34fd388c

By: Michael Lynch <git@mtlynch.io>

Refactor simpleauth for caller-owned sessions

This is a breaking v3 API cleanup that removes simpleauth's built-in
SQLite/jeff session storage and leaves persistence behind caller-provided
interfaces. The previous API forced every application through a SQLite-backed
session manager and stored opaque session bytes, which made the package harder
to use with applications that already own their user tables, databases, caches,
or deployment-specific session lifecycle.

The sessions package now exposes the primitives the library actually needs: a
validated server-side session ID, a stable user ID, a Session record with
creation and expiration timestamps, and a Store interface for create, read, and
delete operations. Manager now owns the browser-facing lifecycle by generating
32-byte random session IDs, setting and clearing HttpOnly SameSite=Lax cookies,
loading optional users for public routes, requiring users for protected routes,
logging users in and out, and deleting expired sessions when they are observed.

Session expiry now belongs to Manager configuration instead of to callers, so a
single clock and lifetime policy determines both persisted session metadata and
the cookie expiration. Manager construction fails fast when required dependencies
are missing: a store, a clock, and a positive lifetime.

The dependency graph shrinks accordingly: jeff, SQLite, msgp, and the sqlite_json
test tag are removed; the module path advances to codeberg.org/mtlynch/simpleauth/v3;
x/crypto is updated; and the Nix vendor hash and tests move to the slimmer API.

Tests cover creating and loading sessions, redirecting unauthenticated protected
requests, and ignoring and deleting expired sessions.
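
The session lifecycle described in this commit message, sketched as an added example that is not simpleauth's own code. The names Session, Store, MemStore, Login and Load, the cookie name "session", and the hex encoding of the ID are all assumptions made for the sketch.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"net/http"
	"time"
)

// Session and Store are hypothetical shapes, not simpleauth's real v3 types.
type Session struct {
	ID, UserID           string
	CreatedAt, ExpiresAt time.Time
}

type Store interface {
	Create(Session) error
	Read(id string) (Session, bool)
	Delete(id string)
}

type MemStore map[string]Session // constructed demo store, not concurrency-safe
func (m MemStore) Create(s Session) error         { m[s.ID] = s; return nil }
func (m MemStore) Read(id string) (Session, bool) { s, ok := m[id]; return s, ok }
func (m MemStore) Delete(id string)               { delete(m, id) }

// Login stores a 32-byte random ID; one clock and one lifetime set both expiries.
func Login(st Store, user string, now time.Time, life time.Duration) (*http.Cookie, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	s := Session{fmt.Sprintf("%x", raw), user, now, now.Add(life)}
	c := &http.Cookie{Name: "session", Value: s.ID, Path: "/", Expires: s.ExpiresAt,
		HttpOnly: true, SameSite: http.SameSiteLaxMode}
	return c, st.Create(s) // callers must check the error before sending c
}

func Load(st Store, id string, now time.Time) (string, bool) {
	s, ok := st.Read(id)
	if !ok || !now.Before(s.ExpiresAt) {
		st.Delete(id) // expired (or already gone): remove when observed
		return "", false
	}
	return s.UserID, true
}

func main() {
	fmt.Println(Login(MemStore{}, "alice", time.Now(), time.Hour))
}
```

Because the store only sees Session records, the same Login and Load logic works against any backend that satisfies the three-method interface.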

Suite timing

        Time to Start  Worker time  Duration  Time to finish
Config  -74s           10s          10s       -64s
Eval    -64s           13s          13s       -51s
Build   -57s           1m28s        34s       -22s
Test    -              -            -         -
Deploy  -              -            -         -
Suite   -74s           1m51s        52s       -22s
