delegate rotation

sessions/sessions.go

@@ -86,7 +86,7 @@ func (s *SessionStore[T]) New(sessionMaxAge time.Duration, data T) (string, stri
 	return st, ct, nil
 }
 
-// Validates the session and CSRF tokens, and returns new rotated tokens and session data.
+// Validates the session and CSRF tokens, then rotates the tokens if valid.
 func (s *SessionStore[T]) Validate(st, ct string) (string, string, T, error) {
 	var zero T
 
@@ -111,11 +111,35 @@ func (s *SessionStore[T]) Validate(st, ct string) (string, string, T, error) {
 		return "", "", zero, fmt.Errorf("invalid CSRF token")
 	}
 
-	// Rotate session tokens
+	return s.RotateTokens(st)
+}
+
+// RotateTokens rotates the session and CSRF tokens for a given session token.
+func (s *SessionStore[T]) RotateTokens(st string) (string, string, T, error) {
+	var zero T
+
+	hst := hash(st)
+
+	s.mu.RLock()
+	sess, ok := s.sessions[hst]
+	s.mu.RUnlock()
+
+	if !ok {
+		return "", "", zero, fmt.Errorf("invalid session token")
+	}
+
+	if time.Now().After(sess.expires) {
+		s.mu.Lock()
+		delete(s.sessions, hst)
+		s.mu.Unlock()
+		return "", "", zero, fmt.Errorf("session expired")
+	}
+
 	newSt, err := generateToken(s.tokenLength)
 	if err != nil {
 		return "", "", zero, fmt.Errorf("error generating new session token: %w", err)
 	}
+
 	newCt, err := generateToken(s.tokenLength)
 	if err != nil {
 		return "", "", zero, fmt.Errorf("error generating new CSRF token: %w", err)