🐛 Issue Reference

Fixes supabase/auth issue #2270 — *"missing destination name refresh_token_hmac_key in models.Session" during session refresh on iOS (Swift SDK).

📘 Summary

This PR adds the missing refresh_token_hmac_key field to the models.Session struct with the correct db:"refresh_token_hmac_key" tag. The Supabase Auth server returns this column in queries, but the Go model previously lacked the corresponding destination field, causing scan errors:

500: missing destination name refresh_token_hmac_key in *models.Session

Adding this field ensures the database scanner can correctly bind the column, resolving refresh session failures in Swift and other clients.

✅ Changes Included

• Added RefreshTokenHmacKey *string \db:"refresh_token_hmac_key"``tomodels.Session.
• Ensured struct now matches the schema of auth.sessions table.

🔍 Root Cause

The auth.sessions table includes a column named refresh_token_hmac_key.
However, models.Session did not include the corresponding field, resulting in a mismatched struct during DB row scan and triggering the scanning error.

🧪 Testing

• Verified no duplicate Session structs exist using git grep.
• Confirmed that scanning a row from auth.sessions into the updated struct completes without errors.
• Manual test: refreshed session after 1 hour; no 500 errors observed.

📦 Deployment Notes

• Requires rebuild and redeploy of Supabase Auth service.
• After deployment, session refresh via /token endpoint functions normally.

📄 Checklist

• Field added to models.Session with correct database tag.
• Code compiles successfully.
• Integration test / manual test for scanning sessions.
• PR linked to issue Supabase Swift auth says refresh_token_hmac_key doesn't exist and causing refresh session errors #2270 .
• No breaking changes introduced.