Auth Session
Data Entity
Description
Represents an active authentication session for a user. Stores session metadata, token references, authentication method, device context, and expiry information. Owned by the Authentication Module; consumed by Mobile App and Admin Web Portal.
Data Structure
| Name | Type | Description | Constraints |
|---|---|---|---|
| id | uuid | Primary key | PK, required, unique |
| user_id | uuid | Foreign key to users table | required |
| auth_method | enum | Authentication method used to create this session | required |
| access_token_hash | string | SHA-256 hash of the issued JWT access token. Never stores the raw token. | required, unique |
| refresh_token_id | uuid | Foreign key to refresh_tokens table (one-to-one). Null if session uses short-lived token only. | unique |
| device_identifier | string | Opaque device fingerprint (hashed). Used for session management UI and anomaly detection. | - |
| device_name | string | Human-readable device label shown in Session Management page (e.g. 'iPhone 15 Pro') | - |
| platform | enum | Client platform that created this session | required |
| ip_address | string | IP address at session creation. Stored for audit purposes. | - |
| user_agent | string | HTTP User-Agent string at session creation | - |
| is_active | boolean | Whether the session is currently valid. Set to false on sign-out or forced revocation. | required |
| created_at | datetime | Timestamp when session was created | required |
| expires_at | datetime | Hard expiry of the session. After this point the session cannot be renewed regardless of refresh token state. | required |
| last_active_at | datetime | Timestamp of the last authenticated request. Used by Session Management UI for inactivity display. | required |
| revoked_at | datetime | Timestamp when session was explicitly revoked (admin or user). Null if still active. | - |
| revoked_by | uuid | user_id of the actor who revoked this session. Null if not revoked or self-revoked. | - |
| organization_id | uuid | The organization context active when this session was created. Null for global admins who have no org context. | - |
Database Indexes
| Index | Columns |
|---|---|
| idx_auth_sessions_user_id | user_id |
| idx_auth_sessions_user_active | user_id, is_active |
| idx_auth_sessions_access_token_hash | access_token_hash |
| idx_auth_sessions_expires_at | expires_at |
| idx_auth_sessions_refresh_token_id | refresh_token_id |
Validation Rules
| Rule | Severity | Message |
|---|---|---|
| expires_at_in_future | error | Validation failed |
| access_token_hash_not_empty | error | Validation failed |
| auth_method_enum_valid | error | Validation failed |
| platform_enum_valid | error | Validation failed |
| last_active_at_not_before_created_at | error | Validation failed |
| revoked_at_requires_is_active_false | error | Validation failed |
Business Rules
single_active_session_per_device
A user may not have more than one active session per device_identifier. Creating a new session on an already-registered device implicitly revokes the previous session on that device.
global_admin_no_org_context
Sessions created by Global Admins must have organization_id = null. Sessions for Peer Mentors, Coordinators, and Org Admins must have a non-null organization_id.
admin_forced_revocation_logged
When session-admin-service revokes a session on behalf of an admin, revoked_by must be set to the acting admin's user_id and an audit log entry must be written.
biometric_requires_prior_full_auth
A session with auth_method = 'biometric' may only be created if the user has a prior active session on the same device created via a full auth method (email_password, bankid, vipps, passkey).
expired_sessions_not_refreshable
Any request to refresh tokens on a session where expires_at < now() must be rejected with 401. The session is not implicitly revoked — it simply cannot produce new tokens.
revoked_session_immediately_invalid
Once is_active = false, all subsequent token validations against this session must fail regardless of token expiry. No grace period.
support_access_time_bound
Sessions created for Global Admin support access (organization_id set via support_access_grants) must inherit the grant expiry as their expires_at. Revoking the grant must also revoke these sessions.
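The following is an added example, not code from the Authentication Module, showing how the business rules above combine on the session-creation, token-validation and refresh paths. It models only the columns those rules touch, uses an in-memory store and a fixed clock in place of the auth_sessions table, and leaves org-context and support-grant handling aside.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

FULL_AUTH_METHODS = {"email_password", "bankid", "vipps", "passkey"}
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for the scenario

@dataclass
class AuthSession:  # the subset of the entity's columns these rules touch
    id: str
    user_id: str
    auth_method: str
    access_token_hash: str  # SHA-256 of the JWT; the raw token is never stored
    device_identifier: Optional[str]
    expires_at: datetime
    is_active: bool = True
    revoked_at: Optional[datetime] = None
    revoked_by: Optional[str] = None

def hash_token(raw_token: str) -> str:
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()

class SessionStore:  # in-memory stand-in for the auth_sessions table plus an audit log
    def __init__(self) -> None:
        self.sessions: dict[str, AuthSession] = {}
        self.audit_log: list[dict] = []
    def create(self, sess: AuthSession, now: datetime) -> AuthSession:
        prior = [s for s in self.sessions.values() if s.is_active and s.user_id == sess.user_id
                 and sess.device_identifier is not None and s.device_identifier == sess.device_identifier]
        # biometric_requires_prior_full_auth: an active full-auth session on the same device
        if sess.auth_method == "biometric" and not any(p.auth_method in FULL_AUTH_METHODS for p in prior):
            raise ValueError("biometric session requires a prior full-auth session on this device")
        for p in prior:  # single_active_session_per_device: implicit revocation, no admin actor
            self.revoke(p, now, revoked_by=None)
        self.sessions[sess.id] = sess
        return sess
    def validate(self, raw_token: str, now: datetime) -> Optional[AuthSession]:
        # revoked_session_immediately_invalid: is_active=False fails even if the JWT is unexpired
        s = next((x for x in self.sessions.values() if x.access_token_hash == hash_token(raw_token)), None)
        return s if s is not None and s.is_active and now < s.expires_at else None
    def refresh_status(self, session_id: str, now: datetime) -> int:
        s = self.sessions[session_id]  # expired_sessions_not_refreshable: 401, but the row is untouched
        return 401 if not s.is_active or s.expires_at < now else 200
    def revoke(self, s: AuthSession, now: datetime, revoked_by: Optional[str]) -> None:
        s.is_active, s.revoked_at, s.revoked_by = False, now, revoked_by
        if revoked_by is not None:  # admin_forced_revocation_logged: actor recorded + audit entry
            self.audit_log.append({"session_id": s.id, "revoked_by": revoked_by, "at": now})
```

Note that an implicit per-device revocation leaves revoked_by null and writes no audit entry, while an admin revocation sets both; an expired session is rejected on refresh but its row is left active, exactly as the rules distinguish.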