npm - alepha - Versions diffs - 0.20.2 → 0.20.4 - Mend

alepha 0.20.2 → 0.20.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (304) hide show

package/README.md +0 -1
package/assets/swagger-ui/swagger-ui-bundle.js +1 -1
package/assets/swagger-ui/swagger-ui.css +1 -1
package/dist/api/audits/index.browser.js +49 -0
package/dist/api/audits/index.browser.js.map +1 -1
package/dist/api/audits/index.js +49 -0
package/dist/api/audits/index.js.map +1 -1
package/dist/api/files/index.js.map +1 -1
package/dist/api/jobs/index.d.ts +2 -61
package/dist/api/jobs/index.d.ts.map +1 -1
package/dist/api/jobs/index.js.map +1 -1
package/dist/api/keys/index.d.ts +4 -4
package/dist/api/keys/index.js.map +1 -1
package/dist/api/notifications/index.d.ts +1 -10
package/dist/api/notifications/index.d.ts.map +1 -1
package/dist/api/parameters/index.browser.js +37 -0
package/dist/api/parameters/index.browser.js.map +1 -1
package/dist/api/parameters/index.d.ts +12 -68
package/dist/api/parameters/index.d.ts.map +1 -1
package/dist/api/parameters/index.js +57 -4
package/dist/api/parameters/index.js.map +1 -1
package/dist/api/payments/index.js.map +1 -1
package/dist/api/users/index.browser.js +6 -0
package/dist/api/users/index.browser.js.map +1 -1
package/dist/api/users/index.d.ts +148 -227
package/dist/api/users/index.d.ts.map +1 -1
package/dist/api/users/index.js +60 -14
package/dist/api/users/index.js.map +1 -1
package/dist/api/verifications/index.d.ts.map +1 -1
package/dist/api/verifications/index.js +2 -1
package/dist/api/verifications/index.js.map +1 -1
package/dist/bucket/index.d.ts +77 -107
package/dist/bucket/index.d.ts.map +1 -1
package/dist/bucket/index.js +153 -5
package/dist/bucket/index.js.map +1 -1
package/dist/bucket/index.workerd.js +12 -2
package/dist/bucket/index.workerd.js.map +1 -1
package/dist/cache/core/index.d.ts +26 -0
package/dist/cache/core/index.d.ts.map +1 -1
package/dist/cache/core/index.js +11 -1
package/dist/cache/core/index.js.map +1 -1
package/dist/cache/core/index.workerd.js +11 -1
package/dist/cache/core/index.workerd.js.map +1 -1
package/dist/captcha/index.js.map +1 -1
package/dist/cli/config/index.d.ts +7 -5
package/dist/cli/config/index.d.ts.map +1 -1
package/dist/cli/config/index.js +2 -3
package/dist/cli/config/index.js.map +1 -1
package/dist/cli/core/index.d.ts +637 -11660
package/dist/cli/core/index.d.ts.map +1 -1
package/dist/cli/core/index.js +707 -532
package/dist/cli/core/index.js.map +1 -1
package/dist/cli/devtools/index.d.ts +4 -8
package/dist/cli/devtools/index.d.ts.map +1 -1
package/dist/cli/devtools/index.js +20 -16
package/dist/cli/devtools/index.js.map +1 -1
package/dist/cli/platform/index.d.ts +51 -77
package/dist/cli/platform/index.d.ts.map +1 -1
package/dist/cli/platform/index.js +65 -15
package/dist/cli/platform/index.js.map +1 -1
package/dist/cli/vendor/index.d.ts +10 -13
package/dist/cli/vendor/index.d.ts.map +1 -1
package/dist/cli/vendor/index.js +30 -12
package/dist/cli/vendor/index.js.map +1 -1
package/dist/command/index.js +1 -1
package/dist/command/index.js.map +1 -1
package/dist/core/index.browser.js +27 -3
package/dist/core/index.browser.js.map +1 -1
package/dist/core/index.d.ts +8 -11
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +27 -3
package/dist/core/index.js.map +1 -1
package/dist/core/index.native.js +27 -3
package/dist/core/index.native.js.map +1 -1
package/dist/core/index.workerd.js +27 -3
package/dist/core/index.workerd.js.map +1 -1
package/dist/crypto/index.js.map +1 -1
package/dist/datetime/index.d.ts +69 -10
package/dist/datetime/index.d.ts.map +1 -1
package/dist/datetime/index.js +135 -13
package/dist/datetime/index.js.map +1 -1
package/dist/email/core/index.js.map +1 -1
package/dist/email/smtp/index.js +130 -16
package/dist/email/smtp/index.js.map +1 -1
package/dist/fake/index.js.map +1 -1
package/dist/lock/core/index.d.ts +30 -2
package/dist/lock/core/index.d.ts.map +1 -1
package/dist/lock/core/index.js +35 -12
package/dist/lock/core/index.js.map +1 -1
package/dist/lock/redis/index.js.map +1 -1
package/dist/logger/index.js +32 -1
package/dist/logger/index.js.map +1 -1
package/dist/mcp/index.d.ts +238 -31
package/dist/mcp/index.d.ts.map +1 -1
package/dist/mcp/index.js +198 -67
package/dist/mcp/index.js.map +1 -1
package/dist/orm/core/index.browser.js +2 -362
package/dist/orm/core/index.browser.js.map +1 -1
package/dist/orm/core/index.bun.js +18 -409
package/dist/orm/core/index.bun.js.map +1 -1
package/dist/orm/core/index.d.ts +41 -194
package/dist/orm/core/index.d.ts.map +1 -1
package/dist/orm/core/index.js +27 -422
package/dist/orm/core/index.js.map +1 -1
package/dist/orm/postgres/index.bun.js +17 -20
package/dist/orm/postgres/index.bun.js.map +1 -1
package/dist/orm/postgres/index.d.ts +1 -5
package/dist/orm/postgres/index.d.ts.map +1 -1
package/dist/orm/postgres/index.js +17 -20
package/dist/orm/postgres/index.js.map +1 -1
package/dist/react/core/index.d.ts +102 -1
package/dist/react/core/index.d.ts.map +1 -1
package/dist/react/core/index.js +65 -1
package/dist/react/core/index.js.map +1 -1
package/dist/react/form/index.d.ts +6 -0
package/dist/react/form/index.d.ts.map +1 -1
package/dist/react/form/index.js +7 -7
package/dist/react/form/index.js.map +1 -1
package/dist/react/i18n/index.d.ts +7 -1
package/dist/react/i18n/index.d.ts.map +1 -1
package/dist/react/i18n/index.js +6 -0
package/dist/react/i18n/index.js.map +1 -1
package/dist/react/intro/index.js +22 -17
package/dist/react/intro/index.js.map +1 -1
package/dist/react/router/index.browser.js +98 -4
package/dist/react/router/index.browser.js.map +1 -1
package/dist/react/router/index.d.ts +58 -5
package/dist/react/router/index.d.ts.map +1 -1
package/dist/react/router/index.js +122 -6
package/dist/react/router/index.js.map +1 -1
package/dist/react/testing/{chunk-DBEY4PJZ.js → chunk-6Ep1yQYe.js} +1 -1
package/dist/react/testing/index.js +1 -1
package/dist/react/testing/index.js.map +1 -1
package/dist/react/ui/index.d.ts +195 -1
package/dist/react/ui/index.d.ts.map +1 -1
package/dist/react/ui/index.js +64 -1
package/dist/react/ui/index.js.map +1 -1
package/dist/react/websocket/index.js.map +1 -1
package/dist/redis/index.js.map +1 -1
package/dist/scheduler/index.d.ts +1 -2
package/dist/scheduler/index.d.ts.map +1 -1
package/dist/scheduler/index.js +1 -1
package/dist/scheduler/index.js.map +1 -1
package/dist/scheduler/index.workerd.js +1 -1
package/dist/scheduler/index.workerd.js.map +1 -1
package/dist/security/index.browser.js.map +1 -1
package/dist/security/index.d.ts.map +1 -1
package/dist/security/index.js +2 -2
package/dist/security/index.js.map +1 -1
package/dist/server/auth/index.d.ts.map +1 -1
package/dist/server/auth/index.js +24 -10
package/dist/server/auth/index.js.map +1 -1
package/dist/server/cookies/index.js.map +1 -1
package/dist/server/core/index.browser.js +10 -3
package/dist/server/core/index.browser.js.map +1 -1
package/dist/server/core/index.d.ts +1 -4
package/dist/server/core/index.d.ts.map +1 -1
package/dist/server/core/index.js +47 -9
package/dist/server/core/index.js.map +1 -1
package/dist/server/links/index.browser.js.map +1 -1
package/dist/server/links/index.js.map +1 -1
package/dist/server/metrics/index.js +19 -1
package/dist/server/metrics/index.js.map +1 -1
package/dist/server/rate-limit/index.js.map +1 -1
package/dist/server/static/index.js.map +1 -1
package/dist/server/swagger/index.d.ts.map +1 -1
package/dist/server/swagger/index.js +4 -5
package/dist/server/swagger/index.js.map +1 -1
package/dist/sms/index.js.map +1 -1
package/dist/system/index.browser.js.map +1 -1
package/dist/system/index.js.map +1 -1
package/dist/system/index.workerd.js.map +1 -1
package/dist/topic/core/index.js.map +1 -1
package/dist/websocket/index.browser.js +32 -5
package/dist/websocket/index.browser.js.map +1 -1
package/dist/websocket/index.d.ts +3 -1
package/dist/websocket/index.d.ts.map +1 -1
package/dist/websocket/index.js +42 -6
package/dist/websocket/index.js.map +1 -1
package/package.json +685 -274
package/src/api/files/__tests__/FileController.spec.ts +1 -1
package/src/api/jobs/__tests__/$job.spec.ts +5 -1
package/src/api/parameters/services/ParameterProvider.ts +21 -4
package/src/api/users/__tests__/SessionService.spec.ts +99 -0
package/src/api/users/__tests__/UserJobs.spec.ts +67 -0
package/src/api/users/atoms/realmAuthSettingsAtom.ts +15 -0
package/src/api/users/entities/sessions.ts +6 -0
package/src/api/users/jobs/UserJobs.ts +44 -17
package/src/api/users/providers/RealmProvider.ts +4 -0
package/src/api/users/schemas/userQuerySchema.ts +0 -1
package/src/api/users/services/SessionService.ts +27 -0
package/src/api/users/services/UserService.ts +1 -5
package/src/api/verifications/__tests__/CodeVerification.spec.ts +14 -0
package/src/api/verifications/__tests__/LinkVerification.spec.ts +14 -0
package/src/api/verifications/services/VerificationService.ts +1 -0
package/src/bucket/__tests__/NodeS3BucketProvider.spec.ts +74 -0
package/src/bucket/index.ts +19 -2
package/src/bucket/primitives/$bucket.ts +9 -1
package/src/bucket/providers/CloudflareR2Provider.ts +2 -137
package/src/bucket/providers/NodeS3BucketProvider.ts +218 -0
package/src/cache/core/index.ts +29 -0
package/src/cache/core/primitives/$cache.ts +14 -1
package/src/cli/config/defineConfig.ts +13 -15
package/src/cli/core/__tests__/init.spec.ts +214 -7
package/src/cli/core/commands/init.ts +12 -0
package/src/cli/core/services/PackageManagerUtils.ts +23 -6
package/src/cli/core/services/ProjectScaffolder.ts +315 -33
package/src/cli/core/tasks/BuildCloudflareTask.ts +5 -0
package/src/cli/core/tasks/BuildDockerTask.ts +9 -10
package/src/cli/core/tasks/BuildServerTask.ts +8 -0
package/src/cli/core/templates/agentMd.ts +2 -10
package/src/cli/core/templates/apiIndexTs.ts +23 -1
package/src/cli/core/templates/componentsJsonTs.ts +39 -0
package/src/cli/core/templates/mainCss.ts +1 -0
package/src/cli/core/templates/saasAdminLayoutTsx.ts +77 -0
package/src/cli/core/templates/saasAdminPagesTsx.ts +26 -0
package/src/cli/core/templates/saasAuthLayoutTsx.ts +20 -0
package/src/cli/core/templates/saasAuthPagesTsx.ts +62 -0
package/src/cli/core/templates/saasRealmProviderTs.ts +46 -0
package/src/cli/core/templates/webAppRouterTs.ts +104 -1
package/src/cli/core/templates/webIndexTs.ts +23 -1
package/src/cli/devtools/index.ts +12 -26
package/src/cli/platform/__tests__/SecretsCommand.spec.ts +2 -0
package/src/cli/platform/index.ts +15 -24
package/src/cli/vendor/atoms/vendorOptions.ts +1 -1
package/src/cli/vendor/index.ts +14 -23
package/src/command/providers/CliProvider.ts +1 -1
package/src/core/Alepha.ts +11 -1
package/src/core/helpers/ref.ts +18 -0
package/src/core/index.shared.ts +1 -0
package/src/core/interfaces/Service.ts +3 -1
package/src/core/providers/SchemaValidator.ts +9 -1
package/src/core/providers/TypeProvider.ts +2 -3
package/src/datetime/REFACTORING.md +118 -0
package/src/datetime/providers/DateTimeProvider.ts +203 -24
package/src/lock/core/index.ts +31 -0
package/src/lock/core/primitives/$lock.ts +14 -1
package/src/logger/services/Logger.ts +1 -1
package/src/mcp/__tests__/$resource.spec.ts +1 -1
package/src/mcp/__tests__/$tool.spec.ts +1 -1
package/src/mcp/__tests__/McpServerProvider.spec.ts +1 -1
package/src/mcp/__tests__/jsonrpc.spec.ts +1 -1
package/src/mcp/helpers/jsonrpc.ts +26 -1
package/src/mcp/index.ts +10 -5
package/src/mcp/interfaces/McpTypes.ts +83 -6
package/src/mcp/primitives/$prompt.ts +18 -1
package/src/mcp/primitives/$resource.ts +18 -1
package/src/mcp/primitives/$tool.ts +83 -7
package/src/mcp/providers/McpServerProvider.ts +74 -16
package/src/mcp/transports/StreamableHttpMcpTransport.ts +226 -0
package/src/orm/REFACTORING.md +330 -0
package/src/orm/__tests__/$repository-tests.ts +1 -0
package/src/orm/__tests__/orm-next-tests.ts +2 -67
package/src/orm/__tests__/orm-next.spec.ts +0 -21
package/src/orm/core/index.shared.ts +0 -2
package/src/orm/core/index.ts +1 -2
package/src/orm/core/primitives/$repository.ts +3 -6
package/src/orm/core/primitives/$transactional.ts +11 -0
package/src/orm/core/providers/drivers/DatabaseProvider.ts +0 -5
package/src/orm/core/providers/drivers/NodeSqliteProvider.ts +11 -13
package/src/orm/core/schemas/updateSchema.ts +1 -1
package/src/orm/core/services/ModelBuilder.ts +1 -13
package/src/orm/core/services/PgRelationManager.ts +4 -2
package/src/orm/core/services/Repository.ts +1 -42
package/src/orm/core/services/SqliteModelBuilder.ts +2 -33
package/src/orm/postgres/services/PostgresModelBuilder.ts +10 -45
package/src/react/core/__tests__/useQuery.browser.spec.tsx +86 -0
package/src/react/core/hooks/useQuery.ts +153 -0
package/src/react/core/index.ts +1 -0
package/src/react/form/services/FormModel.ts +15 -6
package/src/react/form/services/parseField.ts +8 -0
package/src/react/i18n/providers/I18nProvider.ts +8 -2
package/src/react/intro/components/GettingStartedAuthSlide.tsx +11 -4
package/src/react/router/__tests__/$page.spec.tsx +0 -16
package/src/react/router/__tests__/ReactBrowserProvider.browser.spec.ts +213 -2
package/src/react/router/__tests__/ssr.spec.tsx +339 -0
package/src/react/router/primitives/$page.ts +28 -4
package/src/react/router/providers/ReactBrowserProvider.ts +73 -0
package/src/react/router/providers/ReactBrowserRouterProvider.ts +1 -1
package/src/react/router/providers/ReactPageProvider.ts +27 -9
package/src/react/router/providers/ReactPreloadProvider.ts +1 -1
package/src/react/router/providers/ReactServerProvider.ts +1 -0
package/src/react/ui/atoms/uiThemeListAtom.ts +36 -0
package/src/react/ui/index.ts +6 -0
package/src/react/ui/services/SchemaControl.ts +209 -0
package/src/scheduler/providers/CronProvider.ts +1 -1
package/src/security/primitives/$basicAuth.ts +1 -1
package/src/security/primitives/$issuer.ts +6 -3
package/src/server/auth/providers/ServerAuthProvider.ts +5 -1
package/src/server/core/__tests__/ServerRouterProvider-serializationError.spec.ts +75 -0
package/src/server/core/__tests__/ServerRouterProvider-validationError.spec.ts +306 -0
package/src/server/core/errors/ValidationError.ts +13 -1
package/src/server/core/interfaces/ServerRequest.ts +1 -0
package/src/server/core/primitives/$action.ts +16 -5
package/src/server/core/providers/ServerProvider.ts +1 -1
package/src/server/core/providers/ServerRouterProvider.ts +28 -6
package/src/server/core/services/HttpClient.ts +1 -1
package/src/server/swagger/providers/ServerSwaggerProvider.ts +6 -8
package/src/websocket/providers/NodeWebSocketServerProvider.ts +10 -4
package/src/websocket/services/WebSocketClient.ts +11 -5
package/src/mcp/transports/SseMcpTransport.ts +0 -182
package/src/orm/core/__tests__/parseQueryString.spec.ts +0 -196
package/src/orm/core/helpers/parseQueryString.ts +0 -502
package/src/orm/core/primitives/$view.ts +0 -88

package/dist/api/users/index.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { AuditService } from "alepha/api/audits";
 import { $bucket } from "alepha/bucket";
 import { $issuer, $permission, $secure, CryptoProvider, InvalidCredentialsError, SecurityProvider } from "alepha/security";
 import { $action, BadRequestError, ConflictError, HttpError, UnauthorizedError, okSchema } from "alepha/server";
-import { $entity, $repository, db, pageQuerySchema, parseQueryString, sql } from "alepha/orm";
+import { $entity, $repository, db, pageQuerySchema, sql } from "alepha/orm";
 import { $logger } from "alepha/logger";
 import { $client } from "alepha/server/links";
 import { $notification } from "alepha/api/notifications";
@@ -202,7 +202,11 @@ const realmAuthSettingsAtom = $atom({
 				default: 900 * 1e3,
 				minimum: 1e3
 			})
-		})
+		}),
+		refreshToken: t.object({ expirationIdle: t.optional(t.integer({
+			description: "Maximum time in milliseconds a refresh token may stay unused before being invalidated. When set, sessions whose last refresh is older than this window are rejected and deleted, even if the absolute `expiresAt` has not been reached. Recommended for SaaS auth posture (SOC2/ISO27001). Leave undefined to disable idle invalidation (default).",
+			minimum: 1e3
+		})) })
 	}),
 	default: {
 		registrationAllowed: true,
@@ -229,7 +233,8 @@ const realmAuthSettingsAtom = $atom({
 			ipMaxAttempts: 15,
 			accountMaxAttempts: 5,
 			windowMs: 900 * 1e3
-		}
+		},
+		refreshToken: {}
 	}
 });
 //#endregion
@@ -244,6 +249,12 @@ const sessions = $entity({
 		refreshToken: t.uuid(),
 		userId: db.ref(t.uuid(), () => users.cols.id),
 		expiresAt: t.datetime(),
+		/**
+		* Last time the session was used to refresh an access token.
+		* Used by realm `refreshToken.expirationIdle` to invalidate idle sessions.
+		* `null` on existing rows pre-migration — falls back to `createdAt`.
+		*/
+		lastUsedAt: t.optional(t.datetime()),
 		ip: t.optional(t.text()),
 		userAgent: t.optional(t.object({
 			os: t.text(),
@@ -300,6 +311,10 @@ var RealmProvider = class {
 				loginRateLimit: {
 					...realmAuthSettingsAtom.options.default.loginRateLimit,
 					...realmOptions.settings?.loginRateLimit
+				},
+				refreshToken: {
+					...realmAuthSettingsAtom.options.default.refreshToken,
+					...realmOptions.settings?.refreshToken
 				}
 			},
 			features,
@@ -628,8 +643,7 @@ const userQuerySchema = t.extend(pageQuerySchema, {
 	email: t.optional(t.string()),
 	enabled: t.optional(t.boolean()),
 	emailVerified: t.optional(t.boolean()),
-	roles: t.optional(t.array(t.string())),
-	query: t.optional(t.text())
+	roles: t.optional(t.array(t.string()))
 });
 //#endregion
 //#region ../../src/api/users/schemas/userResourceSchema.ts
@@ -940,7 +954,6 @@ var UserService = class {
 		if (q.enabled !== void 0) where.enabled = { eq: q.enabled };
 		if (q.emailVerified !== void 0) where.emailVerified = { eq: q.emailVerified };
 		if (q.roles) where.roles = { arrayContains: q.roles };
-		if (q.query) Object.assign(where, parseQueryString(q.query));
 		const result = await this.users(userRealmName).paginate(q, { where }, { count: true });
 		this.log.debug("Users found", {
 			count: result.content.length,
@@ -2104,10 +2117,18 @@ var UserJobs = class {
 	log = $logger();
 	dateTimeProvider = $inject(DateTimeProvider);
 	sessionRepository = $repository(sessions);
+	realmProvider = $inject(RealmProvider);
 	/**
 	* Purge expired sessions from the database.
 	*
-	* Runs hourly (at :00) and deletes sessions whose `expiresAt` has passed.
+	* Runs hourly (at :00) and deletes:
+	* - sessions whose absolute `expiresAt` has passed
+	* - sessions whose `lastUsedAt` exceeds the realm's `refreshToken.expirationIdle`
+	*   (when configured). Falls back to `createdAt` for sessions without a
+	*   recorded `lastUsedAt`.
+	*
+	* The idle sweep is best-effort cleanup — runtime enforcement happens in
+	* `SessionService.refreshSession()`.
 	*/
 	purgeExpiredSessions = $job({
 		name: "api:users:purgeExpiredSessions",
@@ -2115,14 +2136,22 @@ var UserJobs = class {
 		handler: async () => {
 			const now = this.dateTimeProvider.nowISOString();
 			this.log.info("Starting expired sessions purge", { cutoffTime: now });
-			const expiredSessions = await this.sessionRepository.findMany({ where: { expiresAt: { lt: now } } });
-			if (expiredSessions.length === 0) {
-				this.log.info("No expired sessions found");
-				return;
+			const absoluteDeletedIds = await this.sessionRepository.deleteMany({ expiresAt: { lt: now } });
+			if (absoluteDeletedIds.length > 0) this.log.info("Expired sessions purged (absolute)", { deletedCount: absoluteDeletedIds.length });
+			const idleMs = (await this.realmProvider.getRealm().getSettings()).refreshToken?.expirationIdle;
+			if (idleMs && idleMs > 0) {
+				const cutoff = this.dateTimeProvider.now().subtract(idleMs, "milliseconds").toISOString();
+				const lastUsedDeletedIds = await this.sessionRepository.deleteMany({ lastUsedAt: { lt: cutoff } });
+				const fallbackDeletedIds = await this.sessionRepository.deleteMany({
+					lastUsedAt: { isNull: true },
+					createdAt: { lt: cutoff }
+				});
+				const idleTotal = lastUsedDeletedIds.length + fallbackDeletedIds.length;
+				if (idleTotal > 0) this.log.info("Expired sessions purged (idle)", {
+					deletedCount: idleTotal,
+					thresholdMs: idleMs
+				});
 			}
-			this.log.info("Found expired sessions", { count: expiredSessions.length });
-			const deletedIds = await this.sessionRepository.deleteMany({ expiresAt: { lt: now } });
-			this.log.info("Expired sessions purged successfully", { deletedCount: deletedIds.length });
 		}
 	});
 };
@@ -2453,6 +2482,7 @@ var SessionService = class SessionService {
 		const session = await this.sessions(userRealmName).create({
 			userId: user.id,
 			expiresAt,
+			lastUsedAt: this.dateTimeProvider.nowISOString(),
 			ip: request?.ip,
 			userAgent: request?.userAgent,
 			refreshToken
@@ -2480,6 +2510,21 @@ var SessionService = class SessionService {
 			await this.sessions(userRealmName).deleteById(session.id);
 			throw new UnauthorizedError("Session expired");
 		}
+		const idleMs = (await this.realmProvider.getRealm(userRealmName).getSettings()).refreshToken?.expirationIdle;
+		if (idleMs && idleMs > 0) {
+			const lastUsedRef = session.lastUsedAt ?? session.createdAt;
+			const idleSince = now.diff(this.dateTimeProvider.of(lastUsedRef));
+			if (idleSince > idleMs) {
+				this.log.info("Session expired (idle timeout)", {
+					sessionId: session.id,
+					userId: session.userId,
+					idleMs: idleSince,
+					thresholdMs: idleMs
+				});
+				await this.sessions(userRealmName).deleteById(session.id);
+				throw new UnauthorizedError("Session expired");
+			}
+		}
 		const user = await this.users(userRealmName).getOne({ where: { id: { eq: session.userId } } });
 		if (!user.enabled) {
 			this.log.warn("Session refresh for disabled account", {
@@ -2490,6 +2535,7 @@ var SessionService = class SessionService {
 			throw new UnauthorizedError("Account disabled");
 		}
 		await this.ensureAdminRole(user, userRealmName);
+		await this.sessions(userRealmName).updateById(session.id, { lastUsedAt: now.toISOString() });
 		this.log.debug("Session refreshed", {
 			sessionId: session.id,
 			userId: session.userId