Implement plug bumping user session last used and timeout timestamps

lib/plausible_web/plugs/user_session_touch.ex

@@ -0,0 +1,25 @@
+defmodule PlausibleWeb.Plugs.UserSessionTouch do
+  @moduledoc """
+  Plug for bumping timeout on user session on every dashboard request.
+  """
+
+  import Plug.Conn
+
+  alias PlausibleWeb.UserAuth
+
+  def init(opts \\ []) do
+    opts
+  end
+
+  def call(conn, _opts) do
+    if user_session = conn.assigns[:current_user_session] do
+      assign(
+        conn,
+        :current_user_session,
+        UserAuth.touch_user_session(user_session)
+      )
+    else
+      conn
+    end
+  end
+end

lib/plausible_web/router.ex

@@ -13,6 +13,7 @@ defmodule PlausibleWeb.Router do
     on_ee(do: nil, else: plug(PlausibleWeb.FirstLaunchPlug, redirect_to: "/register"))
     plug PlausibleWeb.SessionTimeoutPlug, timeout_after_seconds: @two_weeks_in_seconds
     plug PlausibleWeb.AuthPlug
+    plug PlausibleWeb.Plugs.UserSessionTouch
     plug PlausibleWeb.LastSeenPlug
   end
 

lib/plausible_web/user_auth.ex

@@ -76,6 +76,26 @@ defmodule PlausibleWeb.UserAuth do
     end
   end
 
+  @spec touch_user_session(Auth.UserSession.t()) :: Auth.UserSession.t()
+  def touch_user_session(%{token: nil} = user_session) do
+    # NOTE: Legacy token sessions can't be touched.
+    user_session
+  end
+
+  def touch_user_session(user_session) do
+    %{token: token, timeout_at: timeout_at, last_used_at: last_used_at} =
+      user_session
+      |> Auth.UserSession.touch_session()
+      |> Ecto.Changeset.apply_changes()
+
+    Repo.update_all(
+      from(us in Auth.UserSession, where: us.token == ^token),
+      set: [timeout_at: timeout_at, last_used_at: last_used_at]
+    )
+
+    Repo.reload!(user_session)
+  end
+
   @doc """
   Sets the `logged_in` cookie share with the static site for determining
   whether client is authenticated.