feat(auth): keep remember tokens on session timeout

- add timeout-specific logout path without remember-token revocation

- reset session timers after remember-me auto login

- compact session policy wording in admin settings (DE/EN)

- extend auth tests for timeout/manual logout behavior
This commit is contained in:
2026-03-09 20:47:21 +01:00
parent 792af5a532
commit af8ee10930
8 changed files with 106 additions and 11 deletions

View File

@@ -268,6 +268,19 @@ class AuthService
]);
}
public function logoutDueToSessionTimeout(): void
{
$actorUserId = (int) ($this->sessionUser()['id'] ?? 0);
$actorTenantId = $this->currentTenantIdFromSession();
$this->sessionStore->remove('session_started_at');
$this->sessionStore->remove('session_last_activity');
Auth::logout();
$this->recordAuthEvent('auth.session.timeout', 'success', [
'actor_user_id' => $actorUserId > 0 ? $actorUserId : null,
'actor_tenant_id' => $actorTenantId > 0 ? $actorTenantId : null,
]);
}
public function logoutAndRedirect(string $target = 'login'): void
{
$this->logout();