auth-vir 3.1.1 → 4.0.0

package/README.md

@@ -281,7 +281,7 @@ export async function sendLoginRequest(
     userLoginData: {username: string; password: string},
     loginUrl: string,
 ) {
-    if ((await getCurrentCsrfToken(csrfOption)).csrfToken) {
+    if (await getCurrentCsrfToken(csrfOption)) {
         throw new Error('Already logged in.');
     }
 
@@ -302,7 +302,7 @@ export async function sendAuthenticatedRequest(
     requestInit: Omit<RequestInit, 'headers'> = {},
     headers: Record<string, string> = {},
 ) {
-    const {csrfToken} = await getCurrentCsrfToken(csrfOption);
+    const csrfToken = await getCurrentCsrfToken(csrfOption);
 
     if (!csrfToken) {
         throw new Error('Not authenticated.');
@@ -313,7 +313,7 @@ export async function sendAuthenticatedRequest(
         credentials: 'include',
         headers: {
             ...headers,
-            [resolveCsrfHeaderName(csrfOption)]: csrfToken.token,
+            [resolveCsrfHeaderName(csrfOption)]: csrfToken,
         },
     });
 

package/dist/auth-client/backend-auth.client.js

@@ -139,17 +139,14 @@ export class BackendAuthClient {
                 requestHeaders,
             });
             const csrfHeaderName = resolveCsrfHeaderName(this.config.csrf);
-            const { cookie, expiration } = await generateAuthCookie({
+            const { cookie } = await generateAuthCookie({
                 csrfToken: userIdResult.csrfToken,
                 userId: userIdResult.userId,
                 sessionStartedAt: userIdResult.sessionStartedAt || Date.now(),
             }, cookieParams);
             return {
                 'set-cookie': cookie,
-                [csrfHeaderName]: JSON.stringify({
-                    token: userIdResult.csrfToken,
-                    expiration,
-                }),
+                [csrfHeaderName]: userIdResult.csrfToken,
             };
         }
         else {

package/dist/auth-client/frontend-auth.client.d.ts

@@ -49,13 +49,6 @@ export type FrontendAuthClientConfig = Readonly<{
      * another user.
      */
     assumedUserHeaderName: string;
-    /**
-     * Allowed clock skew tolerance for CSRF token expiration checks. Accounts for differences
-     * between server and client clocks.
-     *
-     * @default {minutes: 5}
-     */
-    allowedClockSkew: Readonly<AnyDuration>;
     overrides: PartialWithUndefined<{
         localStorage: Pick<Storage, 'setItem' | 'removeItem' | 'getItem'>;
         csrfTokenStore: CsrfTokenStore;
@@ -79,7 +72,7 @@ export declare class FrontendAuthClient<AssumedUserParams extends JsonCompatible
      * interval).
      */
     destroy(): void;
-    /** Wraps {@link getCurrentCsrfToken} to automatically handle wiping an invalid CSRF token. */
+    /** Wraps {@link getCurrentCsrfToken} to retrieve the stored CSRF token string. */
     getCurrentCsrfToken(): Promise<string | undefined>;
     /**
      * Assume the given user. Pass `undefined` to wipe the currently assumed user.

package/dist/auth-client/frontend-auth.client.js

@@ -1,6 +1,6 @@
 import { HttpStatus, } from '@augment-vir/common';
 import { listenToActivity } from 'detect-activity';
-import { defaultAllowedClockSkew, extractCsrfTokenHeader, getCurrentCsrfToken, resolveCsrfHeaderName, storeCsrfToken, } from '../csrf-token.js';
+import { extractCsrfTokenHeader, getCurrentCsrfToken, resolveCsrfHeaderName, storeCsrfToken, } from '../csrf-token.js';
 import { AuthHeaderName } from '../headers.js';
 /**
  * An auth client for sending and validating client requests to a backend. This should only be used
@@ -41,17 +41,12 @@ export class FrontendAuthClient {
         this.userCheckInterval?.clearInterval();
         this.removeActivityListener?.();
     }
-    /** Wraps {@link getCurrentCsrfToken} to automatically handle wiping an invalid CSRF token. */
+    /** Wraps {@link getCurrentCsrfToken} to retrieve the stored CSRF token string. */
     async getCurrentCsrfToken() {
-        const csrfTokenResult = await getCurrentCsrfToken({
+        return await getCurrentCsrfToken({
             ...this.config.csrf,
             csrfTokenStore: this.config.overrides?.csrfTokenStore,
-            allowedClockSkew: this.config.allowedClockSkew || defaultAllowedClockSkew,
         });
-        if (csrfTokenResult.failure) {
-            return undefined;
-        }
-        return csrfTokenResult.csrfToken.token;
     }
     /**
      * Assume the given user. Pass `undefined` to wipe the currently assumed user.
@@ -125,9 +120,7 @@ export class FrontendAuthClient {
             await this.logout();
             throw new Error('Login response failed.');
         }
-        const { csrfToken } = extractCsrfTokenHeader(response, this.config.csrf, {
-            allowedClockSkew: this.config.allowedClockSkew || defaultAllowedClockSkew,
-        });
+        const csrfToken = extractCsrfTokenHeader(response, this.config.csrf);
         if (!csrfToken) {
             await this.logout();
             throw new Error('Did not receive any CSRF token.');
@@ -149,16 +142,6 @@ export class FrontendAuthClient {
             await this.logout();
             return false;
         }
-        /** If the response has a new CSRF token, store it. */
-        const { csrfToken } = extractCsrfTokenHeader(response, this.config.csrf, {
-            allowedClockSkew: this.config.allowedClockSkew || defaultAllowedClockSkew,
-        });
-        if (csrfToken) {
-            await storeCsrfToken(csrfToken, {
-                ...this.config.csrf,
-                csrfTokenStore: this.config.overrides?.csrfTokenStore,
-            });
-        }
         return true;
     }
 }

package/dist/auth.js

@@ -1,5 +1,5 @@
 import { AuthCookieName, clearAuthCookie, extractCookieJwt, generateAuthCookie, } from './cookie.js';
-import { extractCsrfTokenHeader, generateCsrfToken, parseCsrfToken, resolveCsrfHeaderName, storeCsrfToken, } from './csrf-token.js';
+import { extractCsrfTokenHeader, generateCsrfToken, resolveCsrfHeaderName, storeCsrfToken, } from './csrf-token.js';
 function readHeader(headers, headerName) {
     if (headers instanceof Headers) {
         return headers.get(headerName) || undefined;
@@ -18,12 +18,7 @@ function readHeader(headers, headerName) {
     }
 }
 function readCsrfTokenHeader(headers, csrfHeaderNameOption) {
-    const rawCsrfToken = readHeader(headers, resolveCsrfHeaderName(csrfHeaderNameOption));
-    if (!rawCsrfToken) {
-        return undefined;
-    }
-    const token = parseCsrfToken(rawCsrfToken).csrfToken?.token || rawCsrfToken;
-    return token;
+    return readHeader(headers, resolveCsrfHeaderName(csrfHeaderNameOption));
 }
 /**
  * Extract the user id from a request by checking both the request cookie and CSRF token. This is
@@ -101,19 +96,16 @@ userId, cookieConfig, csrfHeaderNameOption,
  * time will be used (for new sessions).
  */
 sessionStartedAt) {
-    const csrfToken = generateCsrfToken(cookieConfig.cookieDuration);
+    const csrfToken = generateCsrfToken();
     const csrfHeaderName = resolveCsrfHeaderName(csrfHeaderNameOption);
-    const { cookie, expiration } = await generateAuthCookie({
-        csrfToken: csrfToken.token,
+    const { cookie } = await generateAuthCookie({
+        csrfToken,
         userId,
         sessionStartedAt: sessionStartedAt ?? Date.now(),
     }, cookieConfig);
     return {
         'set-cookie': cookie,
-        [csrfHeaderName]: JSON.stringify({
-            token: csrfToken.token,
-            expiration,
-        }),
+        [csrfHeaderName]: csrfToken,
     };
 }
 /**
@@ -140,7 +132,7 @@ export async function handleAuthResponse(response, options) {
     if (!response.ok) {
         return;
     }
-    const { csrfToken } = extractCsrfTokenHeader(response, options);
+    const csrfToken = extractCsrfTokenHeader(response, options);
     if (!csrfToken) {
         throw new Error('Did not receive any CSRF token.');
     }

package/dist/csrf-token.d.ts

@@ -3,60 +3,19 @@ import { type AnyDuration } from 'date-vir';
 import { type RequireExactlyOne } from 'type-fest';
 import { type CsrfTokenStore } from './csrf-token-store.js';
 /**
- * Shape definition for {@link CsrfToken}.
- *
- * @category Internal
- */
-export declare const csrfTokenShape: import("object-shape-tester").Shape<{
-    token: string;
-    expiration: import("object-shape-tester").Shape<import("object-shape-tester").Shape<import("@sinclair/typebox").TUnsafe<{
-        hour: import("date-vir").Hour;
-        minute: import("date-vir").Minute;
-        second: import("date-vir").Minute;
-        millisecond: number;
-        timezone: "Africa/Abidjan" | "Africa/Accra" | "Africa/Addis_Ababa" | "Africa/Algiers" | "Africa/Asmara" | "Africa/Bamako" | "Africa/Bangui" | "Africa/Banjul" | "Africa/Bissau" | "Africa/Blantyre" | "Africa/Brazzaville" | "Africa/Bujumbura" | "Africa/Cairo" | "Africa/Casablanca" | "Africa/Ceuta" | "Africa/Conakry" | "Africa/Dakar" | "Africa/Dar_es_Salaam" | "Africa/Djibouti" | "Africa/Douala" | "Africa/El_Aaiun" | "Africa/Freetown" | "Africa/Gaborone" | "Africa/Harare" | "Africa/Johannesburg" | "Africa/Juba" | "Africa/Kampala" | "Africa/Khartoum" | "Africa/Kigali" | "Africa/Kinshasa" | "Africa/Lagos" | "Africa/Libreville" | "Africa/Lome" | "Africa/Luanda" | "Africa/Lubumbashi" | "Africa/Lusaka" | "Africa/Malabo" | "Africa/Maputo" | "Africa/Maseru" | "Africa/Mbabane" | "Africa/Mogadishu" | "Africa/Monrovia" | "Africa/Nairobi" | "Africa/Ndjamena" | "Africa/Niamey" | "Africa/Nouakchott" | "Africa/Ouagadougou" | "Africa/Porto-Novo" | "Africa/Sao_Tome" | "Africa/Timbuktu" | "Africa/Tripoli" | "Africa/Tunis" | "Africa/Windhoek" | "America/Adak" | "America/Anchorage" | "America/Anguilla" | "America/Antigua" | "America/Araguaina" | "America/Argentina/Buenos_Aires" | "America/Argentina/Catamarca" | "America/Argentina/ComodRivadavia" | "America/Argentina/Cordoba" | "America/Argentina/Jujuy" | "America/Argentina/La_Rioja" | "America/Argentina/Mendoza" | "America/Argentina/Rio_Gallegos" | "America/Argentina/Salta" | "America/Argentina/San_Juan" | "America/Argentina/San_Luis" | "America/Argentina/Tucuman" | "America/Argentina/Ushuaia" | "America/Aruba" | "America/Asuncion" | "America/Atikokan" | "America/Bahia" | "America/Bahia_Banderas" | "America/Barbados" | "America/Belem" | "America/Belize" | "America/Blanc-Sablon" | "America/Boa_Vista" | "America/Bogota" | "America/Boise" | "America/Cambridge_Bay" | "America/Campo_Grande" | "America/Cancun" | "America/Caracas" | "America/Cayenne" | "America/Cayman" | "America/Chicago" | "America/Chihuahua" | "America/Coral_Harbour" | "America/Costa_Rica" | "America/Creston" | "America/Cuiaba" | "America/Curacao" | "America/Danmarkshavn" | "America/Dawson" | "America/Dawson_Creek" | "America/Denver" | "America/Detroit" | "America/Dominica" | "America/Edmonton" | "America/Eirunepe" | "America/El_Salvador" | "America/Ensenada" | "America/Fort_Nelson" | "America/Fortaleza" | "America/Glace_Bay" | "America/Goose_Bay" | "America/Grand_Turk" | "America/Grenada" | "America/Guadeloupe" | "America/Guatemala" | "America/Guayaquil" | "America/Guyana" | "America/Halifax" | "America/Havana" | "America/Hermosillo" | "America/Indiana/Indianapolis" | "America/Indiana/Knox" | "America/Indiana/Marengo" | "America/Indiana/Petersburg" | "America/Indiana/Tell_City" | "America/Indiana/Vevay" | "America/Indiana/Vincennes" | "America/Indiana/Winamac" | "America/Inuvik" | "America/Iqaluit" | "America/Jamaica" | "America/Juneau" | "America/Kentucky/Louisville" | "America/Kentucky/Monticello" | "America/La_Paz" | "America/Lima" | "America/Los_Angeles" | "America/Maceio" | "America/Managua" | "America/Manaus" | "America/Martinique" | "America/Matamoros" | "America/Mazatlan" | "America/Menominee" | "America/Merida" | "America/Metlakatla" | "America/Mexico_City" | "America/Miquelon" | "America/Moncton" | "America/Monterrey" | "America/Montevideo" | "America/Montreal" | "America/Montserrat" | "America/Nassau" | "America/New_York" | "America/Nipigon" | "America/Nome" | "America/Noronha" | "America/North_Dakota/Beulah" | "America/North_Dakota/Center" | "America/North_Dakota/New_Salem" | "America/Nuuk" | "America/Ojinaga" | "America/Panama" | "America/Pangnirtung" | "America/Paramaribo" | "America/Phoenix" | "America/Port-au-Prince" | "America/Port_of_Spain" | "America/Porto_Velho" | "America/Puerto_Rico" | "America/Punta_Arenas" | "America/Rainy_River" | "America/Rankin_Inlet" | "America/Recife" | "America/Regina" | "America/Resolute" | "America/Rio_Branco" | "America/Rosario" | "America/Santarem" | "America/Santiago" | "America/Santo_Domingo" | "America/Sao_Paulo" | "America/Scoresbysund" | "America/Sitka" | "America/St_Johns" | "America/St_Kitts" | "America/St_Lucia" | "America/St_Thomas" | "America/St_Vincent" | "America/Swift_Current" | "America/Tegucigalpa" | "America/Thule" | "America/Thunder_Bay" | "America/Tijuana" | "America/Toronto" | "America/Tortola" | "America/Vancouver" | "America/Whitehorse" | "America/Winnipeg" | "America/Yakutat" | "America/Yellowknife" | "Antarctica/Casey" | "Antarctica/Davis" | "Antarctica/DumontDUrville" | "Antarctica/Macquarie" | "Antarctica/Mawson" | "Antarctica/McMurdo" | "Antarctica/Palmer" | "Antarctica/Rothera" | "Antarctica/Syowa" | "Antarctica/Troll" | "Antarctica/Vostok" | "Asia/Aden" | "Asia/Almaty" | "Asia/Amman" | "Asia/Anadyr" | "Asia/Aqtau" | "Asia/Aqtobe" | "Asia/Ashgabat" | "Asia/Atyrau" | "Asia/Baghdad" | "Asia/Bahrain" | "Asia/Baku" | "Asia/Bangkok" | "Asia/Barnaul" | "Asia/Beirut" | "Asia/Bishkek" | "Asia/Brunei" | "Asia/Chita" | "Asia/Choibalsan" | "Asia/Chongqing" | "Asia/Colombo" | "Asia/Damascus" | "Asia/Dhaka" | "Asia/Dili" | "Asia/Dubai" | "Asia/Dushanbe" | "Asia/Famagusta" | "Asia/Gaza" | "Asia/Harbin" | "Asia/Hebron" | "Asia/Ho_Chi_Minh" | "Asia/Hong_Kong" | "Asia/Hovd" | "Asia/Irkutsk" | "Asia/Jakarta" | "Asia/Jayapura" | "Asia/Jerusalem" | "Asia/Kabul" | "Asia/Kamchatka" | "Asia/Karachi" | "Asia/Kashgar" | "Asia/Kathmandu" | "Asia/Khandyga" | "Asia/Kolkata" | "Asia/Krasnoyarsk" | "Asia/Kuala_Lumpur" | "Asia/Kuching" | "Asia/Kuwait" | "Asia/Macau" | "Asia/Magadan" | "Asia/Makassar" | "Asia/Manila" | "Asia/Muscat" | "Asia/Nicosia" | "Asia/Novokuznetsk" | "Asia/Novosibirsk" | "Asia/Omsk" | "Asia/Oral" | "Asia/Phnom_Penh" | "Asia/Pontianak" | "Asia/Pyongyang" | "Asia/Qatar" | "Asia/Qostanay" | "Asia/Qyzylorda" | "Asia/Riyadh" | "Asia/Sakhalin" | "Asia/Samarkand" | "Asia/Seoul" | "Asia/Shanghai" | "Asia/Singapore" | "Asia/Srednekolymsk" | "Asia/Taipei" | "Asia/Tashkent" | "Asia/Tbilisi" | "Asia/Tehran" | "Asia/Tel_Aviv" | "Asia/Thimphu" | "Asia/Tokyo" | "Asia/Tomsk" | "Asia/Ulaanbaatar" | "Asia/Urumqi" | "Asia/Ust-Nera" | "Asia/Vientiane" | "Asia/Vladivostok" | "Asia/Yakutsk" | "Asia/Yangon" | "Asia/Yekaterinburg" | "Asia/Yerevan" | "Atlantic/Azores" | "Atlantic/Bermuda" | "Atlantic/Canary" | "Atlantic/Cape_Verde" | "Atlantic/Faroe" | "Atlantic/Jan_Mayen" | "Atlantic/Madeira" | "Atlantic/Reykjavik" | "Atlantic/South_Georgia" | "Atlantic/St_Helena" | "Atlantic/Stanley" | "Australia/Adelaide" | "Australia/Brisbane" | "Australia/Broken_Hill" | "Australia/Currie" | "Australia/Darwin" | "Australia/Eucla" | "Australia/Hobart" | "Australia/Lindeman" | "Australia/Lord_Howe" | "Australia/Melbourne" | "Australia/Perth" | "Australia/Sydney" | "CET" | "CST6CDT" | "EET" | "EST" | "EST5EDT" | "Etc/GMT+1" | "Etc/GMT+10" | "Etc/GMT+11" | "Etc/GMT+12" | "Etc/GMT+2" | "Etc/GMT+3" | "Etc/GMT+4" | "Etc/GMT+5" | "Etc/GMT+6" | "Etc/GMT+7" | "Etc/GMT+8" | "Etc/GMT+9" | "Etc/GMT-1" | "Etc/GMT-10" | "Etc/GMT-11" | "Etc/GMT-12" | "Etc/GMT-13" | "Etc/GMT-14" | "Etc/GMT-2" | "Etc/GMT-3" | "Etc/GMT-4" | "Etc/GMT-5" | "Etc/GMT-6" | "Etc/GMT-7" | "Etc/GMT-8" | "Etc/GMT-9" | "Europe/Amsterdam" | "Europe/Andorra" | "Europe/Astrakhan" | "Europe/Athens" | "Europe/Belfast" | "Europe/Belgrade" | "Europe/Berlin" | "Europe/Brussels" | "Europe/Bucharest" | "Europe/Budapest" | "Europe/Chisinau" | "Europe/Copenhagen" | "Europe/Dublin" | "Europe/Gibraltar" | "Europe/Guernsey" | "Europe/Helsinki" | "Europe/Isle_of_Man" | "Europe/Istanbul" | "Europe/Jersey" | "Europe/Kaliningrad" | "Europe/Kirov" | "Europe/Kyiv" | "Europe/Lisbon" | "Europe/Ljubljana" | "Europe/London" | "Europe/Luxembourg" | "Europe/Madrid" | "Europe/Malta" | "Europe/Minsk" | "Europe/Monaco" | "Europe/Moscow" | "Europe/Oslo" | "Europe/Paris" | "Europe/Prague" | "Europe/Riga" | "Europe/Rome" | "Europe/Samara" | "Europe/Sarajevo" | "Europe/Saratov" | "Europe/Simferopol" | "Europe/Skopje" | "Europe/Sofia" | "Europe/Stockholm" | "Europe/Tallinn" | "Europe/Tirane" | "Europe/Tiraspol" | "Europe/Ulyanovsk" | "Europe/Uzhgorod" | "Europe/Vaduz" | "Europe/Vienna" | "Europe/Vilnius" | "Europe/Volgograd" | "Europe/Warsaw" | "Europe/Zagreb" | "Europe/Zaporozhye" | "Europe/Zurich" | "HST" | "Indian/Antananarivo" | "Indian/Chagos" | "Indian/Christmas" | "Indian/Cocos" | "Indian/Comoro" | "Indian/Kerguelen" | "Indian/Mahe" | "Indian/Maldives" | "Indian/Mauritius" | "Indian/Mayotte" | "Indian/Reunion" | "MET" | "MST" | "MST7MDT" | "PST8PDT" | "Pacific/Apia" | "Pacific/Auckland" | "Pacific/Bougainville" | "Pacific/Chatham" | "Pacific/Chuuk" | "Pacific/Easter" | "Pacific/Efate" | "Pacific/Enderbury" | "Pacific/Fakaofo" | "Pacific/Fiji" | "Pacific/Funafuti" | "Pacific/Galapagos" | "Pacific/Gambier" | "Pacific/Guadalcanal" | "Pacific/Guam" | "Pacific/Honolulu" | "Pacific/Johnston" | "Pacific/Kanton" | "Pacific/Kiritimati" | "Pacific/Kosrae" | "Pacific/Kwajalein" | "Pacific/Majuro" | "Pacific/Marquesas" | "Pacific/Midway" | "Pacific/Nauru" | "Pacific/Niue" | "Pacific/Norfolk" | "Pacific/Noumea" | "Pacific/Pago_Pago" | "Pacific/Palau" | "Pacific/Pitcairn" | "Pacific/Pohnpei" | "Pacific/Port_Moresby" | "Pacific/Rarotonga" | "Pacific/Saipan" | "Pacific/Tahiti" | "Pacific/Tarawa" | "Pacific/Tongatapu" | "Pacific/Wake" | "Pacific/Wallis" | "UTC" | "WET";
-    } & {
-        year: number;
-        month: import("date-vir").MonthNumber;
-        day: import("date-vir").DayOfMonth;
-        timezone: "Africa/Abidjan" | "Africa/Accra" | "Africa/Addis_Ababa" | "Africa/Algiers" | "Africa/Asmara" | "Africa/Bamako" | "Africa/Bangui" | "Africa/Banjul" | "Africa/Bissau" | "Africa/Blantyre" | "Africa/Brazzaville" | "Africa/Bujumbura" | "Africa/Cairo" | "Africa/Casablanca" | "Africa/Ceuta" | "Africa/Conakry" | "Africa/Dakar" | "Africa/Dar_es_Salaam" | "Africa/Djibouti" | "Africa/Douala" | "Africa/El_Aaiun" | "Africa/Freetown" | "Africa/Gaborone" | "Africa/Harare" | "Africa/Johannesburg" | "Africa/Juba" | "Africa/Kampala" | "Africa/Khartoum" | "Africa/Kigali" | "Africa/Kinshasa" | "Africa/Lagos" | "Africa/Libreville" | "Africa/Lome" | "Africa/Luanda" | "Africa/Lubumbashi" | "Africa/Lusaka" | "Africa/Malabo" | "Africa/Maputo" | "Africa/Maseru" | "Africa/Mbabane" | "Africa/Mogadishu" | "Africa/Monrovia" | "Africa/Nairobi" | "Africa/Ndjamena" | "Africa/Niamey" | "Africa/Nouakchott" | "Africa/Ouagadougou" | "Africa/Porto-Novo" | "Africa/Sao_Tome" | "Africa/Timbuktu" | "Africa/Tripoli" | "Africa/Tunis" | "Africa/Windhoek" | "America/Adak" | "America/Anchorage" | "America/Anguilla" | "America/Antigua" | "America/Araguaina" | "America/Argentina/Buenos_Aires" | "America/Argentina/Catamarca" | "America/Argentina/ComodRivadavia" | "America/Argentina/Cordoba" | "America/Argentina/Jujuy" | "America/Argentina/La_Rioja" | "America/Argentina/Mendoza" | "America/Argentina/Rio_Gallegos" | "America/Argentina/Salta" | "America/Argentina/San_Juan" | "America/Argentina/San_Luis" | "America/Argentina/Tucuman" | "America/Argentina/Ushuaia" | "America/Aruba" | "America/Asuncion" | "America/Atikokan" | "America/Bahia" | "America/Bahia_Banderas" | "America/Barbados" | "America/Belem" | "America/Belize" | "America/Blanc-Sablon" | "America/Boa_Vista" | "America/Bogota" | "America/Boise" | "America/Cambridge_Bay" | "America/Campo_Grande" | "America/Cancun" | "America/Caracas" | "America/Cayenne" | "America/Cayman" | "America/Chicago" | "America/Chihuahua" | "America/Coral_Harbour" | "America/Costa_Rica" | "America/Creston" | "America/Cuiaba" | "America/Curacao" | "America/Danmarkshavn" | "America/Dawson" | "America/Dawson_Creek" | "America/Denver" | "America/Detroit" | "America/Dominica" | "America/Edmonton" | "America/Eirunepe" | "America/El_Salvador" | "America/Ensenada" | "America/Fort_Nelson" | "America/Fortaleza" | "America/Glace_Bay" | "America/Goose_Bay" | "America/Grand_Turk" | "America/Grenada" | "America/Guadeloupe" | "America/Guatemala" | "America/Guayaquil" | "America/Guyana" | "America/Halifax" | "America/Havana" | "America/Hermosillo" | "America/Indiana/Indianapolis" | "America/Indiana/Knox" | "America/Indiana/Marengo" | "America/Indiana/Petersburg" | "America/Indiana/Tell_City" | "America/Indiana/Vevay" | "America/Indiana/Vincennes" | "America/Indiana/Winamac" | "America/Inuvik" | "America/Iqaluit" | "America/Jamaica" | "America/Juneau" | "America/Kentucky/Louisville" | "America/Kentucky/Monticello" | "America/La_Paz" | "America/Lima" | "America/Los_Angeles" | "America/Maceio" | "America/Managua" | "America/Manaus" | "America/Martinique" | "America/Matamoros" | "America/Mazatlan" | "America/Menominee" | "America/Merida" | "America/Metlakatla" | "America/Mexico_City" | "America/Miquelon" | "America/Moncton" | "America/Monterrey" | "America/Montevideo" | "America/Montreal" | "America/Montserrat" | "America/Nassau" | "America/New_York" | "America/Nipigon" | "America/Nome" | "America/Noronha" | "America/North_Dakota/Beulah" | "America/North_Dakota/Center" | "America/North_Dakota/New_Salem" | "America/Nuuk" | "America/Ojinaga" | "America/Panama" | "America/Pangnirtung" | "America/Paramaribo" | "America/Phoenix" | "America/Port-au-Prince" | "America/Port_of_Spain" | "America/Porto_Velho" | "America/Puerto_Rico" | "America/Punta_Arenas" | "America/Rainy_River" | "America/Rankin_Inlet" | "America/Recife" | "America/Regina" | "America/Resolute" | "America/Rio_Branco" | "America/Rosario" | "America/Santarem" | "America/Santiago" | "America/Santo_Domingo" | "America/Sao_Paulo" | "America/Scoresbysund" | "America/Sitka" | "America/St_Johns" | "America/St_Kitts" | "America/St_Lucia" | "America/St_Thomas" | "America/St_Vincent" | "America/Swift_Current" | "America/Tegucigalpa" | "America/Thule" | "America/Thunder_Bay" | "America/Tijuana" | "America/Toronto" | "America/Tortola" | "America/Vancouver" | "America/Whitehorse" | "America/Winnipeg" | "America/Yakutat" | "America/Yellowknife" | "Antarctica/Casey" | "Antarctica/Davis" | "Antarctica/DumontDUrville" | "Antarctica/Macquarie" | "Antarctica/Mawson" | "Antarctica/McMurdo" | "Antarctica/Palmer" | "Antarctica/Rothera" | "Antarctica/Syowa" | "Antarctica/Troll" | "Antarctica/Vostok" | "Asia/Aden" | "Asia/Almaty" | "Asia/Amman" | "Asia/Anadyr" | "Asia/Aqtau" | "Asia/Aqtobe" | "Asia/Ashgabat" | "Asia/Atyrau" | "Asia/Baghdad" | "Asia/Bahrain" | "Asia/Baku" | "Asia/Bangkok" | "Asia/Barnaul" | "Asia/Beirut" | "Asia/Bishkek" | "Asia/Brunei" | "Asia/Chita" | "Asia/Choibalsan" | "Asia/Chongqing" | "Asia/Colombo" | "Asia/Damascus" | "Asia/Dhaka" | "Asia/Dili" | "Asia/Dubai" | "Asia/Dushanbe" | "Asia/Famagusta" | "Asia/Gaza" | "Asia/Harbin" | "Asia/Hebron" | "Asia/Ho_Chi_Minh" | "Asia/Hong_Kong" | "Asia/Hovd" | "Asia/Irkutsk" | "Asia/Jakarta" | "Asia/Jayapura" | "Asia/Jerusalem" | "Asia/Kabul" | "Asia/Kamchatka" | "Asia/Karachi" | "Asia/Kashgar" | "Asia/Kathmandu" | "Asia/Khandyga" | "Asia/Kolkata" | "Asia/Krasnoyarsk" | "Asia/Kuala_Lumpur" | "Asia/Kuching" | "Asia/Kuwait" | "Asia/Macau" | "Asia/Magadan" | "Asia/Makassar" | "Asia/Manila" | "Asia/Muscat" | "Asia/Nicosia" | "Asia/Novokuznetsk" | "Asia/Novosibirsk" | "Asia/Omsk" | "Asia/Oral" | "Asia/Phnom_Penh" | "Asia/Pontianak" | "Asia/Pyongyang" | "Asia/Qatar" | "Asia/Qostanay" | "Asia/Qyzylorda" | "Asia/Riyadh" | "Asia/Sakhalin" | "Asia/Samarkand" | "Asia/Seoul" | "Asia/Shanghai" | "Asia/Singapore" | "Asia/Srednekolymsk" | "Asia/Taipei" | "Asia/Tashkent" | "Asia/Tbilisi" | "Asia/Tehran" | "Asia/Tel_Aviv" | "Asia/Thimphu" | "Asia/Tokyo" | "Asia/Tomsk" | "Asia/Ulaanbaatar" | "Asia/Urumqi" | "Asia/Ust-Nera" | "Asia/Vientiane" | "Asia/Vladivostok" | "Asia/Yakutsk" | "Asia/Yangon" | "Asia/Yekaterinburg" | "Asia/Yerevan" | "Atlantic/Azores" | "Atlantic/Bermuda" | "Atlantic/Canary" | "Atlantic/Cape_Verde" | "Atlantic/Faroe" | "Atlantic/Jan_Mayen" | "Atlantic/Madeira" | "Atlantic/Reykjavik" | "Atlantic/South_Georgia" | "Atlantic/St_Helena" | "Atlantic/Stanley" | "Australia/Adelaide" | "Australia/Brisbane" | "Australia/Broken_Hill" | "Australia/Currie" | "Australia/Darwin" | "Australia/Eucla" | "Australia/Hobart" | "Australia/Lindeman" | "Australia/Lord_Howe" | "Australia/Melbourne" | "Australia/Perth" | "Australia/Sydney" | "CET" | "CST6CDT" | "EET" | "EST" | "EST5EDT" | "Etc/GMT+1" | "Etc/GMT+10" | "Etc/GMT+11" | "Etc/GMT+12" | "Etc/GMT+2" | "Etc/GMT+3" | "Etc/GMT+4" | "Etc/GMT+5" | "Etc/GMT+6" | "Etc/GMT+7" | "Etc/GMT+8" | "Etc/GMT+9" | "Etc/GMT-1" | "Etc/GMT-10" | "Etc/GMT-11" | "Etc/GMT-12" | "Etc/GMT-13" | "Etc/GMT-14" | "Etc/GMT-2" | "Etc/GMT-3" | "Etc/GMT-4" | "Etc/GMT-5" | "Etc/GMT-6" | "Etc/GMT-7" | "Etc/GMT-8" | "Etc/GMT-9" | "Europe/Amsterdam" | "Europe/Andorra" | "Europe/Astrakhan" | "Europe/Athens" | "Europe/Belfast" | "Europe/Belgrade" | "Europe/Berlin" | "Europe/Brussels" | "Europe/Bucharest" | "Europe/Budapest" | "Europe/Chisinau" | "Europe/Copenhagen" | "Europe/Dublin" | "Europe/Gibraltar" | "Europe/Guernsey" | "Europe/Helsinki" | "Europe/Isle_of_Man" | "Europe/Istanbul" | "Europe/Jersey" | "Europe/Kaliningrad" | "Europe/Kirov" | "Europe/Kyiv" | "Europe/Lisbon" | "Europe/Ljubljana" | "Europe/London" | "Europe/Luxembourg" | "Europe/Madrid" | "Europe/Malta" | "Europe/Minsk" | "Europe/Monaco" | "Europe/Moscow" | "Europe/Oslo" | "Europe/Paris" | "Europe/Prague" | "Europe/Riga" | "Europe/Rome" | "Europe/Samara" | "Europe/Sarajevo" | "Europe/Saratov" | "Europe/Simferopol" | "Europe/Skopje" | "Europe/Sofia" | "Europe/Stockholm" | "Europe/Tallinn" | "Europe/Tirane" | "Europe/Tiraspol" | "Europe/Ulyanovsk" | "Europe/Uzhgorod" | "Europe/Vaduz" | "Europe/Vienna" | "Europe/Vilnius" | "Europe/Volgograd" | "Europe/Warsaw" | "Europe/Zagreb" | "Europe/Zaporozhye" | "Europe/Zurich" | "HST" | "Indian/Antananarivo" | "Indian/Chagos" | "Indian/Christmas" | "Indian/Cocos" | "Indian/Comoro" | "Indian/Kerguelen" | "Indian/Mahe" | "Indian/Maldives" | "Indian/Mauritius" | "Indian/Mayotte" | "Indian/Reunion" | "MET" | "MST" | "MST7MDT" | "PST8PDT" | "Pacific/Apia" | "Pacific/Auckland" | "Pacific/Bougainville" | "Pacific/Chatham" | "Pacific/Chuuk" | "Pacific/Easter" | "Pacific/Efate" | "Pacific/Enderbury" | "Pacific/Fakaofo" | "Pacific/Fiji" | "Pacific/Funafuti" | "Pacific/Galapagos" | "Pacific/Gambier" | "Pacific/Guadalcanal" | "Pacific/Guam" | "Pacific/Honolulu" | "Pacific/Johnston" | "Pacific/Kanton" | "Pacific/Kiritimati" | "Pacific/Kosrae" | "Pacific/Kwajalein" | "Pacific/Majuro" | "Pacific/Marquesas" | "Pacific/Midway" | "Pacific/Nauru" | "Pacific/Niue" | "Pacific/Norfolk" | "Pacific/Noumea" | "Pacific/Pago_Pago" | "Pacific/Palau" | "Pacific/Pitcairn" | "Pacific/Pohnpei" | "Pacific/Port_Moresby" | "Pacific/Rarotonga" | "Pacific/Saipan" | "Pacific/Tahiti" | "Pacific/Tarawa" | "Pacific/Tongatapu" | "Pacific/Wake" | "Pacific/Wallis" | "UTC" | "WET";
-    }>>>;
-}>;
-/**
- * A cryptographically CSRF token with expiration date.
- *
- * @category Internal
- */
-export type CsrfToken = typeof csrfTokenShape.runtimeType;
-/**
- * Default allowed clock skew for CSRF token expiration checks. Accounts for differences between
- * server and client clocks when checking token expiration.
+ * Default allowed clock skew for JWT expiration checks. Accounts for differences between server and
+ * client clocks.
  *
  * @category Internal
  * @default {minutes: 5}
  */
 export declare const defaultAllowedClockSkew: Readonly<AnyDuration>;
 /**
- * Generates a random, cryptographically secure CSRF token.
- *
- * @category Internal
- */
-export declare function generateCsrfToken(
-/** How long the CSRF token is valid for. */
-duration: Readonly<AnyDuration>): CsrfToken;
-/**
- * CSRF token failure reasons for {@link GetCsrfTokenResult}.
+ * Generates a random, cryptographically secure CSRF token string.
  *
  * @category Internal
  */
-export declare enum CsrfTokenFailureReason {
-    /** No CSRF token was found. */
-    DoesNotExist = "does-not-exist",
-    /** A CSRF token was found but parsing it failed. */
-    ParseFailed = "parse-failed",
-    /** A CSRF token was found and parsed but is expired. */
-    Expired = "expired"
-}
+export declare function generateCsrfToken(): string;
 /**
  * Options for specifying the CSRF token header name.
  *
@@ -76,15 +35,6 @@ export type CsrfHeaderNameOption = RequireExactlyOne<{
  * @category Auth : Host
  */
 export declare function resolveCsrfHeaderName(option: Readonly<CsrfHeaderNameOption>): string;
-/**
- * Output from {@link getCurrentCsrfToken}.
- *
- * @category Internal
- */
-export type GetCsrfTokenResult = RequireExactlyOne<{
-    csrfToken: Readonly<CsrfToken>;
-    failure: CsrfTokenFailureReason;
-}>;
 /**
  * Extract the CSRF token header from a response.
  *
@@ -92,20 +42,13 @@ export type GetCsrfTokenResult = RequireExactlyOne<{
  */
 export declare function extractCsrfTokenHeader(response: Readonly<PartialWithUndefined<SelectFrom<Response, {
     headers: true;
-}>>>, csrfHeaderNameOption: Readonly<CsrfHeaderNameOption>, options?: PartialWithUndefined<{
-    /**
-     * Allowed clock skew tolerance for CSRF token expiration checks.
-     *
-     * @default {minutes: 5}
-     */
-    allowedClockSkew: Readonly<AnyDuration>;
-}>): Readonly<GetCsrfTokenResult>;
+}>>>, csrfHeaderNameOption: Readonly<CsrfHeaderNameOption>): string | undefined;
 /**
  * Stores the given CSRF token into IndexedDB.
  *
  * @category Auth : Client
  */
-export declare function storeCsrfToken(csrfToken: Readonly<CsrfToken>, options: Readonly<CsrfHeaderNameOption> & PartialWithUndefined<{
+export declare function storeCsrfToken(csrfToken: string, options: Readonly<CsrfHeaderNameOption> & PartialWithUndefined<{
     /**
      * Allows mocking or overriding the default CSRF token store.
      *
@@ -113,20 +56,6 @@ export declare function storeCsrfToken(csrfToken: Readonly<CsrfToken>, options:
      */
     csrfTokenStore: CsrfTokenStore;
 }>): Promise<void>;
-/**
- * Parse a raw CSRF token JSON string.
- *
- * @category Internal
- */
-export declare function parseCsrfToken(value: string | undefined | null, options?: PartialWithUndefined<{
-    /**
-     * Allowed clock skew tolerance for CSRF token expiration checks. Accounts for differences
-     * between server and client clocks.
-     *
-     * @default {minutes: 5}
-     */
-    allowedClockSkew: Readonly<AnyDuration>;
-}>): Readonly<GetCsrfTokenResult>;
 /**
  * Used in client (frontend) code to retrieve the current CSRF token in order to send it with
  * requests to the host (backend).
@@ -140,13 +69,7 @@ export declare function getCurrentCsrfToken(options: Readonly<CsrfHeaderNameOpti
      * @default getDefaultCsrfTokenStore()
      */
     csrfTokenStore: CsrfTokenStore;
-    /**
-     * Allowed clock skew tolerance for CSRF token expiration checks.
-     *
-     * @default {minutes: 5}
-     */
-    allowedClockSkew: Readonly<AnyDuration>;
-}>): Promise<Readonly<GetCsrfTokenResult>>;
+}>): Promise<string | undefined>;
 /**
  * Wipes the current stored CSRF token. This should be used by client (frontend) code to react to a
  * session timeout.

package/dist/csrf-token.js

@@ -1,19 +1,8 @@
-import { randomString, wrapInTry, } from '@augment-vir/common';
-import { calculateRelativeDate, fullDateShape, getNowInUtcTimezone, isDateAfter, } from 'date-vir';
-import { defineShape, parseJsonWithShape } from 'object-shape-tester';
+import { randomString } from '@augment-vir/common';
 import { getDefaultCsrfTokenStore } from './csrf-token-store.js';
 /**
- * Shape definition for {@link CsrfToken}.
- *
- * @category Internal
- */
-export const csrfTokenShape = defineShape({
-    token: '',
-    expiration: fullDateShape,
-});
-/**
- * Default allowed clock skew for CSRF token expiration checks. Accounts for differences between
- * server and client clocks when checking token expiration.
+ * Default allowed clock skew for JWT expiration checks. Accounts for differences between server and
+ * client clocks.
  *
  * @category Internal
  * @default {minutes: 5}
@@ -22,32 +11,13 @@ export const defaultAllowedClockSkew = {
     minutes: 5,
 };
 /**
- * Generates a random, cryptographically secure CSRF token.
+ * Generates a random, cryptographically secure CSRF token string.
  *
  * @category Internal
  */
-export function generateCsrfToken(
-/** How long the CSRF token is valid for. */
-duration) {
-    return {
-        token: randomString(256),
-        expiration: calculateRelativeDate(getNowInUtcTimezone(), duration),
-    };
+export function generateCsrfToken() {
+    return randomString(256);
 }
-/**
- * CSRF token failure reasons for {@link GetCsrfTokenResult}.
- *
- * @category Internal
- */
-export var CsrfTokenFailureReason;
-(function (CsrfTokenFailureReason) {
-    /** No CSRF token was found. */
-    CsrfTokenFailureReason["DoesNotExist"] = "does-not-exist";
-    /** A CSRF token was found but parsing it failed. */
-    CsrfTokenFailureReason["ParseFailed"] = "parse-failed";
-    /** A CSRF token was found and parsed but is expired. */
-    CsrfTokenFailureReason["Expired"] = "expired";
-})(CsrfTokenFailureReason || (CsrfTokenFailureReason = {}));
 /**
  * Resolves a {@link CsrfHeaderNameOption} to the actual header name string.
  *
@@ -71,10 +41,9 @@ export function resolveCsrfHeaderName(option) {
  *
  * @category Auth : Client
  */
-export function extractCsrfTokenHeader(response, csrfHeaderNameOption, options) {
+export function extractCsrfTokenHeader(response, csrfHeaderNameOption) {
     const csrfTokenHeaderName = resolveCsrfHeaderName(csrfHeaderNameOption);
-    const rawCsrfToken = response.headers?.get(csrfTokenHeaderName);
-    return parseCsrfToken(rawCsrfToken, options);
+    return response.headers?.get(csrfTokenHeaderName) || undefined;
 }
 /**
  * Stores the given CSRF token into IndexedDB.
@@ -82,42 +51,7 @@ export function extractCsrfTokenHeader(response, csrfHeaderNameOption, options)
  * @category Auth : Client
  */
 export async function storeCsrfToken(csrfToken, options) {
-    await (options.csrfTokenStore || (await getDefaultCsrfTokenStore())).setCsrfToken(JSON.stringify(csrfToken));
-}
-/**
- * Parse a raw CSRF token JSON string.
- *
- * @category Internal
- */
-export function parseCsrfToken(value, options) {
-    if (!value) {
-        return {
-            failure: CsrfTokenFailureReason.DoesNotExist,
-        };
-    }
-    const csrfToken = wrapInTry(() => parseJsonWithShape(value, csrfTokenShape, {
-        /** For forwards / backwards compatibility. */
-        allowExtraKeys: true,
-    }), {
-        fallbackValue: undefined,
-    });
-    if (!csrfToken) {
-        return {
-            failure: CsrfTokenFailureReason.ParseFailed,
-        };
-    }
-    const effectiveExpiration = calculateRelativeDate(csrfToken.expiration, options?.allowedClockSkew || defaultAllowedClockSkew);
-    if (isDateAfter({
-        fullDate: getNowInUtcTimezone(),
-        relativeTo: effectiveExpiration,
-    })) {
-        return {
-            failure: CsrfTokenFailureReason.Expired,
-        };
-    }
-    return {
-        csrfToken,
-    };
+    await (options.csrfTokenStore || (await getDefaultCsrfTokenStore())).setCsrfToken(csrfToken);
 }
 /**
  * Used in client (frontend) code to retrieve the current CSRF token in order to send it with
@@ -126,9 +60,8 @@ export function parseCsrfToken(value, options) {
  * @category Auth : Client
  */
 export async function getCurrentCsrfToken(options) {
-    const rawCsrfToken = (await (options.csrfTokenStore || (await getDefaultCsrfTokenStore())).getCsrfToken()) ||
-        undefined;
-    return parseCsrfToken(rawCsrfToken, options);
+    return ((await (options.csrfTokenStore || (await getDefaultCsrfTokenStore())).getCsrfToken()) ||
+        undefined);
 }
 /**
  * Wipes the current stored CSRF token. This should be used by client (frontend) code to react to a

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "auth-vir",
-    "version": "3.1.1",
+    "version": "4.0.0",
     "description": "Auth made easy and secure via JWT cookies, CSRF tokens, and password hashing helpers.",
     "keywords": [
         "auth",

package/src/auth-client/backend-auth.client.ts

@@ -380,7 +380,7 @@ export class BackendAuthClient<
             });
 
             const csrfHeaderName = resolveCsrfHeaderName(this.config.csrf);
-            const {cookie, expiration} = await generateAuthCookie(
+            const {cookie} = await generateAuthCookie(
                 {
                     csrfToken: userIdResult.csrfToken,
                     userId: userIdResult.userId,
@@ -391,10 +391,7 @@ export class BackendAuthClient<
 
             return {
                 'set-cookie': cookie,
-                [csrfHeaderName]: JSON.stringify({
-                    token: userIdResult.csrfToken,
-                    expiration,
-                }),
+                [csrfHeaderName]: userIdResult.csrfToken,
             };
         } else {
             this.logForUser(

package/src/auth-client/frontend-auth.client.ts

@@ -12,7 +12,6 @@ import {type EmptyObject} from 'type-fest';
 import {type CsrfTokenStore} from '../csrf-token-store.js';
 import {
     type CsrfHeaderNameOption,
-    defaultAllowedClockSkew,
     extractCsrfTokenHeader,
     getCurrentCsrfToken,
     resolveCsrfHeaderName,
@@ -74,13 +73,6 @@ export type FrontendAuthClientConfig = Readonly<{
          * another user.
          */
         assumedUserHeaderName: string;
-        /**
-         * Allowed clock skew tolerance for CSRF token expiration checks. Accounts for differences
-         * between server and client clocks.
-         *
-         * @default {minutes: 5}
-         */
-        allowedClockSkew: Readonly<AnyDuration>;
 
         overrides: PartialWithUndefined<{
             localStorage: Pick<Storage, 'setItem' | 'removeItem' | 'getItem'>;
@@ -129,19 +121,12 @@ export class FrontendAuthClient<AssumedUserParams extends JsonCompatibleObject =
         this.removeActivityListener?.();
     }
 
-    /** Wraps {@link getCurrentCsrfToken} to automatically handle wiping an invalid CSRF token. */
+    /** Wraps {@link getCurrentCsrfToken} to retrieve the stored CSRF token string. */
     public async getCurrentCsrfToken(): Promise<string | undefined> {
-        const csrfTokenResult = await getCurrentCsrfToken({
+        return await getCurrentCsrfToken({
             ...this.config.csrf,
             csrfTokenStore: this.config.overrides?.csrfTokenStore,
-            allowedClockSkew: this.config.allowedClockSkew || defaultAllowedClockSkew,
         });
-
-        if (csrfTokenResult.failure) {
-            return undefined;
-        }
-
-        return csrfTokenResult.csrfToken.token;
     }
 
     /**
@@ -240,9 +225,7 @@ export class FrontendAuthClient<AssumedUserParams extends JsonCompatibleObject =
             throw new Error('Login response failed.');
         }
 
-        const {csrfToken} = extractCsrfTokenHeader(response, this.config.csrf, {
-            allowedClockSkew: this.config.allowedClockSkew || defaultAllowedClockSkew,
-        });
+        const csrfToken = extractCsrfTokenHeader(response, this.config.csrf);
 
         if (!csrfToken) {
             await this.logout();
@@ -282,17 +265,6 @@ export class FrontendAuthClient<AssumedUserParams extends JsonCompatibleObject =
             return false;
         }
 
-        /** If the response has a new CSRF token, store it. */
-        const {csrfToken} = extractCsrfTokenHeader(response, this.config.csrf, {
-            allowedClockSkew: this.config.allowedClockSkew || defaultAllowedClockSkew,
-        });
-        if (csrfToken) {
-            await storeCsrfToken(csrfToken, {
-                ...this.config.csrf,
-                csrfTokenStore: this.config.overrides?.csrfTokenStore,
-            });
-        }
-
         return true;
     }
 }

package/src/auth.ts

@@ -12,7 +12,6 @@ import {
     type CsrfHeaderNameOption,
     extractCsrfTokenHeader,
     generateCsrfToken,
-    parseCsrfToken,
     resolveCsrfHeaderName,
     storeCsrfToken,
 } from './csrf-token.js';
@@ -66,15 +65,7 @@ function readCsrfTokenHeader(
     headers: HeaderContainer,
     csrfHeaderNameOption: Readonly<CsrfHeaderNameOption>,
 ): string | undefined {
-    const rawCsrfToken = readHeader(headers, resolveCsrfHeaderName(csrfHeaderNameOption));
-
-    if (!rawCsrfToken) {
-        return undefined;
-    }
-
-    const token = parseCsrfToken(rawCsrfToken).csrfToken?.token || rawCsrfToken;
-
-    return token;
+    return readHeader(headers, resolveCsrfHeaderName(csrfHeaderNameOption));
 }
 
 /**
@@ -173,12 +164,12 @@ export async function generateSuccessfulLoginHeaders(
      */
     sessionStartedAt?: number | undefined,
 ): Promise<Record<string, string>> {
-    const csrfToken = generateCsrfToken(cookieConfig.cookieDuration);
+    const csrfToken = generateCsrfToken();
     const csrfHeaderName = resolveCsrfHeaderName(csrfHeaderNameOption);
 
-    const {cookie, expiration} = await generateAuthCookie(
+    const {cookie} = await generateAuthCookie(
         {
-            csrfToken: csrfToken.token,
+            csrfToken,
             userId,
             sessionStartedAt: sessionStartedAt ?? Date.now(),
         },
@@ -187,10 +178,7 @@ export async function generateSuccessfulLoginHeaders(
 
     return {
         'set-cookie': cookie,
-        [csrfHeaderName]: JSON.stringify({
-            token: csrfToken.token,
-            expiration,
-        }),
+        [csrfHeaderName]: csrfToken,
     };
 }
 
@@ -233,7 +221,7 @@ export async function handleAuthResponse(
         return;
     }
 
-    const {csrfToken} = extractCsrfTokenHeader(response, options);
+    const csrfToken = extractCsrfTokenHeader(response, options);
 
     if (!csrfToken) {
         throw new Error('Did not receive any CSRF token.');

package/src/csrf-token.ts

@@ -1,40 +1,11 @@
-import {
-    randomString,
-    wrapInTry,
-    type PartialWithUndefined,
-    type SelectFrom,
-} from '@augment-vir/common';
-import {
-    calculateRelativeDate,
-    fullDateShape,
-    getNowInUtcTimezone,
-    isDateAfter,
-    type AnyDuration,
-} from 'date-vir';
-import {defineShape, parseJsonWithShape} from 'object-shape-tester';
+import {randomString, type PartialWithUndefined, type SelectFrom} from '@augment-vir/common';
+import {type AnyDuration} from 'date-vir';
 import {type RequireExactlyOne} from 'type-fest';
 import {getDefaultCsrfTokenStore, type CsrfTokenStore} from './csrf-token-store.js';
 
 /**
- * Shape definition for {@link CsrfToken}.
- *
- * @category Internal
- */
-export const csrfTokenShape = defineShape({
-    token: '',
-    expiration: fullDateShape,
-});
-
-/**
- * A cryptographically CSRF token with expiration date.
- *
- * @category Internal
- */
-export type CsrfToken = typeof csrfTokenShape.runtimeType;
-
-/**
- * Default allowed clock skew for CSRF token expiration checks. Accounts for differences between
- * server and client clocks when checking token expiration.
+ * Default allowed clock skew for JWT expiration checks. Accounts for differences between server and
+ * client clocks.
  *
  * @category Internal
  * @default {minutes: 5}
@@ -44,32 +15,12 @@ export const defaultAllowedClockSkew: Readonly<AnyDuration> = {
 };
 
 /**
- * Generates a random, cryptographically secure CSRF token.
+ * Generates a random, cryptographically secure CSRF token string.
  *
  * @category Internal
  */
-export function generateCsrfToken(
-    /** How long the CSRF token is valid for. */
-    duration: Readonly<AnyDuration>,
-): CsrfToken {
-    return {
-        token: randomString(256),
-        expiration: calculateRelativeDate(getNowInUtcTimezone(), duration),
-    };
-}
-
-/**
- * CSRF token failure reasons for {@link GetCsrfTokenResult}.
- *
- * @category Internal
- */
-export enum CsrfTokenFailureReason {
-    /** No CSRF token was found. */
-    DoesNotExist = 'does-not-exist',
-    /** A CSRF token was found but parsing it failed. */
-    ParseFailed = 'parse-failed',
-    /** A CSRF token was found and parsed but is expired. */
-    Expired = 'expired',
+export function generateCsrfToken(): string {
+    return randomString(256);
 }
 
 /**
@@ -103,16 +54,6 @@ export function resolveCsrfHeaderName(option: Readonly<CsrfHeaderNameOption>): s
     }
 }
 
-/**
- * Output from {@link getCurrentCsrfToken}.
- *
- * @category Internal
- */
-export type GetCsrfTokenResult = RequireExactlyOne<{
-    csrfToken: Readonly<CsrfToken>;
-    failure: CsrfTokenFailureReason;
-}>;
-
 /**
  * Extract the CSRF token header from a response.
  *
@@ -121,20 +62,10 @@ export type GetCsrfTokenResult = RequireExactlyOne<{
 export function extractCsrfTokenHeader(
     response: Readonly<PartialWithUndefined<SelectFrom<Response, {headers: true}>>>,
     csrfHeaderNameOption: Readonly<CsrfHeaderNameOption>,
-    options?: PartialWithUndefined<{
-        /**
-         * Allowed clock skew tolerance for CSRF token expiration checks.
-         *
-         * @default {minutes: 5}
-         */
-        allowedClockSkew: Readonly<AnyDuration>;
-    }>,
-): Readonly<GetCsrfTokenResult> {
+): string | undefined {
     const csrfTokenHeaderName = resolveCsrfHeaderName(csrfHeaderNameOption);
 
-    const rawCsrfToken = response.headers?.get(csrfTokenHeaderName);
-
-    return parseCsrfToken(rawCsrfToken, options);
+    return response.headers?.get(csrfTokenHeaderName) || undefined;
 }
 
 /**
@@ -143,7 +74,7 @@ export function extractCsrfTokenHeader(
  * @category Auth : Client
  */
 export async function storeCsrfToken(
-    csrfToken: Readonly<CsrfToken>,
+    csrfToken: string,
     options: Readonly<CsrfHeaderNameOption> &
         PartialWithUndefined<{
             /**
@@ -154,70 +85,7 @@ export async function storeCsrfToken(
             csrfTokenStore: CsrfTokenStore;
         }>,
 ): Promise<void> {
-    await (options.csrfTokenStore || (await getDefaultCsrfTokenStore())).setCsrfToken(
-        JSON.stringify(csrfToken),
-    );
-}
-
-/**
- * Parse a raw CSRF token JSON string.
- *
- * @category Internal
- */
-export function parseCsrfToken(
-    value: string | undefined | null,
-    options?: PartialWithUndefined<{
-        /**
-         * Allowed clock skew tolerance for CSRF token expiration checks. Accounts for differences
-         * between server and client clocks.
-         *
-         * @default {minutes: 5}
-         */
-        allowedClockSkew: Readonly<AnyDuration>;
-    }>,
-): Readonly<GetCsrfTokenResult> {
-    if (!value) {
-        return {
-            failure: CsrfTokenFailureReason.DoesNotExist,
-        };
-    }
-
-    const csrfToken: CsrfToken | undefined = wrapInTry(
-        () =>
-            parseJsonWithShape(value, csrfTokenShape, {
-                /** For forwards / backwards compatibility. */
-                allowExtraKeys: true,
-            }),
-        {
-            fallbackValue: undefined,
-        },
-    );
-
-    if (!csrfToken) {
-        return {
-            failure: CsrfTokenFailureReason.ParseFailed,
-        };
-    }
-
-    const effectiveExpiration = calculateRelativeDate(
-        csrfToken.expiration,
-        options?.allowedClockSkew || defaultAllowedClockSkew,
-    );
-
-    if (
-        isDateAfter({
-            fullDate: getNowInUtcTimezone(),
-            relativeTo: effectiveExpiration,
-        })
-    ) {
-        return {
-            failure: CsrfTokenFailureReason.Expired,
-        };
-    }
-
-    return {
-        csrfToken,
-    };
+    await (options.csrfTokenStore || (await getDefaultCsrfTokenStore())).setCsrfToken(csrfToken);
 }
 
 /**
@@ -235,19 +103,12 @@ export async function getCurrentCsrfToken(
              * @default getDefaultCsrfTokenStore()
              */
             csrfTokenStore: CsrfTokenStore;
-            /**
-             * Allowed clock skew tolerance for CSRF token expiration checks.
-             *
-             * @default {minutes: 5}
-             */
-            allowedClockSkew: Readonly<AnyDuration>;
         }>,
-): Promise<Readonly<GetCsrfTokenResult>> {
-    const rawCsrfToken: string | undefined =
+): Promise<string | undefined> {
+    return (
         (await (options.csrfTokenStore || (await getDefaultCsrfTokenStore())).getCsrfToken()) ||
-        undefined;
-
-    return parseCsrfToken(rawCsrfToken, options);
+        undefined
+    );
 }
 
 /**