Refactor sessions to frequently rotate

In order to minimise the window of opportunity to steal a session,
automatically rotate it onto a new session on a frequent basis.  This
makes a session cookie older than the automatic rollover time less
likely to grant access and more likely to be detected.

Should a stolen session cookie get rotated while the attacker is using
it, the user will be notificed that their session has been taken the
next time they open the app if the user re-visits the website before the
session is discarded.

server/database.ts

@@ -7,15 +7,14 @@ import type { ApiSchedule, ApiSubscription, ApiUserType } from "~/shared/types/a
 import type { Id } from "~/shared/types/common";
 
 export interface ServerSession {
-	id: number,
-	account: ServerUser,
+	id: Id,
+	access: ApiUserType,
+	accountId?: number,
+	expiresAtMs: number,
+	discardAtMs: number,
+	successor?: Id,
 };
 
-interface StoredSession {
-	id: number,
-	accountId: number,
-}
-
 export interface ServerUser {
 	id: Id,
 	updatedAt: string,
@@ -131,26 +130,9 @@ export async function nextSessionId() {
 }
 
 export async function readSessions() {
-	const users = await readUsers();
-	const sessions: ServerSession[] = [];
-	for (const stored of await readJson<StoredSession[]>(sessionsPath, [])) {
-		const user = users.find(user => user.id === stored.accountId);
-		if (user) {
-			sessions.push({
-				id: stored.id,
-				account: user,
-			});
-		}
-	}
-	return sessions;
+	return readJson<ServerSession[]>(sessionsPath, [])
 }
 
 export async function writeSessions(sessions: ServerSession[]) {
-	const stored: StoredSession[] = sessions.map(
-		session => ({
-			id: session.id,
-			accountId: session.account.id,
-		}),
-	);
-	await writeFile(sessionsPath, JSON.stringify(stored, undefined, "\t") + "\n", "utf-8");
+	await writeFile(sessionsPath, JSON.stringify(sessions, undefined, "\t") + "\n", "utf-8");
 }