auth-vir 2.5.0 → 2.7.0

package/dist/auth-client/backend-auth.client.d.ts

@@ -103,12 +103,18 @@ export type BackendAuthClientConfig<DatabaseUser extends AnyObject, UserId exten
      */
     userSessionIdleTimeout: Readonly<AnyDuration>;
     /**
-     * How long before a user's session times out when we should start trying to refresh their
-     * session.
+     * How long into a user's session when we should start trying to refresh their session.
      *
-     * @default {minutes: 10}
+     * @default {minutes: 2}
      */
-    sessionRefreshThreshold: Readonly<AnyDuration>;
+    sessionRefreshTimeout: Readonly<AnyDuration>;
+    /**
+     * The maximum duration a session can last, regardless of activity. After this time, the
+     * user will be logged out even if they are actively using the application.
+     *
+     * @default {weeks: 2}
+     */
+    maxSessionDuration: Readonly<AnyDuration>;
     overrides: PartialWithUndefined<{
         csrfHeaderName: CsrfHeaderName;
         assumedUserHeaderName: string;

package/dist/auth-client/backend-auth.client.js

@@ -1,14 +1,18 @@
 import { ensureArray, } from '@augment-vir/common';
-import { calculateRelativeDate, getNowInUtcTimezone, isDateAfter } from 'date-vir';
+import { calculateRelativeDate, createUtcFullDate, getNowInUtcTimezone, isDateAfter, negateDuration, } from 'date-vir';
 import { extractUserIdFromRequestHeaders, generateLogoutHeaders, generateSuccessfulLoginHeaders, insecureExtractUserIdFromCookieAlone, } from '../auth.js';
 import { AuthCookieName } from '../cookie.js';
 import { AuthHeaderName, mergeHeaderValues } from '../headers.js';
 import { parseJwtKeys } from '../jwt/jwt-keys.js';
+import { authLog } from '../log.js';
 const defaultSessionIdleTimeout = {
     minutes: 20,
 };
-const defaultSessionRefreshThreshold = {
-    minutes: 10,
+const defaultSessionRefreshTimeout = {
+    minutes: 2,
+};
+const defaultMaxSessionDuration = {
+    weeks: 2,
 };
 /**
  * An auth client for creating and validating JWTs embedded in cookies. This should only be used in
@@ -60,8 +64,33 @@ export class BackendAuthClient {
             relativeTo: userIdResult.jwtExpiration,
         });
         if (isExpiredAlready) {
+            authLog('auth-vir: SESSION EXPIRED - JWT already expired, user will be logged out', {
+                userId: userIdResult.userId,
+                jwtExpiration: userIdResult.jwtExpiration,
+            });
             return undefined;
         }
+        /**
+         * Check if the session has exceeded the max session duration. If so, don't refresh the
+         * session and let it expire naturally.
+         */
+        const maxSessionDuration = this.config.maxSessionDuration || defaultMaxSessionDuration;
+        if (userIdResult.sessionStartedAt) {
+            const sessionStartDate = createUtcFullDate(userIdResult.sessionStartedAt);
+            const maxSessionEndDate = calculateRelativeDate(sessionStartDate, maxSessionDuration);
+            const isSessionExpired = isDateAfter({
+                fullDate: now,
+                relativeTo: maxSessionEndDate,
+            });
+            if (isSessionExpired) {
+                authLog('auth-vir: SESSION EXPIRED - max session duration exceeded, user will be logged out', {
+                    userId: userIdResult.userId,
+                    sessionStartedAt: userIdResult.sessionStartedAt,
+                    maxSessionDuration,
+                });
+                return undefined;
+            }
+        }
         /**
          * This check performs the following: the current time + the refresh threshold > JWT
          * expiration.
@@ -77,9 +106,10 @@ export class BackendAuthClient {
          * - Y = JWT expiration within the refresh threshold: {@link isRefreshReady} = true.
          * - Z = JWT expiration outside the refresh threshold: {@link isRefreshReady} = false.
          */
+        const sessionRefreshTimeout = this.config.sessionRefreshTimeout || defaultSessionRefreshTimeout;
         const isRefreshReady = isDateAfter({
-            fullDate: calculateRelativeDate(now, this.config.sessionRefreshThreshold || defaultSessionRefreshThreshold),
-            relativeTo: userIdResult.jwtExpiration,
+            fullDate: now,
+            relativeTo: calculateRelativeDate(userIdResult.jwtExpiration, negateDuration(sessionRefreshTimeout)),
         });
         if (isRefreshReady) {
             return this.createLoginHeaders({
@@ -116,6 +146,7 @@ export class BackendAuthClient {
     async getSecureUser({ requestHeaders, isSignUpCookie, allowUserAuthRefresh, }) {
         const userIdResult = await extractUserIdFromRequestHeaders(requestHeaders, await this.getJwtParams(), isSignUpCookie ? AuthCookieName.SignUp : AuthCookieName.Auth, this.config.overrides);
         if (!userIdResult) {
+            authLog('auth-vir: getSecureUser failed - could not extract user from request');
             return undefined;
         }
         const user = await this.getDatabaseUser({
@@ -124,6 +155,9 @@ export class BackendAuthClient {
             isSignUpCookie,
         });
         if (!user) {
+            authLog('auth-vir: getSecureUser failed - user not found in database', {
+                userId: userIdResult.userId,
+            });
             return undefined;
         }
         const assumedUser = await this.getAssumedUser({
@@ -161,6 +195,10 @@ export class BackendAuthClient {
     }
     /** Use these headers to log out the user. */
     async createLogoutHeaders(params) {
+        authLog('auth-vir: LOGOUT - BackendAuthClient.createLogoutHeaders called', {
+            allCookies: 'allCookies' in params ? params.allCookies : undefined,
+            isSignUpCookie: 'isSignUpCookie' in params ? params.isSignUpCookie : undefined,
+        }, new Error().stack);
         const signUpCookieHeaders = params.allCookies || params.isSignUpCookie
             ? generateLogoutHeaders(await this.getCookieParams({
                 isSignUpCookie: true,
@@ -195,10 +233,12 @@ export class BackendAuthClient {
                 requestHeaders,
             }), this.config.overrides)
             : undefined;
+        const existingUserIdResult = await extractUserIdFromRequestHeaders(requestHeaders, await this.getJwtParams(), isSignUpCookie ? AuthCookieName.SignUp : AuthCookieName.Auth, this.config.overrides);
+        const sessionStartedAt = existingUserIdResult?.sessionStartedAt;
         const newCookieHeaders = await generateSuccessfulLoginHeaders(userId, await this.getCookieParams({
             isSignUpCookie,
             requestHeaders,
-        }), this.config.overrides);
+        }), this.config.overrides, sessionStartedAt);
         return {
             ...newCookieHeaders,
             'set-cookie': mergeHeaderValues(newCookieHeaders['set-cookie'], discardOppositeCookieHeaders?.['set-cookie']),
@@ -228,6 +268,7 @@ export class BackendAuthClient {
         // eslint-disable-next-line @typescript-eslint/no-deprecated
         const userIdResult = await insecureExtractUserIdFromCookieAlone(requestHeaders, await this.getJwtParams(), AuthCookieName.Auth);
         if (!userIdResult) {
+            authLog('auth-vir: getInsecureUser failed - could not extract user from request');
             return undefined;
         }
         const user = await this.getDatabaseUser({
@@ -236,6 +277,9 @@ export class BackendAuthClient {
             assumingUser: undefined,
         });
         if (!user) {
+            authLog('auth-vir: getInsecureUser failed - user not found in database', {
+                userId: userIdResult.userId,
+            });
             return undefined;
         }
         const refreshHeaders = allowUserAuthRefresh &&

package/dist/auth-client/frontend-auth.client.d.ts

@@ -56,6 +56,8 @@ export type FrontendAuthClientConfig = PartialWithUndefined<{
 export declare class FrontendAuthClient<AssumedUserParams extends JsonCompatibleObject = EmptyObject> {
     protected readonly config: FrontendAuthClientConfig;
     protected userCheckInterval: undefined | ReturnType<typeof createBlockingInterval>;
+    /** Used to clean up the activity listener on `.destroy()`. */
+    protected removeActivityListener: VoidFunction | undefined;
     constructor(config?: FrontendAuthClientConfig);
     /**
      * Destroys the client and performs all necessary cleanup (like clearing the user check

package/dist/auth-client/frontend-auth.client.js

@@ -2,6 +2,7 @@ import { HttpStatus, } from '@augment-vir/common';
 import { listenToActivity } from 'detect-activity';
 import { CsrfTokenFailureReason, extractCsrfTokenHeader, getCurrentCsrfToken, storeCsrfToken, wipeCurrentCsrfToken, } from '../csrf-token.js';
 import { AuthHeaderName } from '../headers.js';
+import { authLog } from '../log.js';
 /**
  * An auth client for sending and validating client requests to a backend. This should only be used
  * in a frontend environment as it accesses native browser APIs.
@@ -12,10 +13,12 @@ import { AuthHeaderName } from '../headers.js';
 export class FrontendAuthClient {
     config;
     userCheckInterval;
+    /** Used to clean up the activity listener on `.destroy()`. */
+    removeActivityListener;
     constructor(config = {}) {
         this.config = config;
         if (config.checkUser) {
-            listenToActivity({
+            this.removeActivityListener = listenToActivity({
                 listener: async () => {
                     const response = await config.checkUser?.performCheck();
                     if (response) {
@@ -35,12 +38,16 @@ export class FrontendAuthClient {
      */
     destroy() {
         this.userCheckInterval?.clearInterval();
+        this.removeActivityListener?.();
     }
     /** Wraps {@link getCurrentCsrfToken} to automatically handle wiping an invalid CSRF token. */
     async getCurrentCsrfToken() {
         const csrfTokenResult = getCurrentCsrfToken(this.config.overrides);
         if (csrfTokenResult.failure &&
             csrfTokenResult.failure !== CsrfTokenFailureReason.DoesNotExist) {
+            authLog('auth-vir: LOGOUT - getCurrentCsrfToken: invalid CSRF token', {
+                failure: csrfTokenResult.failure,
+            });
             await this.logout();
             return undefined;
         }
@@ -107,6 +114,7 @@ export class FrontendAuthClient {
     }
     /** Wipes the current user auth. */
     async logout() {
+        authLog('auth-vir: LOGOUT - FrontendAuthClient.logout called', new Error().stack);
         await this.config.authClearedCallback?.();
         wipeCurrentCsrfToken(this.config.overrides);
     }
@@ -118,11 +126,13 @@ export class FrontendAuthClient {
      */
     async handleLoginResponse(response) {
         if (!response.ok) {
+            authLog('auth-vir: LOGOUT - handleLoginResponse: response not ok');
             await this.logout();
             throw new Error('Login response failed.');
         }
         const { csrfToken } = extractCsrfTokenHeader(response, this.config.overrides);
         if (!csrfToken) {
+            authLog('auth-vir: LOGOUT - handleLoginResponse: no CSRF token in response');
             await this.logout();
             throw new Error('Did not receive any CSRF token.');
         }
@@ -137,6 +147,9 @@ export class FrontendAuthClient {
     async verifyResponseAuth(response) {
         if (response.status === HttpStatus.Unauthorized &&
             !response.headers?.get(AuthHeaderName.IsSignUpAuth)) {
+            authLog('auth-vir: LOGOUT - verifyResponseAuth: unauthorized response (401)', {
+                status: response.status,
+            });
             await this.logout();
             return false;
         }

package/dist/auth.d.ts

@@ -3,6 +3,7 @@ import { type FullDate, type UtcTimezone } from 'date-vir';
 import { type CookieParams } from './cookie.js';
 import { AuthHeaderName } from './headers.js';
 import { type ParseJwtParams } from './jwt/jwt.js';
+import { type JwtUserData } from './jwt/user-jwt.js';
 /**
  * All possible headers container types supported by {@link extractUserIdFromRequestHeaders}.
  *
@@ -18,6 +19,11 @@ export type UserIdResult<UserId extends string | number> = {
     userId: UserId;
     jwtExpiration: FullDate<UtcTimezone>;
     cookieName: string;
+    /**
+     * Unix timestamp (in milliseconds) when the session was originally started. Used to enforce max
+     * session duration.
+     */
+    sessionStartedAt: JwtUserData['sessionStartedAt'];
 };
 /**
  * Extract the user id from a request by checking both the request cookie and CSRF token. This is
@@ -48,7 +54,12 @@ export declare function generateSuccessfulLoginHeaders<CsrfHeaderName extends st
 /** The id from your database of the user you're authenticating. */
 userId: string | number, cookieConfig: Readonly<CookieParams>, overrides?: PartialWithUndefined<{
     csrfHeaderName: CsrfHeaderName;
-}>): Promise<{
+}>, 
+/**
+ * The timestamp (in seconds) when the session originally started. If not provided, the current
+ * time will be used (for new sessions).
+ */
+sessionStartedAt?: number | undefined): Promise<{
     'set-cookie': string;
 } & Record<CsrfHeaderName, string>>;
 /**

package/dist/auth.js

@@ -1,6 +1,7 @@
 import { AuthCookieName, clearAuthCookie, extractCookieJwt, generateAuthCookie, } from './cookie.js';
 import { extractCsrfTokenHeader, generateCsrfToken, parseCsrfToken, storeCsrfToken, wipeCurrentCsrfToken, } from './csrf-token.js';
 import { AuthHeaderName } from './headers.js';
+import { authLog } from './log.js';
 function readHeader(headers, headerName) {
     if (headers instanceof Headers) {
         return headers.get(headerName) || undefined;
@@ -38,19 +39,31 @@ export async function extractUserIdFromRequestHeaders(headers, jwtParams, cookie
         const csrfToken = readCsrfTokenHeader(headers, overrides);
         const cookie = readHeader(headers, 'cookie');
         if (!cookie || !csrfToken) {
+            authLog('auth-vir: extractUserIdFromRequestHeaders failed - missing cookie or CSRF token', {
+                hasCookie: !!cookie,
+                hasCsrfToken: !!csrfToken,
+                cookieName,
+            });
             return undefined;
         }
         const jwt = await extractCookieJwt(cookie, jwtParams, cookieName);
         if (!jwt || jwt.data.csrfToken !== csrfToken) {
+            authLog('auth-vir: extractUserIdFromRequestHeaders failed - JWT invalid or CSRF mismatch', {
+                hasJwt: !!jwt,
+                csrfMatch: jwt ? jwt.data.csrfToken === csrfToken : false,
+                cookieName,
+            });
             return undefined;
         }
         return {
             userId: jwt.data.userId,
             jwtExpiration: jwt.jwtExpiration,
             cookieName,
+            sessionStartedAt: jwt.data.sessionStartedAt,
         };
     }
-    catch {
+    catch (error) {
+        authLog('auth-vir: extractUserIdFromRequestHeaders error', { error, cookieName });
         return undefined;
     }
 }
@@ -66,19 +79,23 @@ export async function insecureExtractUserIdFromCookieAlone(headers, jwtParams, c
     try {
         const cookie = readHeader(headers, 'cookie');
         if (!cookie) {
+            authLog('auth-vir: insecureExtractUserIdFromCookieAlone failed - no cookie');
             return undefined;
         }
         const jwt = await extractCookieJwt(cookie, jwtParams, cookieName);
         if (!jwt) {
+            authLog('auth-vir: insecureExtractUserIdFromCookieAlone failed - JWT extraction failed');
             return undefined;
         }
         return {
             userId: jwt.data.userId,
             jwtExpiration: jwt.jwtExpiration,
             cookieName,
+            sessionStartedAt: jwt.data.sessionStartedAt,
         };
     }
-    catch {
+    catch (error) {
+        authLog('auth-vir: insecureExtractUserIdFromCookieAlone error', { error });
         return undefined;
     }
 }
@@ -89,13 +106,19 @@ export async function insecureExtractUserIdFromCookieAlone(headers, jwtParams, c
  */
 export async function generateSuccessfulLoginHeaders(
 /** The id from your database of the user you're authenticating. */
-userId, cookieConfig, overrides = {}) {
+userId, cookieConfig, overrides = {}, 
+/**
+ * The timestamp (in seconds) when the session originally started. If not provided, the current
+ * time will be used (for new sessions).
+ */
+sessionStartedAt) {
     const csrfToken = generateCsrfToken(cookieConfig.cookieDuration);
     const csrfHeaderName = (overrides.csrfHeaderName || AuthHeaderName.CsrfToken);
     return {
         'set-cookie': await generateAuthCookie({
             csrfToken: csrfToken.token,
             userId,
+            sessionStartedAt: sessionStartedAt ?? Date.now(),
         }, cookieConfig),
         [csrfHeaderName]: JSON.stringify(csrfToken),
     };
@@ -107,6 +130,9 @@ userId, cookieConfig, overrides = {}) {
  * @category Auth : Host
  */
 export function generateLogoutHeaders(cookieConfig, overrides = {}) {
+    authLog('auth-vir: LOGOUT - generateLogoutHeaders called', {
+        cookieName: cookieConfig.cookieName,
+    }, new Error().stack);
     const csrfHeaderName = (overrides.csrfHeaderName || AuthHeaderName.CsrfToken);
     return {
         'set-cookie': clearAuthCookie(cookieConfig),
@@ -124,13 +150,16 @@ export function generateLogoutHeaders(cookieConfig, overrides = {}) {
  */
 export function handleAuthResponse(response, overrides = {}) {
     if (!response.ok) {
+        authLog('auth-vir: LOGOUT - handleAuthResponse: response not ok, wiping CSRF token');
         wipeCurrentCsrfToken(overrides);
         return;
     }
     const { csrfToken } = extractCsrfTokenHeader(response, overrides);
     if (!csrfToken) {
+        authLog('auth-vir: LOGOUT - handleAuthResponse: no CSRF token in response, wiping');
         wipeCurrentCsrfToken(overrides);
         throw new Error('Did not receive any CSRF token.');
     }
+    authLog('auth-vir: handleAuthResponse - successfully stored CSRF token');
     storeCsrfToken(csrfToken, overrides);
 }

package/dist/csrf-token.js

@@ -2,6 +2,7 @@ import { randomString, wrapInTry, } from '@augment-vir/common';
 import { calculateRelativeDate, fullDateShape, getNowInUtcTimezone, isDateAfter, } from 'date-vir';
 import { defineShape, parseJsonWithShape } from 'object-shape-tester';
 import { AuthHeaderName } from './headers.js';
+import { authLog } from './log.js';
 /**
  * Shape definition for {@link CsrfToken}.
  *
@@ -74,6 +75,7 @@ export function parseCsrfToken(value) {
         fallbackValue: undefined,
     });
     if (!csrfToken) {
+        authLog('auth-vir: CSRF token parse failed - will cause logout if used');
         return {
             failure: CsrfTokenFailureReason.ParseFailed,
         };
@@ -82,6 +84,9 @@ export function parseCsrfToken(value) {
         fullDate: getNowInUtcTimezone(),
         relativeTo: csrfToken.expiration,
     })) {
+        authLog('auth-vir: CSRF token expired - will cause logout', {
+            expiration: csrfToken.expiration,
+        });
         return {
             failure: CsrfTokenFailureReason.Expired,
         };
@@ -107,5 +112,6 @@ export function getCurrentCsrfToken(overrides = {}) {
  * @category Auth : Client
  */
 export function wipeCurrentCsrfToken(overrides = {}) {
+    authLog('auth-vir: wipeCurrentCsrfToken called', new Error().stack);
     return (overrides.localStorage || globalThis.localStorage).removeItem(overrides.csrfHeaderName || AuthHeaderName.CsrfToken);
 }

package/dist/generated/browser.js

@@ -1,5 +1,6 @@
 /* !!! This is code generated by Prisma. Do not edit directly. !!! */
 /* eslint-disable */
+// biome-ignore-all lint: generated file
 // @ts-nocheck 
 /*
  * This file should be your main import to use Prisma-related types and utilities in a browser.

package/dist/generated/client.js

@@ -1,5 +1,6 @@
 /* !!! This is code generated by Prisma. Do not edit directly. !!! */
 /* eslint-disable */
+// biome-ignore-all lint: generated file
 // @ts-nocheck 
 /*
  * This file should be your main import to use Prisma. Through it you get access to all the models, enums, and input types.

package/dist/generated/enums.js

@@ -1,5 +1,6 @@
 /* !!! This is code generated by Prisma. Do not edit directly. !!! */
 /* eslint-disable */
+// biome-ignore-all lint: generated file
 // @ts-nocheck 
 /*
 * This file exports all enum related types from the schema.

package/dist/generated/internal/class.js

@@ -1,5 +1,6 @@
 /* !!! This is code generated by Prisma. Do not edit directly. !!! */
 /* eslint-disable */
+// biome-ignore-all lint: generated file
 // @ts-nocheck 
 /*
  * WARNING: This is an internal file that is subject to change!
@@ -21,8 +22,8 @@ const config = {
             "fromEnvVar": null
         },
         "config": {
-            "moduleFormat": "esm",
-            "engineType": "client"
+            "engineType": "client",
+            "moduleFormat": "esm"
         },
         "binaryTargets": [
             {
@@ -39,8 +40,8 @@ const config = {
         "isCustomOutput": true
     },
     "relativePath": "../../test-files",
-    "clientVersion": "6.18.0",
-    "engineVersion": "34b5a692b7bd79939a9a2c3ef97d816e749cda2f",
+    "clientVersion": "6.19.2",
+    "engineVersion": "c2990dca591cba766e3b7ef5d9e8a84796e47ab7",
     "datasourceNames": [
         "db"
     ],

package/dist/generated/internal/prismaNamespace.d.ts

@@ -58,8 +58,8 @@ export type PrismaVersion = {
     engine: string;
 };
 /**
- * Prisma Client JS version: 6.18.0
- * Query Engine version: 34b5a692b7bd79939a9a2c3ef97d816e749cda2f
+ * Prisma Client JS version: 6.19.2
+ * Query Engine version: c2990dca591cba766e3b7ef5d9e8a84796e47ab7
  */
 export declare const prismaVersion: PrismaVersion;
 /**

package/dist/generated/internal/prismaNamespace.js

@@ -1,5 +1,6 @@
 /* !!! This is code generated by Prisma. Do not edit directly. !!! */
 /* eslint-disable */
+// biome-ignore-all lint: generated file
 /*
  * WARNING: This is an internal file that is subject to change!
  *
@@ -38,12 +39,12 @@ export const skip = runtime.skip;
 export const Decimal = runtime.Decimal;
 export const getExtensionContext = runtime.Extensions.getExtensionContext;
 /**
- * Prisma Client JS version: 6.18.0
- * Query Engine version: 34b5a692b7bd79939a9a2c3ef97d816e749cda2f
+ * Prisma Client JS version: 6.19.2
+ * Query Engine version: c2990dca591cba766e3b7ef5d9e8a84796e47ab7
  */
 export const prismaVersion = {
-    client: "6.18.0",
-    engine: "34b5a692b7bd79939a9a2c3ef97d816e749cda2f"
+    client: "6.19.2",
+    engine: "c2990dca591cba766e3b7ef5d9e8a84796e47ab7"
 };
 export const NullTypes = {
     DbNull: runtime.objectEnumValues.classes.DbNull,

package/dist/generated/internal/prismaNamespaceBrowser.js

@@ -1,5 +1,6 @@
 /* !!! This is code generated by Prisma. Do not edit directly. !!! */
 /* eslint-disable */
+// biome-ignore-all lint: generated file
 // @ts-nocheck 
 /*
  * WARNING: This is an internal file that is subject to change!

package/dist/index.d.ts

@@ -8,4 +8,5 @@ export * from './headers.js';
 export * from './jwt/jwt-keys.js';
 export * from './jwt/jwt.js';
 export * from './jwt/user-jwt.js';
+export * from './log.js';
 export * from './mock-local-storage.js';

package/dist/index.js

@@ -8,4 +8,5 @@ export * from './headers.js';
 export * from './jwt/jwt-keys.js';
 export * from './jwt/jwt.js';
 export * from './jwt/user-jwt.js';
+export * from './log.js';
 export * from './mock-local-storage.js';

package/dist/jwt/jwt.d.ts

@@ -60,6 +60,18 @@ export type CreateJwtParams = Readonly<{
      */
     notValidUntil: DateLike;
 }>>;
+/**
+ * JWT uses seconds since the epoch per RFC 7519, whereas `toTimestamp` uses milliseconds.
+ *
+ * @category Internal
+ */
+export declare function toJwtTimestamp(date: Readonly<FullDate>): number;
+/**
+ * Converts a JWT timestamp (in seconds) into a FullDate instance.
+ *
+ * @category Internal
+ */
+export declare function parseJwtTimestamp(seconds: number): FullDate<UtcTimezone>;
 /**
  * Creates a signed and encrypted JWT that contains the given data.
  *

package/dist/jwt/jwt.js

@@ -1,8 +1,24 @@
 import { assertWrap, check } from '@augment-vir/assert';
-import { calculateRelativeDate, createFullDateInUserTimezone, createUtcFullDate, getNowInUtcTimezone, isDateAfter, toTimestamp, } from 'date-vir';
+import { calculateRelativeDate, createFullDateInUserTimezone, createUtcFullDate, getNowInUtcTimezone, toTimestamp, } from 'date-vir';
 import { EncryptJWT, jwtDecrypt, jwtVerify, SignJWT } from 'jose';
 const encryptionProtectedHeader = { alg: 'dir', enc: 'A256GCM' };
 const signingProtectedHeader = { alg: 'HS512' };
+/**
+ * JWT uses seconds since the epoch per RFC 7519, whereas `toTimestamp` uses milliseconds.
+ *
+ * @category Internal
+ */
+export function toJwtTimestamp(date) {
+    return Math.floor(toTimestamp(date) / 1000);
+}
+/**
+ * Converts a JWT timestamp (in seconds) into a FullDate instance.
+ *
+ * @category Internal
+ */
+export function parseJwtTimestamp(seconds) {
+    return createUtcFullDate(seconds * 1000);
+}
 /**
  * Creates a signed and encrypted JWT that contains the given data.
  *
@@ -14,13 +30,13 @@ data, params) {
     const rawJwt = new SignJWT({ data })
         .setProtectedHeader(signingProtectedHeader)
         .setIssuedAt(params.issuedAt
-        ? toTimestamp(createFullDateInUserTimezone(params.issuedAt))
+        ? toJwtTimestamp(createFullDateInUserTimezone(params.issuedAt))
         : undefined)
         .setIssuer(params.issuer)
         .setAudience(params.audience)
-        .setExpirationTime(toTimestamp(calculateRelativeDate(getNowInUtcTimezone(), params.jwtDuration)));
+        .setExpirationTime(toJwtTimestamp(calculateRelativeDate(getNowInUtcTimezone(), params.jwtDuration)));
     if (params.notValidUntil) {
-        rawJwt.setNotBefore(toTimestamp(createFullDateInUserTimezone(params.notValidUntil)));
+        rawJwt.setNotBefore(toJwtTimestamp(createFullDateInUserTimezone(params.notValidUntil)));
     }
     const signedJwt = await rawJwt.sign(params.jwtKeys.signingKey);
     return await new EncryptJWT({ jwt: signedJwt })
@@ -57,14 +73,8 @@ export async function parseJwt(encryptedJwt, params) {
     if (!check.deepEquals(verifiedJwt.protectedHeader, signingProtectedHeader)) {
         throw new Error('Invalid signing protected header.');
     }
-    const expirationMs = assertWrap.isDefined(verifiedJwt.payload.exp, 'JWT has no expiration.');
-    const jwtExpiration = createUtcFullDate(expirationMs);
-    if (isDateAfter({
-        fullDate: getNowInUtcTimezone(),
-        relativeTo: jwtExpiration,
-    })) {
-        throw new Error('JWT expired.');
-    }
+    const expirationSeconds = assertWrap.isDefined(verifiedJwt.payload.exp, 'JWT has no expiration.');
+    const jwtExpiration = parseJwtTimestamp(expirationSeconds);
     return {
         data: data,
         jwtExpiration,

package/dist/jwt/user-jwt.d.ts

@@ -13,6 +13,12 @@ export declare const userJwtDataShape: import("object-shape-tester").Shape<{
      * Consider using {@link generateCsrfToken} to generate this.
      */
     csrfToken: string;
+    /**
+     * Unix timestamp (in milliseconds) when the session was originally started. This is used to
+     * enforce the max session duration. If not present, the session is considered to have started
+     * when the JWT was issued.
+     */
+    sessionStartedAt: import("object-shape-tester").Shape<import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TUnion<[import("@sinclair/typebox").TUndefined, import("@sinclair/typebox").TNumber]>>>;
 }>;
 /**
  * Data required for user JWTs.

package/dist/jwt/user-jwt.js

@@ -1,4 +1,4 @@
-import { checkValidShape, defineShape, unionShape } from 'object-shape-tester';
+import { checkValidShape, defineShape, optionalShape, unionShape } from 'object-shape-tester';
 import { createJwt, parseJwt, } from './jwt.js';
 /**
  * Shape definition and source of truth for {@link JwtUserData}.
@@ -14,6 +14,12 @@ export const userJwtDataShape = defineShape({
      * Consider using {@link generateCsrfToken} to generate this.
      */
     csrfToken: '',
+    /**
+     * Unix timestamp (in milliseconds) when the session was originally started. This is used to
+     * enforce the max session duration. If not present, the session is considered to have started
+     * when the JWT was issued.
+     */
+    sessionStartedAt: optionalShape(0, { alsoUndefined: true }),
 });
 /**
  * Creates a new signed and encrypted {@link JwtUserData} when a client (frontend) successfully

package/dist/log.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Send logs to the console for debugging.
+ *
+ * @category Internal
+ */
+export declare function authLog(...params: any[]): void;
+/**
+ * Set to `false` to disable logging.
+ *
+ * @category Internal
+ */
+export declare let shouldLogAuth: boolean;