Move SQL queries out of API authentication middleware

[oliver3]

Extract a session_repo from the authentication middleware, in six acts:

• Move the whole session module to the repository, because it contains mostly database queries
• Remove use of axum and cookie from the repo, by moving the extractor and the get_cookie() method back to the middleware
• Replace the api AuthenticationError with sqlx::Error in the repo (and split create and save, actually for the next step)
• Rename Session::new() to Session::create() and use that in combination with session_repo::save() instead of the session_repo::create(), to be able to split the responsibility of calculating session lifetime and saving to the database
• Move the Session::create() and its helpers to the middleware, remove lifetime calculation from extend_session()
• Remove use of RequestSessionData (with cookie and ip address) from the repo by replacing it with SessionIdentifier containing strings

This results in a session_repo that contains all the database queries for the session, but without any knowledge of axum, cookies, or lifetime calculations.

[github-actions]

Sigrid maintainability feedback

⚠️ Your code did not improve towards your objective of 3.5 stars.

Show details

Sigrid compared your code against the baseline of 2026-02-05.

👍 What went well?

You fixed or improved 9 refactoring candidates.

Risk	System property	Location
🔴	Duplication (Fixed)	backend/src/api/authentication.rs line 331-343 backend/src/api/user.rs line 120-131
🔴	Duplication (Fixed)	backend/src/api/middleware/authentication/session.rs line 120-127 backend/src/api/middleware/authentication/session.rs line 268-275
🔴	Duplication (Fixed)	backend/src/api/user.rs line 189-201 backend/src/api/user.rs line 249-261
🔴	Duplication (Fixed)	backend/src/api/middleware/authentication/session.rs line 33-41 backend/src/api/middleware/authentication/role.rs line 185-193
🔴	Duplication (Fixed)	backend/src/api/middleware/authentication/session.rs line 121-126 backend/src/api/middleware/authentication/session.rs line 154-159 backend/src/api/middleware/authentication/session.rs line 187-192
🔴	Duplication (Fixed)	backend/src/api/user.rs line 232-240 backend/src/api/user.rs line 171-179 backend/src/api/user.rs line 135-143
🔴	Duplication (Fixed)	backend/src/api/middleware/authentication/session.rs line 150-161 backend/src/api/middleware/authentication/session.rs line 183-194
🟡	Unit Size (Improved)	backend/src/api/middleware/authentication/middleware.rs inject_user(State<SqlitePool>,Request<Body>)
⚫️		+ 1 more

👎 What could be better?

Unfortunately, 20 refactoring candidates were introduced or got worse.

Risk	System property	Location
🔴	Duplication (Introduced)	backend/src/repository/session_repo.rs line 105-119 backend/src/repository/session_repo.rs line 139-152
🔴	Duplication (Introduced)	backend/src/repository/session_repo.rs line 73-80 backend/src/repository/session_repo.rs line 226-233
🔴	Duplication (Introduced)	backend/src/api/user.rs line 192-204 backend/src/api/user.rs line 252-264
🔴	Duplication (Introduced)	backend/src/api/user.rs line 123-134 backend/src/api/authentication.rs line 336-348
🔴	Duplication (Introduced)	backend/src/api/user.rs line 235-243 backend/src/api/user.rs line 174-182 backend/src/api/user.rs line 138-146
🔴	Duplication (Introduced)	backend/src/api/middleware/authentication/role.rs line 185-193 backend/src/api/middleware/authentication/session.rs line 14-22
🔴	Duplication (Introduced)	backend/src/repository/session_repo.rs line 74-79 backend/src/repository/session_repo.rs line 112-117 backend/src/repository/session_repo.rs line 145-150
🔴	Duplication (Introduced)	backend/src/repository/session_repo.rs line 13-18 backend/src/repository/session_repo.rs line 23-28
⚫️		+ 12 more

📚 Remaining technical debt

9 refactoring candidates didn't get better or worse, but are still present in the code you touched.

View this system in Sigrid to explore your technical debt

⭐️ Sigrid ratings

System property	System on 2026-02-05	Before changes	New/changed code
Volume	3.4	N/A	N/A
Duplication	3.7	3.1	3.0
Unit Size	2.2	3.7	2.8
Unit Complexity	3.2	4.4	4.4
Unit Interfacing	3.0	0.9	1.1
Module Coupling	3.4	5.5	2.5
Component Independence	2.0	N/A	N/A
Component Entanglement	2.4	N/A	N/A
Maintainability	2.9	4.0	3.0

💬 Did you find this feedback helpful?

We would like to know your thoughts to make Sigrid better.
Your username will remain confidential throughout the process.

• ✅ Yes, these findings are useful
• 🔸 The findings are false positives
• 🔹 These findings are not important to me

---

View this system in Sigrid

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.38%. Comparing base (b6ba7d8) to head (b3f0bf2).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2857      +/-   ##
==========================================
+ Coverage   91.32%   91.38%   +0.05%     
==========================================
  Files         378      379       +1     
  Lines       17541    17646     +105     
  Branches     1987     1987              
==========================================
+ Hits        16020    16125     +105     
+ Misses       1424     1423       -1     
- Partials       97       98       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Lionqueen94]

The session repo needs to be added to sigrid

[oliver3]

The session repo needs to be added to sigrid

Thanks 😅 added in d343135

[github-actions]

PDF Diff Summary

Comparing against base branch: main

File	Status
model-n-10-2.pdf	✅ No changes
model-na-14-2-bijlage1.pdf	✅ No changes
model-na-14-2.pdf	✅ No changes
model-na-31-2-bijlage1.pdf	✅ No changes
model-na-31-2-inlegvel.pdf	✅ No changes
model-na-31-2.pdf	✅ No changes
model-p-2a.pdf	✅ No changes

[Lionqueen94]

Looks good to me 👍