For anyone following along at home, @sam’s suggested approach was pretty simple to implement:
The crux of the solution is a find_or_create method on the extra auth token data model, which takes a user’s session and cookies and returns the extra data, creating the record and clearing the session if need be.
This approach is necessary because the Authenticator doesn’t have access to a user’s cookies, only their session, so that extra data has to be placed there at login, and then written to db on the first request after a user has been authenticated. The nice thing about this method is it migrates existing sessions to the new store without requiring users to re-authenticate.
I briefly considered storing this extra data in both the session cookie and the db, and only fetching it from db when the session cookie had been cleared, but it seemed like more complexity than it was worth for only avoiding one extra (pretty quick) SQL query each request.
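A minimal sketch of the find_or_create flow described in the post above, added here as an example; it is not the poster's code or the project's. The class name, session key, cookie name, in-memory store and the choice to key records by a SHA-256 digest of the token are all assumptions made for illustration.

```ruby
require "digest"

# Hypothetical stand-in for the extra auth token data model. An in-memory
# hash replaces the database table so the example runs offline.
class ExtraTokenData
  SESSION_KEY = "extra_token_data" # assumed key the authenticator writes at login
  COOKIE_NAME = "auth_token"       # assumed name of the auth token cookie
  STORE = {}                       # token digest => extra data (the "db")

  # Returns the extra data for the current auth token, or nil.
  def self.find_or_create(session, cookies)
    token = cookies[COOKIE_NAME]
    # No auth cookie yet: leave any pending data in the session untouched.
    return nil if token.nil? || token.empty?

    # Assumption of this example: key by digest so the raw token is not stored.
    key = Digest::SHA256.hexdigest(token)

    # First request after login, or an older session being migrated:
    # move the data out of the session and persist it.
    pending = session.delete(SESSION_KEY)
    STORE[key] = pending if pending
    STORE[key]
  end
end

# Constructed sample flow: login, then two authenticated requests.
def demo
  session = {}
  cookies = {}
  # Login: the authenticator can only reach the session.
  session[ExtraTokenData::SESSION_KEY] = { "id_token" => "constructed-value" }
  # The auth cookie is issued once login completes.
  cookies[ExtraTokenData::COOKIE_NAME] = "constructed-token-1"

  first  = ExtraTokenData.find_or_create(session, cookies) # creates the record
  second = ExtraTokenData.find_or_create(session, cookies) # plain lookup
  [first, second, session.key?(ExtraTokenData::SESSION_KEY)]
end

p demo if $PROGRAM_NAME == __FILE__
```

After the first authenticated request the session no longer carries the extra data, so every later request is served by the single lookup the post mentions.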