Outbook-Archive / Back-End

An API that manages events on an Outlook Calendar, using the Outlook API

OWASP checklist

noltron000 opened this issue · comments

Hey Jayce! Good stuff here, but be sure to double check the vulnerability checklist.
Since you are storing session tokens in a database, check out these items:
58. Use the server or framework’s session management controls. The application should only recognize these session identifiers as valid
67. Generate a new session identifier on any re-authentication
75. Set the "secure" attribute for cookies transmitted over a TLS connection

Some of this may not be 100% relevant for you, but be sure to double check the Session Management section.
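
The three checklist items quoted in the issue, sketched as an added example that is not part of the issue or the repository's code. It assumes Node.js; the `SessionStore` class, the `sid` cookie name and the in-memory `Map` standing in for the session table are hypothetical.

```javascript
const { randomBytes } = require('node:crypto');

// Constructed in-memory stand-in for the database table that holds sessions.
class SessionStore {
  constructor() {
    this.sessions = new Map();
  }

  // Item 58: identifiers are minted server-side only, from a CSPRNG.
  issue(userId) {
    const id = randomBytes(32).toString('hex');
    this.sessions.set(id, { userId, issuedAt: Date.now() });
    return id;
  }

  // Item 58: an identifier the server never issued is not a session.
  lookup(id) {
    return this.sessions.get(id) || null;
  }

  // Item 67: every (re-)authentication retires the presented identifier
  // and issues a fresh one, so a pre-set or leaked id stops working.
  authenticate(presentedId, userId) {
    if (presentedId) this.sessions.delete(presentedId);
    return this.issue(userId);
  }
}

// Item 75: the cookie carrying the identifier is marked Secure.
// HttpOnly is an extra hardening flag, not one of the three items quoted.
function sessionCookie(id) {
  return `sid=${id}; Path=/; Secure; HttpOnly`;
}

// Walk through a login with a client-supplied id, then a re-authentication.
function demo() {
  const store = new SessionStore();
  const supplied = 'client-supplied-id'; // constructed sample value
  const first = store.authenticate(supplied, 'user-1');
  const second = store.authenticate(first, 'user-1');
  return {
    suppliedAccepted: store.lookup(supplied) !== null,
    firstStillValid: store.lookup(first) !== null,
    secondUser: store.lookup(second).userId,
    cookie: sessionCookie(second),
  };
}
```
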