Refactor sessions to frequently rotate

In order to minimise the window of opportunity to steal a session,
automatically rotate it onto a new session on a frequent basis.  This
makes a session cookie older than the automatic rollover time less
likely to grant access and more likely to be detected.

Should a stolen session cookie get rotated while the attacker is using
it, the user will be notificed that their session has been taken the
next time they open the app if the user re-visits the website before the
session is discarded.

server/api/auth/account.delete.ts

@@ -9,20 +9,20 @@ import {
 import { broadcastEvent, cancelAccountStreams } from "~/server/streams";
 
 export default defineEventHandler(async (event) => {
-	const serverSession = await requireServerSession(event);
+	const serverSession = await requireServerSessionWithUser(event);
 	let users = await readUsers();
 
 	// Remove sessions for this user
 	const removedSessionIds = new Set<number>();
 	let sessions = await readSessions();
 	sessions = sessions.filter(session => {
-		if (session.account.id === serverSession.account.id) {
+		if (session.accountId === serverSession.accountId) {
 			removedSessionIds.add(session.id);
 			return false;
 		}
 		return true;
 	});
-	cancelAccountStreams(serverSession.account.id);
+	cancelAccountStreams(serverSession.accountId);
 	await writeSessions(sessions);
 	await deleteCookie(event, "session");
 
@@ -34,7 +34,7 @@ export default defineEventHandler(async (event) => {
 	await writeSubscriptions(subscriptions);
 
 	// Remove the user
-	const account = users.find(user => user.id === serverSession.account.id)!;
+	const account = users.find(user => user.id === serverSession.accountId)!;
 	const now = new Date().toISOString();
 	account.deleted = true;
 	account.updatedAt = now;