How Login Authentication and Session Resolution Works
Source: autosoft-workshop/app/controllers/application_controller.rb, sessions_controller.rb
- Session is resolved in strict priority order: cookies first, then URL params, then alt_id fallback
- "Signed in on another device" detection works by checking UserLog for an active session belonging to a different session token
- Session validity requires a triple check: session must be active, session must not be expired, AND user must be active — failure on any one logs the user out
- last_access timestamp only updates if more than CONFIG minutes have passed since previous update — rapid requests within that window do NOT extend the session
- Phantom "Invalid Session" logout events in logs are system-generated cleanup operations, not real user logouts
- Old mobile app (pre-Expo) login is permanently blocked — server returns a redirect to download the new app
- Fulcrum login is restricted to a single admin user per company — other users cannot authenticate via Fulcrum
- QBO (QuickBooks Online) SSO token has a 5-minute expiry window, is single-use, and must match exactly one company — multiple matches or expired tokens fail silently
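The resolution order, triple check, throttled last_access update and "another device" check above, modelled in plain Ruby as an added illustration. This is not code from the autosoft-workshop controllers; the struct names, the 30-minute TTL measured from last_access, and ACCESS_UPDATE_MINUTES standing in for the CONFIG value are all assumptions.

```ruby
# Added illustration, not the app's own code. Names, the 30-minute TTL and
# the 5-minute window (standing in for CONFIG minutes) are assumptions.
ACCESS_UPDATE_MINUTES = 5
SESSION_TTL_SECONDS   = 30 * 60

Session = Struct.new(:token, :active, :last_access, keyword_init: true)
User    = Struct.new(:id, :active, keyword_init: true)
UserLog = Struct.new(:user_id, :session_token, :active, keyword_init: true)

# Strict priority order: cookie, then URL param, then alt_id fallback.
# Returns [source, token], or nil when nothing identifies a session.
def resolve_session_token(cookies, params, alt_id = nil)
  return [:cookie, cookies['session_token']] if cookies['session_token']
  return [:param,  params['session_token']]  if params['session_token']
  return [:alt_id, alt_id]                   if alt_id
  nil
end

# Expiry is assumed to be measured from last_access (assumption).
def session_expired?(session, now)
  session.last_access.nil? || (now - session.last_access) > SESSION_TTL_SECONDS
end

# Triple check: session active, session not expired, user active.
# Any single failure means the request is treated as logged out.
def session_valid?(session, user, now = Time.now)
  return false if session.nil? || !session.active
  return false if session_expired?(session, now)
  return false if user.nil? || !user.active
  true
end

# last_access is bumped only when more than ACCESS_UPDATE_MINUTES have
# elapsed; requests inside that window leave the timestamp untouched,
# which is why a burst of rapid requests does not push expiry out.
def touch_last_access!(session, now = Time.now)
  window = ACCESS_UPDATE_MINUTES * 60
  return false if session.last_access && (now - session.last_access) <= window
  session.last_access = now
  true
end

# "Signed in on another device": any active UserLog row for this user whose
# session token differs from the current request's token.
def signed_in_elsewhere?(user_logs, user_id, current_token)
  user_logs.any? { |l| l.user_id == user_id && l.active && l.session_token != current_token }
end
```

Running `touch_last_access!` twice inside the window against a session created with a fixed last_access shows the timestamp staying put, which reproduces the "logged out sooner than expected" support case.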
Support scenarios
- "I keep getting logged out for no reason" → rapid requests within the CONFIG window don't update last_access, so the session expires sooner than expected
- "It says I'm signed in on another device but I'm not" → the previous session wasn't cleaned up, so UserLog still shows it as active
- "I got 'Invalid Session' in the logs but no one reported a problem" → system-generated cleanup event, not a real user logout
- "Old app won't let me log in" → the legacy mobile app is permanently blocked; the customer needs to download the new app from the app store
- "QBO login failed" → the token expired (>5 minutes), was already used, or the user belongs to multiple companies