UMBRA/backend/app/models/session.py

from sqlalchemy import String, Boolean, ForeignKey, func
from sqlalchemy.orm import Mapped, mapped_column
from datetime import datetime
from app.database import Base


class UserSession(Base):
    __tablename__ = "user_sessions"

    # UUID4 hex — avoids integer primary key enumeration
    id: Mapped[str] = mapped_column(String(64), primary_key=True)
    user_id: Mapped[int] = mapped_column(
        ForeignKey("users.id", ondelete="CASCADE"),
        nullable=False,
        index=True,
    )
    created_at: Mapped[datetime] = mapped_column(default=func.now())
    expires_at: Mapped[datetime] = mapped_column(nullable=False)
    revoked: Mapped[bool] = mapped_column(Boolean, default=False)

    # Session lock — persists across page refresh
    is_locked: Mapped[bool] = mapped_column(Boolean, default=False, server_default="false")
    locked_at: Mapped[datetime | None] = mapped_column(nullable=True)

    # Audit fields for security logging
    ip_address: Mapped[str | None] = mapped_column(String(45), nullable=True)
    user_agent: Mapped[str | None] = mapped_column(String(255), nullable=True)