/session.server.ts

@@ -1,98 +1,93 @@
 import { redirect } from "@remix-run/node";
-import { $replica } from "~/db.server";
 import { getUserById } from "~/models/user.server";
 import { sanitizeRedirectPath } from "~/utils";
 import { extractClientIp } from "~/utils/extractClientIp.server";
 import { authenticator } from "./auth.server";
 import { getImpersonationId } from "./impersonation.server";
 import { logger } from "./logger.server";
-import {
-  getEffectiveSessionDuration,
-  getSessionIssuedAt,
-  isSessionExpired,
-} from "./sessionDuration.server";
-import { getUserSession } from "./sessionStorage.server";
 
 /**
- * Enforces the user's effective session duration (User.sessionDuration capped
- * by the most restrictive Organization.maxSessionDuration). If the session was
- * issued longer ago than the cap allows, throws a redirect to `/logout` and
- * emits a HIPAA audit log. `userId` is always the *session owner's* id (i.e.
- * the real authenticated user), not an impersonated one — because the cap
- * belongs to the cookie, not the impersonation target.
+ * Logs the user out when their session has lived past `User.nextSessionEnd`.
+ *
+ * The deadline is written at login (and any time the effective duration is
+ * recomputed — see `commitAuthenticatedSession`) and shortened in bulk when
+ * an admin lowers an org cap (see the admin `session-duration` route).
+ * Reading here is a free piggyback on the User row that `requireUser`/
+ * `getUser` already fetches — there is no per-request DB query added by this
+ * check. `requireUserId`/`getUserId` deliberately do NOT enforce: enforcement
+ * happens at the next page navigation (root.tsx loader calls `getUser`),
+ * which matches HIPAA auto-logoff semantics — terminate sessions at the
+ * navigation boundary, not on every polling fetch.
+ *
+ * `nextSessionEnd === null` means "no enforced deadline" — applies to legacy
+ * sessions from before this feature shipped. The default `User.sessionDuration`
+ * is 1 year (matching the cookie's `Max-Age`), so a null deadline is
+ * functionally identical to "natural cookie expiry" for users with default
+ * settings. Every path that produces a sub-default effective duration —
+ * fresh login, user setting change, admin cap change — also writes
+ * `nextSessionEnd`, so there is no realistic state where an unenforced null
+ * masks a tighter cap.
  */
-async function enforceSessionExpiry(
+function maybeAutoLogout(
   request: Request,
-  userId: string,
+  user: { id: string; nextSessionEnd: Date | null },
   impersonatedUserId: string | null = null
-): Promise<void> {
-  const session = await getUserSession(request);
-  // Hot path: every authenticated request runs this. Read from the replica
-  // when one is configured (falls back to primary). Stale-by-replica-lag is
-  // acceptable here because the worst case is a session living a few seconds
-  // past its cap on the very first request after a cap change.
-  const { durationSeconds, orgCapSeconds, cappingOrgId, userSettingSeconds } =
-    await getEffectiveSessionDuration(userId, $replica);
-  if (!isSessionExpired(session, durationSeconds)) return;
+): void {
+  if (user.nextSessionEnd === null) return;
+  if (Date.now() <= user.nextSessionEnd.getTime()) return;
 
-  const issuedAt = getSessionIssuedAt(session);
   // HIPAA audit trail: structured log lands in CloudWatch via stdout. Use
   // the stable `event` field to filter/aggregate auto-logout events.
   // `sourceIp` uses ALB's appended (last) X-Forwarded-For element, not the
   // first one, since the leading element is client-supplied and spoofable.
   logger.info("Auto-logout: session exceeded effective duration", {
     event: "session.auto_logout",
-    userId,
+    userId: user.id,
     impersonatedUserId,
-    cappingOrgId,
-    effectiveDurationSeconds: durationSeconds,
-    userSettingSeconds,
-    orgCapSeconds,
-    sessionAgeMs: issuedAt === null ? null : Date.now() - issuedAt,
+    nextSessionEnd: user.nextSessionEnd.toISOString(),
     requestPath: new URL(request.url).pathname,
     sourceIp: extractClientIp(request.headers.get("x-forwarded-for")),
   });
   throw redirect("/logout");
 }
 
 export async function getUserId(request: Request): Promise<string | undefined> {
+  // Cookie-only fast path: zero DB queries. Impersonation admin-verification
+  // and auto-logout enforcement happen in `getUser`/`requireUser`, where we
+  // already pay for a User row fetch.
   const impersonatedUserId = await getImpersonationId(request);
-
-  if (impersonatedUserId) {
-    // Verify the real user (from the session cookie) is still an admin
-    const authUser = await authenticator.isAuthenticated(request);
-    if (authUser?.userId) {
-      const realUser = await getUserById(authUser.userId);
-      if (realUser?.admin) {
-        // Enforce expiry against the admin's own session — impersonation must
-        // not be a way to bypass the admin's effective duration cap.
-        await enforceSessionExpiry(request, authUser.userId, impersonatedUserId);
-        return impersonatedUserId;
-      }
-    }
-    // Admin revoked or session invalid — fall through to return the real
-    // user's ID. Same enforcement as the regular auth path below.
-    if (authUser?.userId) {
-      await enforceSessionExpiry(request, authUser.userId);
-    }
-    return authUser?.userId;
-  }
+  if (impersonatedUserId) return impersonatedUserId;
 
   const authUser = await authenticator.isAuthenticated(request);
-  if (!authUser?.userId) return undefined;
-
-  await enforceSessionExpiry(request, authUser.userId);
-  return authUser.userId;
+  return authUser?.userId;
 }
 
 export async function getUser(request: Request) {
-  const userId = await getUserId(request);
-  if (userId === undefined) return null;
+  const impersonatedUserId = await getImpersonationId(request);
+  const authUser = await authenticator.isAuthenticated(request);
 
-  const user = await getUserById(userId);
-  if (user) return user;
+  if (impersonatedUserId && authUser?.userId) {
+    // Impersonating: verify the real user is still an admin and enforce the
+    // *admin's* deadline (the cap belongs to the cookie, not the
+    // impersonation target). If the admin is no longer admin, fall back to
+    // operating as the admin themselves — same defense-in-depth as before.
+    const realUser = await getUserById(authUser.userId);
+    if (!realUser) throw await logout(request);
+    if (realUser.admin) {
+      maybeAutoLogout(request, realUser, impersonatedUserId);
+      const target = await getUserById(impersonatedUserId);
+      if (!target) throw await logout(request);
+      return target;
+    }
+    maybeAutoLogout(request, realUser);
+    return realUser;
+  }
 
-  throw await logout(request);
+  if (!authUser?.userId) return null;
+  const user = await getUserById(authUser.userId);
+  if (!user) throw await logout(request);
+  maybeAutoLogout(request, user);
+  return user;
 }
 
 export async function requireUserId(request: Request, redirectTo?: string) {
@@ -112,28 +107,29 @@ export async function requireUserId(request: Request, redirectTo?: string) {
 export type UserFromSession = Awaited<ReturnType<typeof requireUser>>;
 
 export async function requireUser(request: Request) {
-  const userId = await requireUserId(request);
-
-  const impersonationId = await getImpersonationId(request);
-  const user = await getUserById(userId);
-  if (user) {
-    return {
-      id: user.id,
-      email: user.email,
-      name: user.name,
-      displayName: user.displayName,
-      avatarUrl: user.avatarUrl,
-      admin: user.admin,
-      createdAt: user.createdAt,
-      updatedAt: user.updatedAt,
-      dashboardPreferences: user.dashboardPreferences,
-      confirmedBasicDetails: user.confirmedBasicDetails,
-      mfaEnabledAt: user.mfaEnabledAt,
-      isImpersonating: !!impersonationId && impersonationId === userId,
-    };
+  const user = await getUser(request);
+  if (!user) {
+    const url = new URL(request.url);
+    const finalRedirectTo = sanitizeRedirectPath(`${url.pathname}${url.search}`);
+    const searchParams = new URLSearchParams([["redirectTo", finalRedirectTo]]);
+    throw redirect(`/login?${searchParams}`);
   }
 
-  throw await logout(request);
+  const impersonationId = await getImpersonationId(request);
+  return {
+    id: user.id,
+    email: user.email,
+    name: user.name,
+    displayName: user.displayName,
+    avatarUrl: user.avatarUrl,
+    admin: user.admin,
+    createdAt: user.createdAt,
+    updatedAt: user.updatedAt,
+    dashboardPreferences: user.dashboardPreferences,
+    confirmedBasicDetails: user.confirmedBasicDetails,
+    mfaEnabledAt: user.mfaEnabledAt,
+    isImpersonating: !!impersonationId && impersonationId === user.id,
+  };
 }
 
 export async function logout(request: Request) {