Cloudwatch picks up session logout events

Author: samejr

apps/webapp/app/services/session.server.ts

@@ -3,7 +3,12 @@ import { getUserById } from "~/models/user.server";
 import { sanitizeRedirectPath } from "~/utils";
 import { authenticator } from "./auth.server";
 import { getImpersonationId } from "./impersonation.server";
-import { getEffectiveSessionDuration, isSessionExpired } from "./sessionDuration.server";
+import { logger } from "./logger.server";
+import {
+  getEffectiveSessionDuration,
+  getSessionIssuedAt,
+  isSessionExpired,
+} from "./sessionDuration.server";
 import { getUserSession } from "./sessionStorage.server";
 
 export async function getUserId(request: Request): Promise<string | undefined> {
@@ -29,8 +34,22 @@ export async function getUserId(request: Request): Promise<string | undefined> {
   // by the most restrictive Organization.maxSessionDuration). If the session
   // was issued longer ago than the cap allows, force a logout.
   const session = await getUserSession(request);
-  const { durationSeconds } = await getEffectiveSessionDuration(authUser.userId);
+  const { durationSeconds, orgCapSeconds, userSettingSeconds } = await getEffectiveSessionDuration(
+    authUser.userId
+  );
   if (isSessionExpired(session, durationSeconds)) {
+    const issuedAt = getSessionIssuedAt(session);
+    // HIPAA audit trail: structured log lands in CloudWatch via stdout. Use
+    // the stable `event` field to filter/aggregate auto-logout events.
+    logger.info("Auto-logout: session exceeded effective duration", {
+      event: "session.auto_logout",
+      userId: authUser.userId,
+      effectiveDurationSeconds: durationSeconds,
+      userSettingSeconds,
+      orgCapSeconds,
+      sessionAgeMs: issuedAt === null ? null : Date.now() - issuedAt,
+      requestPath: new URL(request.url).pathname,
+    });
     throw redirect("/logout");
   }
 

apps/webapp/app/services/sessionDuration.server.ts

@@ -119,7 +119,7 @@ export function getAllowedSessionOptions(
   return allowed;
 }
 
-function readSessionIssuedAt(session: Session): number | null {
+export function getSessionIssuedAt(session: Session): number | null {
   const raw = session.get(SESSION_ISSUED_AT_KEY);
   if (typeof raw !== "number" || !Number.isFinite(raw)) return null;
   return raw;
@@ -135,7 +135,7 @@ export function isSessionExpired(
   effectiveDurationSeconds: number,
   now: number = Date.now()
 ): boolean {
-  const issuedAt = readSessionIssuedAt(session);
+  const issuedAt = getSessionIssuedAt(session);
   if (issuedAt === null) return false;
   return now - issuedAt > effectiveDurationSeconds * 1000;
 }
@@ -150,7 +150,7 @@ export function setSessionIssuedAt(session: Session, now: number = Date.now()):
  * caller knows to commit the cookie. Returns false when nothing changed.
  */
 export function ensureSessionIssuedAt(session: Session, now: number = Date.now()): boolean {
-  if (readSessionIssuedAt(session) !== null) return false;
+  if (getSessionIssuedAt(session) !== null) return false;
   setSessionIssuedAt(session, now);
   return true;
 }