init

ansible/roles/prosody/files/mod_session_timeout.lua

@@ -0,0 +1,16 @@
+-- Disconnect c2s sessions after a configurable timeout to force re-authentication.
+-- This ensures that expired credentials (e.g. app passwords) are caught promptly.
+
+local timeout = module:get_option_number("session_timeout", 1800); -- default 30 minutes
+
+module:hook("resource-bind", function(event)
+    local session = event.session;
+    if not session then return; end
+
+    session._timeout_timer = module:add_timer(timeout, function()
+        if session.type == "c2s" and not session.destroyed then
+            module:log("info", "Session timeout for %s, forcing re-authentication", session.full_jid);
+            session:close({ condition = "policy-violation", text = "Session expired, please reconnect" });
+        end
+    end);
+end);