
is: Add user session expiry configuration #7899

Open

vlasebian wants to merge 6 commits into v3.36 from feat/session-expiry-configuration

Conversation

@vlasebian
Contributor

@vlasebian vlasebian commented Apr 22, 2026

Summary

  • Adds configurable user session TTL on the Identity Server via is.user-login.session-ttl. Default 0 preserves the current "never expire" behavior.

When set to a non-zero duration:

  • sessions created at login persist with ExpiresAt = now + TTL
  • the auth cookie is issued with a matching Max-Age
  • OAuth access tokens (and refresh requests) linked to a session are rejected once the session has expired — closing the Console API path that would otherwise stay usable for up to the 1 h access-token TTL.

Testing

Steps
  1. Start the stack with TTN_LW_IS_USER_LOGIN_SESSION_TTL=1h (or is.user-login.session-ttl: 1h in the config).
  2. Log in via the Console or /oauth/api/auth/login. Inspect the _session cookie — Max-Age should be 3600.
  3. Query the DB: SELECT expires_at FROM user_sessions ORDER BY created_at DESC LIMIT 1; — should be ≈ now() + 1h.
  4. Advance the clock past expiry (or wait / shorten TTL to a few seconds) and retry a request using the same cookie — expect session_expired.
  5. Restart with TTL unset / 0 and confirm new sessions persist expires_at = NULL and the cookie has no Max-Age (browser-session cookie). This matches pre-PR behavior.
Regressions
  • Login flows (password, token-login) for Console and OAuth: unchanged when TTL=0 (default).
  • OAuth authorize/logout paths: continue to read the same session cookie; both servers now produce cookies with identical Max-Age to avoid drift.
  • Existing long-lived sessions created before rollout remain valid indefinitely.

Notes for Reviewers

None.

Checklist

  • Scope: The referenced issue is addressed, there are no unrelated changes.
  • Compatibility: The changes are backwards compatible with existing API, storage, configuration and CLI, according to the compatibility commitments in README.md for the chosen target branch.
  • Documentation: Relevant documentation is added or updated. (Follow-up in lorawan-stack-docs.)
  • Testing: The steps/process to test this feature are clearly explained including testing for regressions.
  • Infrastructure: If infrastructural changes (e.g., new RPC, configuration) are needed, a separate issue is created in the infrastructural repositories.
  • Changelog: Significant features, behavior changes, deprecations and fixes are added to CHANGELOG.md.
  • Commits: Commit messages follow guidelines in CONTRIBUTING.md, there are no fixup commits left.
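The expiry model this PR describes, written out as an added Go example (not the project's code; the UserSession type, the in-memory session map and the function names are assumptions): a session row whose ExpiresAt stays nil when the TTL is 0, a _session cookie whose Max-Age tracks the same TTL, and the check that rejects an OAuth token whose linked session is missing or has expired.

```go
package main

import (
	"errors"
	"net/http"
	"time"
)

// UserSession stands in for a login-session row (hypothetical type, not the project's).
// ExpiresAt == nil is the "never expire" case kept when the configured TTL is 0.
type UserSession struct {
	ID        string
	ExpiresAt *time.Time
}

var ErrSessionExpired = errors.New("session_expired")

// NewSession creates the session at login; a non-zero TTL sets ExpiresAt = now + TTL.
func NewSession(id string, now time.Time, ttl time.Duration) UserSession {
	s := UserSession{ID: id}
	if ttl > 0 {
		exp := now.Add(ttl)
		s.ExpiresAt = &exp
	}
	return s
}

// SessionCookie issues the _session cookie with a Max-Age matching the DB expiry; with
// TTL 0 no Max-Age is set, so the browser keeps a session cookie (pre-PR behaviour).
func SessionCookie(id string, ttl time.Duration) *http.Cookie {
	c := &http.Cookie{Name: "_session", Value: id, HttpOnly: true, Secure: true}
	if ttl > 0 {
		c.MaxAge = int(ttl.Seconds())
	}
	return c
}

// CheckLinkedSession is the check applied when an OAuth access token or refresh request is
// linked to a session: a missing session or one past ExpiresAt is rejected, so the token
// cannot outlive the login. Tokens with no linked session ("") are left to the usual checks (assumption).
func CheckLinkedSession(sessions map[string]UserSession, sessionID string, now time.Time) error {
	if sessionID == "" {
		return nil
	}
	s, ok := sessions[sessionID]
	if !ok || (s.ExpiresAt != nil && !now.Before(*s.ExpiresAt)) {
		return ErrSessionExpired
	}
	return nil
}
```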

@vlasebian vlasebian self-assigned this Apr 22, 2026
@github-actions github-actions Bot added labels c/identity server (This is related to the Identity Server) and compat/config (This could affect Configuration compatibility) Apr 22, 2026
@vlasebian vlasebian marked this pull request as ready for review April 22, 2026 12:40
@vlasebian vlasebian requested review from a team as code owners April 22, 2026 12:40
@vlasebian vlasebian requested a review from nicholaspcr April 22, 2026 12:40

Copilot AI left a comment


Pull request overview

Adds configurable user-login session expiry (TTL) to the Identity Server, aligning DB session expiry and auth cookie lifetime, and enforcing session expiry when exchanging/using OAuth tokens.

Changes:

  • Introduces is.user-login.session-ttl config and wires it into OAuth/Account server runtime config.
  • Persists session ExpiresAt on login when TTL > 0 and issues cookies with matching Max-Age.
  • Rejects refresh-token exchange (OAuth server) and access-token authentication (Identity Server) when the linked session is expired; adds tests and changelog entry.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.

Summary per file (file: description)
pkg/oauth/storage.go Adds session-expiry enforcement during refresh-token loading.
pkg/oauth/server_test.go Extends token-exchange tests to cover expired-session refresh behavior.
pkg/oauth/server.go Configures session cookie Max-Age via shared login TTL.
pkg/oauth/config.go Adds internal LoginConfig to carry session TTL from IS.
pkg/identityserver/identityserver.go Wires IS user-login.session-ttl into OAuth/Account server config.
pkg/identityserver/entity_access.go Rejects OAuth access tokens when the linked user session is expired/missing.
pkg/identityserver/config.go Adds is.user-login.session-ttl configuration knob.
pkg/account/user.go Sets UserSession.ExpiresAt at session creation when TTL > 0.
pkg/account/session/session.go Adds cookie max-age support to the session helper.
pkg/account/server_test.go Adds test for session ExpiresAt persistence + _session cookie Max-Age.
pkg/account/server.go Configures Account session cookie Max-Age via shared login TTL.
CHANGELOG.md Documents the new configurable session TTL behavior.


@vlasebian vlasebian requested a review from Copilot April 22, 2026 14:23
@github-actions github-actions Bot added labels compat/db (This could affect Database compatibility) and ui/web (This is related to a web interface) Apr 22, 2026

Copilot AI left a comment


Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.



Comment thread pkg/webui/locales/ja.json
Comment thread pkg/identityserver/bunstore/oauth_store.go Outdated
@vlasebian vlasebian requested a review from Copilot April 22, 2026 15:17

Copilot AI left a comment


Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.



Comment thread pkg/webui/locales/ja.json
"error:pkg/oauth:no_access_token": "提供されたトークンはアクセストークンではありません",
"error:pkg/oauth:no_refresh_token": "提供されたトークンは更新トークンではありません",
"error:pkg/oauth:parse": "リクエストボディの解析",
"error:pkg/oauth:session_expired": "",

Copilot AI Apr 22, 2026


The new error:pkg/oauth:session_expired Japanese translation is an empty string. In the Web UI locale loader, an empty string is treated as an explicit translation, so users will see a blank error message instead of falling back to the default message. Please provide a Japanese translation (e.g., consistent with error:pkg/account/session:session_expired) or remove the key so fallback behavior applies.

Suggested change
"error:pkg/oauth:session_expired": "",
"error:pkg/oauth:session_expired": "セッション有効期間切れ",

Contributor

@nicholaspcr nicholaspcr left a comment


LGTM.


Since there is no tracking issue for this PR, it's probably worth having it noted in another issue (maybe the internal issue to organize deployments) to test this in staging.

@vlasebian
Contributor Author

Since there is no tracking issue for this PR, it's probably worth having it noted in another issue (maybe the internal issue to organize deployments) to test this in staging.

Good point, I think it's best to create a tracking issue specifically for this. I will link this PR to it.
