feat: add sliding session timeout with idle and absolute caps

gatehouse_app/services/auth_service.py

@@ -140,18 +140,26 @@ class AuthService:
         return user
 
     @staticmethod
-    def create_session(user, duration_seconds=86400, is_compliance_only=False):
+    def create_session(user, duration_seconds=None, is_compliance_only=False):
         """
         Create a new session for the user.
 
         Args:
             user: User instance
-            duration_seconds: Session duration in seconds
+            duration_seconds: Session idle timeout in seconds.
+                When None, defaults to SESSION_IDLE_TIMEOUT from config.
+                The absolute lifetime is always enforced by Session.is_active()
+                regardless of this value.
             is_compliance_only: Whether this is a compliance-only session (limited access)
 
         Returns:
             Session instance
         """
+        from flask import current_app
+
+        if duration_seconds is None:
+            duration_seconds = current_app.config.get("SESSION_IDLE_TIMEOUT", 900)
+
         # Generate session token
         token = secrets.token_urlsafe(32)
 

gatehouse_app/services/external_auth/linking.py

@@ -263,7 +263,7 @@ def authenticate_with_provider(
     state_record.mark_used()
 
     from gatehouse_app.services.auth_service import AuthService
-    session = AuthService.create_session(user=user, organization_id=organization_id)
+    session = AuthService.create_session(user=user)
 
     AuditService.log_external_auth_login(
         user_id=user.id,

gatehouse_app/services/session_service.py

@@ -10,10 +10,10 @@ class SessionService:
     @staticmethod
     def get_active_session_by_token(token):
         """Get active session by token.
-        
+
         Args:
             token: The session token string
-            
+
         Returns:
             Session object if found and active, None otherwise
         """
@@ -23,6 +23,8 @@ class SessionService:
             token=token,
             status=SessionStatus.ACTIVE,
             deleted_at=None
+        ).filter(
+            Session.expires_at > datetime.now(timezone.utc)
         ).first()
 
     @staticmethod

gatehouse_app/services/superadmin_auth_service.py

@@ -138,7 +138,7 @@ class SuperadminAuthService:
             Dictionary with emergency session info
         """
         from gatehouse_app.models.user.user import User
-        from gatehouse_app.services.session_service import SessionService
+        from gatehouse_app.services.auth_service import AuthService
         from gatehouse_app.services.audit_service import AuditService
         
         # Verify target user exists
@@ -147,7 +147,7 @@ class SuperadminAuthService:
             raise ValueError(f"Target user not found: {target_user_id}")
         
         # Create emergency session for the target user
-        emergency_session = SessionService.create_session(
+        emergency_session = AuthService.create_session(
             user=target_user,
             duration_seconds=duration_minutes * 60,
             is_compliance_only=False