last_used only updates the key that was used

auth.py

@@ -53,8 +53,8 @@ def auth_required(func):
 					await conn.execute(
 						"UPDATE user_session SET last_used = NOW(), "
 						"expires = NOW() + INTERVAL '30 DAYS' "
-						"WHERE user_id = $1",
-						user_id)
+						"WHERE user_id = $1 AND id = $2",
+						user_id, sid)
 				resp.set_cookie(
 					'userid',
 					user_id,

buckler.py

@@ -224,13 +224,11 @@ async def get_session(request):
 	app = await conn.fetchrow("SELECT * FROM app_info WHERE id = $1", app_id)
 	if app:
 		if argon2.verify(app_key, app['key_hash']):
-			sessions = await conn.fetch(
+			session = await conn.fetchrow(
 				"SELECT * FROM user_session "
-				"WHERE user_id = $1 AND expires > NOW()",
-				user_id)
-			session = [s for s in sessions if s.get('id') == user_sid]
+				"WHERE user_id = $1 AND id = $2 AND expires > NOW()",
+				user_id, user_sid)
 			if session:
-				session = session[0]
 				data = await conn.fetchrow(
 					"SELECT user_info.username, app_user.session_data "
 					"FROM user_info LEFT JOIN app_user "
@@ -244,8 +242,8 @@ async def get_session(request):
 					await conn.execute(
 						"UPDATE user_session SET last_used = NOW(), "
 						"expires = NOW() + INTERVAL '30 DAYS' "
-						"WHERE user_id = $1",
-						user_id)
+						"WHERE user_id = $1 AND id = $2",
+						user_id, user_sid)
 				await conn.close()
 
 				data_meta = dict(data)