modrinth · isXander · Feb 8, 2026 · Feb 9, 2026 · Feb 15, 2026 · Feb 20, 2026
diff --git a/...abrinth/.sqlx/query-1adbd24d815107e13bc1440c7a8f4eeff66ab4165a9f4980032e114db4dc1286.json b/...abrinth/.sqlx/query-1adbd24d815107e13bc1440c7a8f4eeff66ab4165a9f4980032e114db4dc1286.json
diff --git a/...50dd3741131965f050840fa75423b5a54f01.json → ...398ba57e653c1a2d896201ccc39b2912cae2.json b/...50dd3741131965f050840fa75423b5a54f01.json → ...398ba57e653c1a2d896201ccc39b2912cae2.json
diff --git a/...abrinth/.sqlx/query-b92b5bb7d179c4fcdbc45600ccfd2402f52fea71e27b08e7926fcc2a9e62c0f3.json b/...abrinth/.sqlx/query-b92b5bb7d179c4fcdbc45600ccfd2402f52fea71e27b08e7926fcc2a9e62c0f3.json
diff --git a/...abrinth/.sqlx/query-cd5ccd618fb3cc41646a6de86f9afedb074492b4ec7f2457c14113f5fd13aa02.json b/...abrinth/.sqlx/query-cd5ccd618fb3cc41646a6de86f9afedb074492b4ec7f2457c14113f5fd13aa02.json
diff --git a/...abrinth/.sqlx/query-cec4240c7c848988b3dfd13e3f8e5c93783c7641b019fdb698a1ec0be1393606.json b/...abrinth/.sqlx/query-cec4240c7c848988b3dfd13e3f8e5c93783c7641b019fdb698a1ec0be1393606.json
diff --git a/apps/labrinth/migrations/20260220124226_remove_session_expiry_defaults.sql b/apps/labrinth/migrations/20260220124226_remove_session_expiry_defaults.sql
@@ -0,0 +1,2 @@
+ALTER TABLE sessions ALTER COLUMN expires DROP DEFAULT;
+ALTER TABLE sessions ALTER COLUMN refresh_expires DROP DEFAULT;
diff --git a/apps/labrinth/src/auth/validate.rs b/apps/labrinth/src/auth/validate.rs
@@ -32,6 +32,7 @@ where
         executor,
         redis,
         session_queue,
+        false,
     )
     .await?
     else {
@@ -61,6 +62,7 @@ where
         executor,
         redis,
         session_queue,
+        false,
     )
     .await?
     .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
@@ -95,12 +97,38 @@ where
     Ok((scopes, User::from_full(db_user)))
 }
 
+pub async fn get_user_from_bearer_token<'a, E>(
+    req: &HttpRequest,
+    token: Option<&str>,
+    executor: E,
+    redis: &RedisPool,
+    session_queue: &AuthQueue,
+    allow_expired: bool,
+) -> Result<(Scopes, User), AuthenticationError>
+where
+    E: crate::database::Executor<'a, Database = sqlx::Postgres> + Copy,
+{
+    let (scopes, db_user) = get_user_record_from_bearer_token(
+        req,
+        token,
+        executor,
+        redis,
+        session_queue,
+        allow_expired,
+    )
+    .await?
+    .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
+
+    Ok((scopes, User::from_full(db_user)))
+}
+
 pub async fn get_user_record_from_bearer_token<'a, 'b, E>(
     req: &HttpRequest,
     token: Option<&str>,
     executor: E,
     redis: &RedisPool,
     session_queue: &AuthQueue,
+    allow_expired: bool,
 ) -> Result<Option<(Scopes, user_item::DBUser)>, AuthenticationError>
 where
     E: crate::database::Executor<'a, Database = sqlx::Postgres> + Copy,
@@ -120,7 +148,7 @@ where
                 .await?
                 .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
 
-            if pat.expires < Utc::now() {
+            if !allow_expired && pat.expires < Utc::now() {
                 return Err(AuthenticationError::InvalidCredentials);
             }
 
@@ -139,7 +167,7 @@ where
                 .await?
                 .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
 
-            if session.expires < Utc::now() {
+            if !allow_expired && session.expires < Utc::now() {
                 return Err(AuthenticationError::InvalidCredentials);
             }
 
@@ -169,7 +197,7 @@ where
                     .await?
                     .ok_or(AuthenticationError::InvalidCredentials)?;
 
-            if access_token.expires < Utc::now() {
+            if !allow_expired && access_token.expires < Utc::now() {
                 return Err(AuthenticationError::InvalidCredentials);
             }
 

diff --git a/apps/labrinth/src/database/models/session_item.rs b/apps/labrinth/src/database/models/session_item.rs
@@ -25,6 +25,11 @@ pub struct SessionBuilder {
 
     pub ip: String,
     pub user_agent: String,
+
+    // When None, database default of 14 days will be used
+    pub expires: Option<DateTime<Utc>>,
+    // When None, database default of 60 days will be used
+    pub session_expires: Option<DateTime<Utc>>,
 }
 
 impl SessionBuilder {
@@ -38,11 +43,13 @@ impl SessionBuilder {
             "
             INSERT INTO sessions (
                 id, session, user_id, os, platform,
-                city, country, ip, user_agent
+                city, country, ip, user_agent,
+                expires, refresh_expires
             )
             VALUES (
                 $1, $2, $3, $4, $5,
-                $6, $7, $8, $9
+                $6, $7, $8, $9,
+                $10, $11
             )
             ",
             id as DBSessionId,
@@ -54,6 +61,10 @@ impl SessionBuilder {
             self.country,
             self.ip,
             self.user_agent,
+            self.expires
+                .unwrap_or_else(|| Utc::now() + chrono::Duration::days(14)),
+            self.session_expires
+                .unwrap_or_else(|| Utc::now() + chrono::Duration::days(60)),
         )
         .execute(&mut *transaction)
         .await?;

diff --git a/apps/labrinth/src/routes/internal/admin.rs b/apps/labrinth/src/routes/internal/admin.rs
@@ -57,6 +57,7 @@ pub async fn count_download(
         &**pool,
         &redis,
         &session_queue,
+        false,
     )
     .await
     .ok()

diff --git a/apps/labrinth/src/routes/internal/flows.rs b/apps/labrinth/src/routes/internal/flows.rs
@@ -1079,6 +1079,7 @@ pub async fn init(
             &**client,
             &redis,
             &session_queue,
+            false,
         )
         .await
         .ok()
@@ -1114,6 +1115,7 @@ pub async fn init(
             &**client,
             &redis,
             &session_queue,
+            false,
         )
         .await?
         .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
@@ -1308,7 +1310,8 @@ pub async fn auth_callback(
             };
 
             let session =
-                issue_session(req, user_id, &mut transaction, &redis).await?;
+                issue_session(req, user_id, &mut transaction, &redis, None)
+                    .await?;
             transaction.commit().await?;
 
             let redirect_url = format!(
@@ -1533,7 +1536,8 @@ pub async fn create_account_with_password(
     .insert(&mut transaction)
     .await?;
 
-    let session = issue_session(req, user_id, &mut transaction, &redis).await?;
+    let session =
+        issue_session(req, user_id, &mut transaction, &redis, None).await?;
     let res = crate::models::sessions::Session::from(session, true, None);
 
     let mailbox: Mailbox = new_account.email.parse().map_err(|_| {
@@ -1627,7 +1631,7 @@ pub async fn login_password(
     } else {
         let mut transaction = pool.begin().await?;
         let session =
-            issue_session(req, user.id, &mut transaction, &redis).await?;
+            issue_session(req, user.id, &mut transaction, &redis, None).await?;
         let res = crate::models::sessions::Session::from(session, true, None);
         transaction.commit().await?;
 
@@ -1757,7 +1761,7 @@ pub async fn login_2fa(
         DBFlow::remove(&login.flow, &redis).await?;
 
         let session =
-            issue_session(req, user_id, &mut transaction, &redis).await?;
+            issue_session(req, user_id, &mut transaction, &redis, None).await?;
         let res = crate::models::sessions::Session::from(session, true, None);
         transaction.commit().await?;
 
@@ -1945,6 +1949,7 @@ pub async fn remove_2fa(
         &**pool,
         &redis,
         &session_queue,
+        false,
     )
     .await?
     .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
@@ -2150,6 +2155,7 @@ pub async fn change_password(
             &**pool,
             &redis,
             &session_queue,
+            false,
         )
         .await?
         .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		ALTER TABLE sessions ALTER COLUMN expires DROP DEFAULT;
		ALTER TABLE sessions ALTER COLUMN refresh_expires DROP DEFAULT;
-Original file line number
+Diff line change
@@ Expand Up / @@ -57,6 +57,7 @@ pub async fn count_download( @@
             &**pool,
             &redis,
             &session_queue,
+            false,
         )
         .await
         .ok()
@@ Expand Down @@