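-- Disconnect c2s sessions after a configurable timeout to force re-authentication.
-- This ensures that expired credentials (e.g. app passwords) are caught promptly.
--
-- The timer is armed once, at resource bind, and is never re-armed by activity,
-- so this is an absolute session lifetime rather than an idle timeout. A
-- credential that expires or is revoked mid-session stays usable on an
-- already-bound session for up to `session_timeout` seconds.
-- NOTE(review): only "resource-bind" is hooked here; confirm that resumed
-- sessions (e.g. stream management) cannot outlive the deadline -- TODO verify.

local DEFAULT_TIMEOUT = 1800; -- seconds (30 minutes)

local timeout = module:get_option_number("session_timeout", DEFAULT_TIMEOUT);

-- Reject a missing, non-numeric, NaN or non-positive value. Such a delay would
-- either raise when the timer is armed or (presumably) fire at once and close
-- every session right after bind. Falling back to the default keeps the forced
-- re-authentication active instead of silently disabling it.
if type(timeout) ~= "number" or not (timeout > 0) then
	module:log("warn", "Invalid session_timeout %s, falling back to %d seconds",
		tostring(timeout), DEFAULT_TIMEOUT);
	timeout = DEFAULT_TIMEOUT;
end

module:hook("resource-bind", function(event)
	local session = event.session;
	if not session then
		return;
	end

	-- The handle is stored on the session. Nothing in this file stops it, so the
	-- callback re-checks the session state when it fires.
	session._timeout_timer = module:add_timer(timeout, function()
		-- Only act on sessions that are still live c2s sessions.
		if session.type == "c2s" and not session.destroyed then
			module:log("info", "Session timeout for %s, forcing re-authentication", session.full_jid);
			session:close({
				condition = "policy-violation",
				text = "Session expired, please reconnect"
			});
		end
	end);
end);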