ethpandaops · skylenet · Feb 24, 2026 · Feb 24, 2026
diff --git a/pkg/api/admin.go b/pkg/api/admin.go
@@ -208,12 +208,13 @@ func (s *server) handleDeleteUser(
 // --- Session management ---
 
 type sessionResponse struct {
-	ID        uint   `json:"id"`
-	UserID    uint   `json:"user_id"`
-	Username  string `json:"username"`
-	Source    string `json:"source"`
-	ExpiresAt string `json:"expires_at"`
-	CreatedAt string `json:"created_at"`
+	ID           uint   `json:"id"`
+	UserID       uint   `json:"user_id"`
+	Username     string `json:"username"`
+	Source       string `json:"source"`
+	ExpiresAt    string `json:"expires_at"`
+	CreatedAt    string `json:"created_at"`
+	LastActiveAt string `json:"last_active_at"`
 }
 
 // handleListSessions returns all sessions with resolved usernames.
@@ -254,13 +255,20 @@ func (s *server) handleListSessions(
 	resp := make([]sessionResponse, 0, len(sessions))
 	for i := range sessions {
 		info := userMap[sessions[i].UserID]
+
+		var lastActive string
+		if sessions[i].LastActiveAt != nil {
+			lastActive = sessions[i].LastActiveAt.UTC().Format("2006-01-02T15:04:05Z")
+		}
+
 		resp = append(resp, sessionResponse{
-			ID:        sessions[i].ID,
-			UserID:    sessions[i].UserID,
-			Username:  info.Username,
-			Source:    info.Source,
-			ExpiresAt: sessions[i].ExpiresAt.Format("2006-01-02T15:04:05Z"),
-			CreatedAt: sessions[i].CreatedAt.Format("2006-01-02T15:04:05Z"),
+			ID:           sessions[i].ID,
+			UserID:       sessions[i].UserID,
+			Username:     info.Username,
+			Source:       info.Source,
+			ExpiresAt:    sessions[i].ExpiresAt.UTC().Format("2006-01-02T15:04:05Z"),
+			CreatedAt:    sessions[i].CreatedAt.UTC().Format("2006-01-02T15:04:05Z"),
+			LastActiveAt: lastActive,
 		})
 	}
 

diff --git a/pkg/api/github.go b/pkg/api/github.go
@@ -195,7 +195,7 @@ func (s *server) handleGitHubCallback(
 	session := &store.Session{
 		Token:     token,
 		UserID:    user.ID,
-		ExpiresAt: time.Now().Add(ttl),
+		ExpiresAt: time.Now().UTC().Add(ttl),
 	}
 
 	if err := s.store.CreateSession(r.Context(), session); err != nil {

diff --git a/pkg/api/handlers.go b/pkg/api/handlers.go
@@ -166,7 +166,7 @@ func (s *server) handleLogin(w http.ResponseWriter, r *http.Request) {
 	session := &store.Session{
 		Token:     token,
 		UserID:    user.ID,
-		ExpiresAt: time.Now().Add(ttl),
+		ExpiresAt: time.Now().UTC().Add(ttl),
 	}
 
 	if err := s.store.CreateSession(r.Context(), session); err != nil {

diff --git a/pkg/api/middleware.go b/pkg/api/middleware.go
@@ -46,7 +46,7 @@ func (s *server) requireAuth(next http.Handler) http.Handler {
 			return
 		}
 
-		if time.Now().After(session.ExpiresAt) {
+		if time.Now().UTC().After(session.ExpiresAt) {
 			_ = s.store.DeleteSession(r.Context(), cookie.Value)
 			writeJSON(w, http.StatusUnauthorized,
 				errorResponse{"session expired"})
@@ -62,6 +62,18 @@ func (s *server) requireAuth(next http.Handler) http.Handler {
 			return
 		}
 
+		if session.LastActiveAt == nil ||
+			time.Since(*session.LastActiveAt) > 5*time.Minute {
+			go func() {
+				if err := s.store.UpdateSessionLastActive(
+					context.Background(), session.ID, time.Now().UTC(),
+				); err != nil {
+					s.log.WithError(err).
+						Warn("Failed to update session last active")
+				}
+			}()
+		}
+
 		ctx := context.WithValue(r.Context(), userContextKey, user)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})

diff --git a/pkg/api/store/models.go b/pkg/api/store/models.go
@@ -22,11 +22,12 @@ type User struct {
 
 // Session represents an active user session.
 type Session struct {
-	ID        uint      `gorm:"primaryKey" json:"id"`
-	Token     string    `gorm:"uniqueIndex;not null" json:"-"`
-	UserID    uint      `gorm:"not null" json:"user_id"`
-	ExpiresAt time.Time `gorm:"not null" json:"expires_at"`
-	CreatedAt time.Time `json:"created_at"`
+	ID           uint       `gorm:"primaryKey" json:"id"`
+	Token        string     `gorm:"uniqueIndex;not null" json:"-"`
+	UserID       uint       `gorm:"not null" json:"user_id"`
+	ExpiresAt    time.Time  `gorm:"not null" json:"expires_at"`
+	CreatedAt    time.Time  `json:"created_at"`
+	LastActiveAt *time.Time `json:"last_active_at"`
 }
 
 // GitHubOrgMapping maps a GitHub organization to a role.

diff --git a/pkg/api/store/store.go b/pkg/api/store/store.go
@@ -31,6 +31,7 @@ type Store interface {
 	CreateSession(ctx context.Context, session *Session) error
 	GetSessionByToken(ctx context.Context, token string) (*Session, error)
 	ListSessions(ctx context.Context) ([]Session, error)
+	UpdateSessionLastActive(ctx context.Context, id uint, t time.Time) error
 	DeleteSession(ctx context.Context, token string) error
 	DeleteSessionByID(ctx context.Context, id uint) error
 	DeleteExpiredSessions(ctx context.Context) error
@@ -234,6 +235,19 @@ func (s *store) ListSessions(ctx context.Context) ([]Session, error) {
 	return sessions, nil
 }
 
+func (s *store) UpdateSessionLastActive(
+	ctx context.Context, id uint, t time.Time,
+) error {
+	if err := s.db.WithContext(ctx).
+		Model(&Session{}).
+		Where("id = ?", id).
+		Update("last_active_at", t).Error; err != nil {
+		return fmt.Errorf("updating session last active: %w", err)
+	}
+
+	return nil
+}
+
 func (s *store) DeleteSession(ctx context.Context, token string) error {
 	if err := s.db.WithContext(ctx).
 		Where("token = ?", token).
@@ -255,7 +269,7 @@ func (s *store) DeleteSessionByID(ctx context.Context, id uint) error {
 
 func (s *store) DeleteExpiredSessions(ctx context.Context) error {
 	result := s.db.WithContext(ctx).
-		Where("expires_at < ?", time.Now()).
+		Where("expires_at < ?", time.Now().UTC()).
 		Delete(&Session{})
 	if result.Error != nil {
 		return fmt.Errorf("deleting expired sessions: %w", result.Error)

diff --git a/ui/src/api/hooks/useAdmin.ts b/ui/src/api/hooks/useAdmin.ts
@@ -41,6 +41,7 @@ export interface AdminSession {
   source: string
   expires_at: string
   created_at: string
+  last_active_at: string
 }
 
 export function useSessions() {

diff --git a/ui/src/pages/AdminPage.tsx b/ui/src/pages/AdminPage.tsx
@@ -273,6 +273,7 @@ function SessionsTab() {
               <th className="px-4 py-2">Username</th>
               <th className="px-4 py-2">Source</th>
               <th className="px-4 py-2">Created</th>
+              <th className="px-4 py-2">Last Active</th>
               <th className="px-4 py-2">Expires</th>
               <th className="px-4 py-2 text-right">Actions</th>
             </tr>
@@ -298,6 +299,9 @@ function SessionsTab() {
                 <td className="px-4 py-2 text-gray-500 dark:text-gray-400">
                   {formatTimestamp(s.created_at)}
                 </td>
+                <td className="px-4 py-2 text-gray-500 dark:text-gray-400">
+                  {s.last_active_at ? formatTimestamp(s.last_active_at) : 'Never'}
+                </td>
                 <td className="px-4 py-2 text-gray-500 dark:text-gray-400">
                   {formatTimestamp(s.expires_at)}
                 </td>
@@ -318,7 +322,7 @@ function SessionsTab() {
             ))}
             {sessions.length === 0 && (
               <tr>
-                <td colSpan={5} className="px-4 py-6 text-center text-sm text-gray-500 dark:text-gray-400">
+                <td colSpan={6} className="px-4 py-6 text-center text-sm text-gray-500 dark:text-gray-400">
                   No active sessions
                 </td>
               </tr>