feat: deterministic daily session ID using sha256(machine_id + app_key + date)

Replace the 4-hour sliding inactivity timeout with a deterministic
session ID derived from the machine ID, app key, and UTC date.
Same device + same app + same calendar day always produces the same
session ID, enabling accurate DAU counting server-side.

Author: thewh1teagle

Cargo.toml

@@ -23,6 +23,8 @@ os_info = "3.9.2"
 rand = "0.9.0"
 log = "0.4.25"
 sys-locale = "0.3.2"
+machine-uid = "0.5.4"
+sha2 = "0.10.9"
 
 [build-dependencies]
 tauri-plugin = { version = "2.0.4", features = ["build"] }

permissions/autogenerated/reference.md

@@ -1,4 +1,3 @@
-
 ## Permission Table
 
 <table>

permissions/schemas/schema.json

@@ -49,7 +49,7 @@
           "minimum": 1.0
         },
         "description": {
-          "description": "Human-readable description of what the permission does. Tauri convention is to use <h4> headings in markdown content for Tauri documentation generation purposes.",
+          "description": "Human-readable description of what the permission does. Tauri convention is to use `<h4>` headings in markdown content for Tauri documentation generation purposes.",
           "type": [
             "string",
             "null"
@@ -111,7 +111,7 @@
           "type": "string"
         },
         "description": {
-          "description": "Human-readable description of what the permission does. Tauri internal convention is to use <h4> headings in markdown content for Tauri documentation generation purposes.",
+          "description": "Human-readable description of what the permission does. Tauri internal convention is to use `<h4>` headings in markdown content for Tauri documentation generation purposes.",
           "type": [
             "string",
             "null"
@@ -297,12 +297,14 @@
         {
           "description": "Enables the track_event command without any pre-configured scope.",
           "type": "string",
-          "const": "allow-track-event"
+          "const": "allow-track-event",
+          "markdownDescription": "Enables the track_event command without any pre-configured scope."
         },
         {
           "description": "Denies the track_event command without any pre-configured scope.",
           "type": "string",
-          "const": "deny-track-event"
+          "const": "deny-track-event",
+          "markdownDescription": "Denies the track_event command without any pre-configured scope."
         }
       ]
     }

src/client.rs

@@ -1,10 +1,7 @@
-use rand::Rng;
 use serde_json::{json, Value};
-use std::time::{SystemTime, UNIX_EPOCH};
-use std::{
-    sync::{Arc, Mutex as SyncMutex},
-    time::Duration,
-};
+use sha2::{Digest, Sha256};
+use std::sync::{Arc, Mutex as SyncMutex};
+use std::time::Duration;
 use time::{format_description::well_known::Rfc3339, OffsetDateTime};
 
 use crate::{
@@ -13,41 +10,40 @@ use crate::{
     sys::{self, SystemProperties},
 };
 
-static SESSION_TIMEOUT: Duration = Duration::from_secs(4 * 60 * 60);
-
-fn new_session_id() -> String {
-    let epoch_in_seconds = SystemTime::now()
-        .duration_since(UNIX_EPOCH)
-        .expect("time went backwards")
-        .as_secs();
-
-    let mut rng = rand::rng();
-    let random: u64 = rng.random_range(0..=99999999);
+/// Derives a deterministic session ID from machine ID, app key, and UTC date.
+/// Same device + same app + same calendar day = same session ID.
+fn create_session_id(app_key: &str) -> String {
+    let machine_id = machine_uid::get().unwrap_or_else(|_| "unknown".to_string());
+    let today = OffsetDateTime::now_utc().date().to_string(); // e.g. "2026-02-13"
 
-    let id = epoch_in_seconds * 100_000_000 + random;
+    let mut hasher = Sha256::new();
+    hasher.update(machine_id.as_bytes());
+    hasher.update(app_key.as_bytes());
+    hasher.update(today.as_bytes());
 
-    id.to_string()
+    format!("{:x}", hasher.finalize())
 }
 
 /// A tracking session.
 #[derive(Debug, Clone)]
 pub struct TrackingSession {
     pub id: String,
-    pub last_touch_ts: OffsetDateTime,
+    pub date: String,
 }
 
 impl TrackingSession {
-    fn new() -> Self {
+    fn new(app_key: &str) -> Self {
         Self {
-            id: new_session_id(),
-            last_touch_ts: OffsetDateTime::now_utc(),
+            id: create_session_id(app_key),
+            date: OffsetDateTime::now_utc().date().to_string(),
         }
     }
 }
 
 /// The Aptabase client used to track events.
 pub struct AptabaseClient {
     is_enabled: bool,
+    app_key: String,
     session: SyncMutex<TrackingSession>,
     dispatcher: Arc<EventDispatcher>,
     app_version: String,
@@ -64,8 +60,9 @@ impl AptabaseClient {
 
         Self {
             is_enabled,
+            app_key: config.app_key.clone(),
             dispatcher,
-            session: SyncMutex::new(TrackingSession::new()),
+            session: SyncMutex::new(TrackingSession::new(&config.app_key)),
             app_version,
             sys_info,
         }
@@ -83,15 +80,13 @@ impl AptabaseClient {
         });
     }
 
-    /// Returns the current session ID, creating a new one if necessary.
+    /// Returns the current session ID, rotating to a new one if the UTC date has changed.
     pub(crate) fn eval_session_id(&self) -> String {
         let mut session = self.session.lock().expect("could not lock events");
 
-        let now = OffsetDateTime::now_utc();
-        if (now - session.last_touch_ts) > SESSION_TIMEOUT {
-            *session = TrackingSession::new();
-        } else {
-            session.last_touch_ts = now;
+        let today = OffsetDateTime::now_utc().date().to_string();
+        if session.date != today {
+            *session = TrackingSession::new(&self.app_key);
         }
 
         session.id.clone()