Move auth session signing into auth_service.login

backend/app/services/auth_service.py

@@ -79,17 +79,19 @@ async def login(
     db: aiosqlite.Connection,
     password: str,
     session_duration_minutes: int,
+    session_secret: str,
     session_repo: SessionRepository = default_session_repo,
-) -> Session:
-    """Verify *password* and create a new session on success.
+) -> tuple[str, str]:
+    """Verify *password*, create a new session, and sign the token.
 
     Args:
         db: Active aiosqlite connection.
         password: Plain-text password supplied by the user.
         session_duration_minutes: How long the new session is valid for.
+        session_secret: Secret used to sign the session token.
 
     Returns:
-        A :class:`~app.models.auth.Session` domain model for the new session.
+        A tuple of the signed session token and its expiry timestamp.
 
     Raises:
         ValueError: If the password is incorrect or no password hash is stored.
@@ -111,8 +113,9 @@ async def login(
     session = await session_repo.create_session(
         db, token=token, created_at=created_iso, expires_at=expires_iso
     )
-    log.info("bangui_login_success", token_prefix=token[:8])
-    return session
+    signed_token = sign_session_token(session.token, session_secret)
+    log.info("bangui_login_success", token_prefix=session.token[:8])
+    return signed_token, session.expires_at
 
 
 async def validate_session(