auth-vir 4.0.0 → 5.0.1

package/dist/cookie.js

@@ -1,6 +1,6 @@
 import { check } from '@augment-vir/assert';
-import { escapeStringForRegExp, safeMatch } from '@augment-vir/common';
-import { calculateRelativeDate, convertDuration, getNowInUtcTimezone, } from 'date-vir';
+import { escapeStringForRegExp, safeMatch, } from '@augment-vir/common';
+import { convertDuration } from 'date-vir';
 import { parseUrl } from 'url-vir';
 import { createUserJwt, parseUserJwt } from './jwt/user-jwt.js';
 /**
@@ -8,34 +8,66 @@ import { createUserJwt, parseUserJwt } from './jwt/user-jwt.js';
  *
  * @category Internal
  */
-export var AuthCookieName;
-(function (AuthCookieName) {
+export var AuthCookie;
+(function (AuthCookie) {
     /** Used for a full user login auth. */
-    AuthCookieName["Auth"] = "auth";
+    AuthCookie["Auth"] = "auth";
     /** Use for a temporary "just signed up" auth. */
-    AuthCookieName["SignUp"] = "sign-up";
-})(AuthCookieName || (AuthCookieName = {}));
+    AuthCookie["SignUp"] = "sign-up";
+    /** Used for storing the CSRF token. Not `HttpOnly` so that frontend JS can read it. */
+    AuthCookie["Csrf"] = "auth-vir-csrf";
+})(AuthCookie || (AuthCookie = {}));
+function generateSetCookie({ name, value, httpOnly, cookieConfig, }) {
+    return generateCookie({
+        [name]: value,
+        Domain: parseUrl(cookieConfig.hostOrigin).hostname,
+        HttpOnly: httpOnly,
+        Path: '/',
+        SameSite: 'Strict',
+        'MAX-AGE': cookieConfig.cookieDuration
+            ? convertDuration(cookieConfig.cookieDuration, {
+                seconds: true,
+            }).seconds
+            : 0,
+        Secure: !cookieConfig.isDev,
+    });
+}
 /**
  * Generate a secure cookie that stores the user JWT data. Used in host (backend) code.
  *
  * @category Internal
  */
 export async function generateAuthCookie(userJwtData, cookieConfig) {
-    const expiration = calculateRelativeDate(getNowInUtcTimezone(), cookieConfig.cookieDuration);
-    return {
-        cookie: generateCookie({
-            [cookieConfig.cookieName || 'auth']: await createUserJwt(userJwtData, cookieConfig.jwtParams),
-            Domain: parseUrl(cookieConfig.hostOrigin).hostname,
-            HttpOnly: true,
-            Path: '/',
-            SameSite: 'Strict',
-            'MAX-AGE': convertDuration(cookieConfig.cookieDuration, {
-                seconds: true,
-            }).seconds,
-            Secure: !cookieConfig.isDev,
-        }),
-        expiration,
-    };
+    return generateSetCookie({
+        name: cookieConfig.authCookie || AuthCookie.Auth,
+        value: await createUserJwt(userJwtData, cookieConfig.jwtParams),
+        httpOnly: true,
+        cookieConfig,
+    });
+}
+/**
+ * Generate a CSRF token cookie. This cookie is intentionally not `HttpOnly` so that frontend
+ * JavaScript can read it and inject the value as a request header for double-submit verification.
+ *
+ * The CSRF cookie uses a fixed 400-day MAX-AGE rather than matching the auth cookie duration. 400
+ * days is the cross-browser safe maximum (Chrome caps cookie lifetimes at 400 days; other browsers
+ * accept it as-is). The CSRF token is only meaningful when paired with a valid JWT, so it doesn't
+ * need its own expiration management. It gets regenerated on every fresh login.
+ *
+ * @category Internal
+ */
+export function generateCsrfCookie(csrfToken, cookieConfig) {
+    return generateSetCookie({
+        name: AuthCookie.Csrf,
+        value: csrfToken,
+        httpOnly: false,
+        cookieConfig: {
+            ...cookieConfig,
+            cookieDuration: {
+                days: 400,
+            },
+        },
+    });
 }
 /**
  * Generate a cookie value that will clear the previous auth cookie. Use this when signing out.
@@ -43,14 +75,24 @@ export async function generateAuthCookie(userJwtData, cookieConfig) {
  * @category Internal
  */
 export function clearAuthCookie(cookieConfig) {
-    return generateCookie({
-        [cookieConfig.cookieName || 'auth']: 'redacted',
-        Domain: parseUrl(cookieConfig.hostOrigin).hostname,
-        HttpOnly: true,
-        Path: '/',
-        SameSite: 'Strict',
-        'MAX-AGE': 0,
-        Secure: !cookieConfig.isDev,
+    return generateSetCookie({
+        name: cookieConfig.authCookie || AuthCookie.Auth,
+        value: 'redacted',
+        httpOnly: true,
+        cookieConfig,
+    });
+}
+/**
+ * Generate a cookie value that will clear the CSRF token cookie. Use this when signing out.
+ *
+ * @category Internal
+ */
+export function clearCsrfCookie(cookieConfig) {
+    return generateSetCookie({
+        name: AuthCookie.Csrf,
+        value: 'redacted',
+        httpOnly: false,
+        cookieConfig,
     });
 }
 /**
@@ -83,7 +125,7 @@ export function generateCookie(params) {
  * @category Internal
  * @returns The extracted auth Cookie JWT data or `undefined` if no valid auth JWT data was found.
  */
-export async function extractCookieJwt(rawCookie, jwtParams, cookieName = AuthCookieName.Auth) {
+export async function extractCookieJwt(rawCookie, jwtParams, cookieName) {
     const cookieRegExp = new RegExp(`${escapeStringForRegExp(cookieName)}=[^;]+(?:;|$)`);
     const [cookieValue] = safeMatch(rawCookie, cookieRegExp);
     if (!cookieValue) {

package/dist/csrf-token.d.ts

@@ -1,15 +1,4 @@
-import { type PartialWithUndefined, type SelectFrom } from '@augment-vir/common';
-import { type AnyDuration } from 'date-vir';
 import { type RequireExactlyOne } from 'type-fest';
-import { type CsrfTokenStore } from './csrf-token-store.js';
-/**
- * Default allowed clock skew for JWT expiration checks. Accounts for differences between server and
- * client clocks.
- *
- * @category Internal
- * @default {minutes: 5}
- */
-export declare const defaultAllowedClockSkew: Readonly<AnyDuration>;
 /**
  * Generates a random, cryptographically secure CSRF token string.
  *
@@ -34,53 +23,11 @@ export type CsrfHeaderNameOption = RequireExactlyOne<{
  * @category Auth : Client
  * @category Auth : Host
  */
-export declare function resolveCsrfHeaderName(option: Readonly<CsrfHeaderNameOption>): string;
-/**
- * Extract the CSRF token header from a response.
- *
- * @category Auth : Client
- */
-export declare function extractCsrfTokenHeader(response: Readonly<PartialWithUndefined<SelectFrom<Response, {
-    headers: true;
-}>>>, csrfHeaderNameOption: Readonly<CsrfHeaderNameOption>): string | undefined;
-/**
- * Stores the given CSRF token into IndexedDB.
- *
- * @category Auth : Client
- */
-export declare function storeCsrfToken(csrfToken: string, options: Readonly<CsrfHeaderNameOption> & PartialWithUndefined<{
-    /**
-     * Allows mocking or overriding the default CSRF token store.
-     *
-     * @default getDefaultCsrfTokenStore()
-     */
-    csrfTokenStore: CsrfTokenStore;
-}>): Promise<void>;
-/**
- * Used in client (frontend) code to retrieve the current CSRF token in order to send it with
- * requests to the host (backend).
- *
- * @category Auth : Client
- */
-export declare function getCurrentCsrfToken(options: Readonly<CsrfHeaderNameOption> & PartialWithUndefined<{
-    /**
-     * Allows mocking or overriding the default CSRF token store.
-     *
-     * @default getDefaultCsrfTokenStore()
-     */
-    csrfTokenStore: CsrfTokenStore;
-}>): Promise<string | undefined>;
+export declare function resolveCsrfHeaderName(options: Readonly<CsrfHeaderNameOption>): string;
 /**
- * Wipes the current stored CSRF token. This should be used by client (frontend) code to react to a
- * session timeout.
+ * Used in client (frontend) code to retrieve the current CSRF token from the browser cookie in
+ * order to send it with requests to the host (backend).
  *
  * @category Auth : Client
  */
-export declare function wipeCurrentCsrfToken(options: Readonly<CsrfHeaderNameOption> & PartialWithUndefined<{
-    /**
-     * Allows mocking or overriding the default CSRF token store.
-     *
-     * @default getDefaultCsrfTokenStore()
-     */
-    csrfTokenStore: CsrfTokenStore;
-}>): Promise<void>;
+export declare function getCurrentCsrfToken(): string | undefined;

package/dist/csrf-token.js

@@ -1,15 +1,6 @@
-import { randomString } from '@augment-vir/common';
-import { getDefaultCsrfTokenStore } from './csrf-token-store.js';
-/**
- * Default allowed clock skew for JWT expiration checks. Accounts for differences between server and
- * client clocks.
- *
- * @category Internal
- * @default {minutes: 5}
- */
-export const defaultAllowedClockSkew = {
-    minutes: 5,
-};
+import { check } from '@augment-vir/assert';
+import { escapeStringForRegExp, randomString, safeMatch } from '@augment-vir/common';
+import { AuthCookie } from './cookie.js';
 /**
  * Generates a random, cryptographically secure CSRF token string.
  *
@@ -24,51 +15,28 @@ export function generateCsrfToken() {
  * @category Auth : Client
  * @category Auth : Host
  */
-export function resolveCsrfHeaderName(option) {
-    if ('csrfHeaderName' in option && option.csrfHeaderName) {
-        return option.csrfHeaderName;
+export function resolveCsrfHeaderName(options) {
+    if ('csrfHeaderName' in options && options.csrfHeaderName) {
+        return options.csrfHeaderName;
     }
     else {
         return [
-            option.csrfHeaderPrefix,
+            options.csrfHeaderPrefix,
             'auth-vir',
             'csrf-token',
-        ].join('-');
+        ]
+            .filter(check.isTruthy)
+            .join('-');
     }
 }
 /**
- * Extract the CSRF token header from a response.
- *
- * @category Auth : Client
- */
-export function extractCsrfTokenHeader(response, csrfHeaderNameOption) {
-    const csrfTokenHeaderName = resolveCsrfHeaderName(csrfHeaderNameOption);
-    return response.headers?.get(csrfTokenHeaderName) || undefined;
-}
-/**
- * Stores the given CSRF token into IndexedDB.
- *
- * @category Auth : Client
- */
-export async function storeCsrfToken(csrfToken, options) {
-    await (options.csrfTokenStore || (await getDefaultCsrfTokenStore())).setCsrfToken(csrfToken);
-}
-/**
- * Used in client (frontend) code to retrieve the current CSRF token in order to send it with
- * requests to the host (backend).
- *
- * @category Auth : Client
- */
-export async function getCurrentCsrfToken(options) {
-    return ((await (options.csrfTokenStore || (await getDefaultCsrfTokenStore())).getCsrfToken()) ||
-        undefined);
-}
-/**
- * Wipes the current stored CSRF token. This should be used by client (frontend) code to react to a
- * session timeout.
+ * Used in client (frontend) code to retrieve the current CSRF token from the browser cookie in
+ * order to send it with requests to the host (backend).
  *
  * @category Auth : Client
  */
-export async function wipeCurrentCsrfToken(options) {
-    await (options.csrfTokenStore || (await getDefaultCsrfTokenStore())).deleteCsrfToken();
+export function getCurrentCsrfToken() {
+    const cookieRegExp = new RegExp(`${escapeStringForRegExp(AuthCookie.Csrf)}=([^;]+)`);
+    const [, value,] = safeMatch(globalThis.document.cookie, cookieRegExp);
+    return value || undefined;
 }

package/dist/index.d.ts

@@ -3,11 +3,9 @@ export * from './auth-client/frontend-auth.client.js';
 export * from './auth-client/is-session-refresh-ready.js';
 export * from './auth.js';
 export * from './cookie.js';
-export * from './csrf-token-store.js';
 export * from './csrf-token.js';
 export * from './hash.js';
 export * from './headers.js';
 export * from './jwt/jwt-keys.js';
 export * from './jwt/jwt.js';
 export * from './jwt/user-jwt.js';
-export * from './mock-csrf-token-store.js';

package/dist/index.js

@@ -3,11 +3,9 @@ export * from './auth-client/frontend-auth.client.js';
 export * from './auth-client/is-session-refresh-ready.js';
 export * from './auth.js';
 export * from './cookie.js';
-export * from './csrf-token-store.js';
 export * from './csrf-token.js';
 export * from './hash.js';
 export * from './headers.js';
 export * from './jwt/jwt-keys.js';
 export * from './jwt/jwt.js';
 export * from './jwt/user-jwt.js';
-export * from './mock-csrf-token-store.js';

package/dist/jwt/jwt.d.ts

@@ -1,6 +1,14 @@
-import { type AnyObject, type PartialWithUndefined } from '@augment-vir/common';
+import { type AnyObject, type PartialWithUndefined, type SelectFrom } from '@augment-vir/common';
 import { type AnyDuration, type DateLike, type FullDate, type UtcTimezone } from 'date-vir';
 import { type JwtKeys } from './jwt-keys.js';
+/**
+ * Default allowed clock skew for JWT expiration checks. Accounts for differences between server and
+ * client clocks.
+ *
+ * @category Internal
+ * @default {minutes: 5}
+ */
+export declare const defaultAllowedClockSkew: Readonly<AnyDuration>;
 /**
  * Params for {@link createJwt}.
  *
@@ -85,7 +93,11 @@ data: JwtData, params: Readonly<CreateJwtParams>): Promise<string>;
  *
  * @category Internal
  */
-export type ParseJwtParams = Readonly<Pick<CreateJwtParams, 'issuer' | 'audience' | 'jwtKeys'>> & PartialWithUndefined<{
+export type ParseJwtParams = Readonly<SelectFrom<CreateJwtParams, {
+    issuer: true;
+    audience: true;
+    jwtKeys: true;
+}>> & PartialWithUndefined<{
     /**
      * Allowed clock skew tolerance for JWT expiration and timestamp checks. Accounts for
      * differences between server and client clocks.

package/dist/jwt/jwt.js

@@ -1,7 +1,6 @@
 import { assertWrap, check } from '@augment-vir/assert';
 import { calculateRelativeDate, convertDuration, createFullDateInUserTimezone, createUtcFullDate, getNowInUtcTimezone, toTimestamp, } from 'date-vir';
 import { EncryptJWT, jwtDecrypt, jwtVerify, SignJWT } from 'jose';
-import { defaultAllowedClockSkew } from '../csrf-token.js';
 const encryptionProtectedHeader = {
     alg: 'dir',
     enc: 'A256GCM',
@@ -9,6 +8,16 @@ const encryptionProtectedHeader = {
 const signingProtectedHeader = {
     alg: 'HS512',
 };
+/**
+ * Default allowed clock skew for JWT expiration checks. Accounts for differences between server and
+ * client clocks.
+ *
+ * @category Internal
+ * @default {minutes: 5}
+ */
+export const defaultAllowedClockSkew = {
+    minutes: 5,
+};
 /**
  * JWT uses seconds since the epoch per RFC 7519, whereas `toTimestamp` uses milliseconds.
  *

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "auth-vir",
-    "version": "4.0.0",
+    "version": "5.0.1",
     "description": "Auth made easy and secure via JWT cookies, CSRF tokens, and password hashing helpers.",
     "keywords": [
         "auth",
@@ -41,21 +41,20 @@
         "test:web": "virmator test web"
     },
     "dependencies": {
-        "@augment-vir/assert": "^31.68.1",
-        "@augment-vir/common": "^31.68.1",
+        "@augment-vir/assert": "^31.68.2",
+        "@augment-vir/common": "^31.68.2",
         "date-vir": "^8.2.1",
         "detect-activity": "^1.0.0",
         "hash-wasm": "^4.12.0",
         "jose": "^6.2.1",
-        "local-db-client": "^1.0.0",
         "object-shape-tester": "^6.11.0",
         "type-fest": "^5.4.4",
         "url-vir": "^2.1.7"
     },
     "devDependencies": {
-        "@augment-vir/test": "^31.68.1",
+        "@augment-vir/test": "^31.68.2",
         "@prisma/client": "^6.19.2",
-        "@types/node": "^25.3.3",
+        "@types/node": "^25.5.0",
         "@web/dev-server-esbuild": "^1.0.5",
         "@web/test-runner": "^0.20.2",
         "@web/test-runner-commands": "^0.9.0",

package/src/auth-client/backend-auth.client.ts

@@ -21,15 +21,11 @@ import {
     insecureExtractUserIdFromCookieAlone,
     type UserIdResult,
 } from '../auth.js';
-import {AuthCookieName, generateAuthCookie, type CookieParams} from '../cookie.js';
-import {
-    defaultAllowedClockSkew,
-    resolveCsrfHeaderName,
-    type CsrfHeaderNameOption,
-} from '../csrf-token.js';
+import {AuthCookie, generateAuthCookie, generateCsrfCookie, type CookieParams} from '../cookie.js';
+import {type CsrfHeaderNameOption} from '../csrf-token.js';
 import {AuthHeaderName, mergeHeaderValues} from '../headers.js';
 import {generateNewJwtKeys, parseJwtKeys, type JwtKeys, type RawJwtKeys} from '../jwt/jwt-keys.js';
-import {type CreateJwtParams, type ParseJwtParams} from '../jwt/jwt.js';
+import {defaultAllowedClockSkew, type CreateJwtParams, type ParseJwtParams} from '../jwt/jwt.js';
 import {isSessionRefreshReady} from './is-session-refresh-ready.js';
 
 /**
@@ -254,7 +250,7 @@ export class BackendAuthClient<
             hostOrigin: serviceOrigin || this.config.serviceOrigin,
             jwtParams: await this.getJwtParams(),
             isDev: this.config.isDev,
-            cookieName: isSignUpCookie ? AuthCookieName.SignUp : AuthCookieName.Auth,
+            authCookie: isSignUpCookie ? AuthCookie.SignUp : AuthCookie.Auth,
         };
     }
 
@@ -373,14 +369,13 @@ export class BackendAuthClient<
         });
 
         if (isRefreshReady) {
-            const isSignUpCookie = userIdResult.cookieName === AuthCookieName.SignUp;
+            const isSignUpCookie = userIdResult.cookieName === AuthCookie.SignUp;
             const cookieParams = await this.getCookieParams({
                 isSignUpCookie,
                 requestHeaders,
             });
 
-            const csrfHeaderName = resolveCsrfHeaderName(this.config.csrf);
-            const {cookie} = await generateAuthCookie(
+            const authCookie = await generateAuthCookie(
                 {
                     csrfToken: userIdResult.csrfToken,
                     userId: userIdResult.userId,
@@ -388,10 +383,13 @@ export class BackendAuthClient<
                 },
                 cookieParams,
             );
+            const csrfCookie = generateCsrfCookie(userIdResult.csrfToken, cookieParams);
 
             return {
-                'set-cookie': cookie,
-                [csrfHeaderName]: userIdResult.csrfToken,
+                'set-cookie': [
+                    authCookie,
+                    csrfCookie,
+                ],
             };
         } else {
             this.logForUser(
@@ -466,7 +464,7 @@ export class BackendAuthClient<
             requestHeaders,
             await this.getJwtParams(),
             this.config.csrf,
-            isSignUpCookie ? AuthCookieName.SignUp : AuthCookieName.Auth,
+            isSignUpCookie ? AuthCookie.SignUp : AuthCookie.Auth,
         );
         if (!userIdResult) {
             this.logForUser(
@@ -510,16 +508,31 @@ export class BackendAuthClient<
             user,
         });
 
-        const cookieRefreshHeaders =
-            (await this.createCookieRefreshHeaders({
-                userIdResult,
-                requestHeaders,
-            })) || {};
+        const cookieRefreshHeaders = allowUserAuthRefresh
+            ? await this.createCookieRefreshHeaders({
+                  userIdResult,
+                  requestHeaders,
+              })
+            : undefined;
+
+        /**
+         * Always include the CSRF cookie so it gets re-established if the browser clears it. When
+         * session refresh fires, its headers already include a CSRF cookie.
+         */
+        const csrfCookie = generateCsrfCookie(userIdResult.csrfToken, {
+            hostOrigin:
+                (await this.config.generateServiceOrigin?.({
+                    requestHeaders,
+                })) || this.config.serviceOrigin,
+            isDev: this.config.isDev,
+        });
 
         return {
             user: assumedUser || user,
             isAssumed: !!assumedUser,
-            responseHeaders: allowUserAuthRefresh ? cookieRefreshHeaders : {},
+            responseHeaders: {
+                'set-cookie': mergeHeaderValues(cookieRefreshHeaders?.['set-cookie'], csrfCookie),
+            },
         };
     }
 
@@ -604,8 +617,8 @@ export class BackendAuthClient<
         userId: UserId;
         cookieParams: Readonly<CookieParams>;
         existingUserIdResult: Readonly<UserIdResult<UserId>>;
-    }): Promise<Record<string, string>> {
-        const {cookie} = await generateAuthCookie(
+    }): Promise<Record<string, string | string[]>> {
+        const authCookie = await generateAuthCookie(
             {
                 csrfToken: existingUserIdResult.csrfToken,
                 userId,
@@ -614,8 +627,13 @@ export class BackendAuthClient<
             cookieParams,
         );
 
+        const csrfCookie = generateCsrfCookie(existingUserIdResult.csrfToken, cookieParams);
+
         return {
-            'set-cookie': cookie,
+            'set-cookie': [
+                authCookie,
+                csrfCookie,
+            ],
         };
     }
 
@@ -629,7 +647,7 @@ export class BackendAuthClient<
         requestHeaders: IncomingHttpHeaders;
         isSignUpCookie: boolean;
     }): Promise<OutgoingHttpHeaders> {
-        const oppositeCookieName = isSignUpCookie ? AuthCookieName.Auth : AuthCookieName.SignUp;
+        const oppositeCookieName = isSignUpCookie ? AuthCookie.Auth : AuthCookie.SignUp;
         const hasExistingOppositeCookie = requestHeaders.cookie?.includes(`${oppositeCookieName}=`);
 
         const discardOppositeCookieHeaders = hasExistingOppositeCookie
@@ -645,7 +663,7 @@ export class BackendAuthClient<
             requestHeaders,
             await this.getJwtParams(),
             this.config.csrf,
-            isSignUpCookie ? AuthCookieName.SignUp : AuthCookieName.Auth,
+            isSignUpCookie ? AuthCookie.SignUp : AuthCookie.Auth,
         );
 
         const cookieParams = await this.getCookieParams({
@@ -659,7 +677,7 @@ export class BackendAuthClient<
                   cookieParams,
                   existingUserIdResult,
               })
-            : await generateSuccessfulLoginHeaders(userId, cookieParams, this.config.csrf);
+            : await generateSuccessfulLoginHeaders(userId, cookieParams);
 
         return {
             ...newCookieHeaders,
@@ -738,7 +756,7 @@ export class BackendAuthClient<
         const userIdResult = await insecureExtractUserIdFromCookieAlone<UserId>(
             requestHeaders,
             await this.getJwtParams(),
-            AuthCookieName.Auth,
+            AuthCookie.Auth,
         );
 
         if (!userIdResult) {

package/src/auth-client/frontend-auth.client.ts

@@ -9,13 +9,10 @@ import {
 import {type AnyDuration} from 'date-vir';
 import {listenToActivity} from 'detect-activity';
 import {type EmptyObject} from 'type-fest';
-import {type CsrfTokenStore} from '../csrf-token-store.js';
 import {
     type CsrfHeaderNameOption,
-    extractCsrfTokenHeader,
     getCurrentCsrfToken,
     resolveCsrfHeaderName,
-    storeCsrfToken,
 } from '../csrf-token.js';
 import {AuthHeaderName} from '../headers.js';
 
@@ -75,8 +72,7 @@ export type FrontendAuthClientConfig = Readonly<{
         assumedUserHeaderName: string;
 
         overrides: PartialWithUndefined<{
-            localStorage: Pick<Storage, 'setItem' | 'removeItem' | 'getItem'>;
-            csrfTokenStore: CsrfTokenStore;
+            localStorage: SelectFrom<Storage, {setItem: true; removeItem: true; getItem: true}>;
         }>;
     }>;
 
@@ -121,14 +117,6 @@ export class FrontendAuthClient<AssumedUserParams extends JsonCompatibleObject =
         this.removeActivityListener?.();
     }
 
-    /** Wraps {@link getCurrentCsrfToken} to retrieve the stored CSRF token string. */
-    public async getCurrentCsrfToken(): Promise<string | undefined> {
-        return await getCurrentCsrfToken({
-            ...this.config.csrf,
-            csrfTokenStore: this.config.overrides?.csrfTokenStore,
-        });
-    }
-
     /**
      * Assume the given user. Pass `undefined` to wipe the currently assumed user.
      *
@@ -174,8 +162,8 @@ export class FrontendAuthClient<AssumedUserParams extends JsonCompatibleObject =
      * `@augment-vir/common`](https://electrovir.github.io/augment-vir/functions/mergeDeep.html) to
      * combine them with these.
      */
-    public async createAuthenticatedRequestInit(): Promise<RequestInit> {
-        const csrfToken = await this.getCurrentCsrfToken();
+    public createAuthenticatedRequestInit(): RequestInit {
+        const csrfToken = getCurrentCsrfToken();
 
         const assumedUser = this.getAssumedUser();
         const headers: HeadersInit = {
@@ -204,38 +192,18 @@ export class FrontendAuthClient<AssumedUserParams extends JsonCompatibleObject =
     }
 
     /**
-     * Use to handle a login response. Automatically stores the CSRF token.
+     * Use to handle a login response. The CSRF token cookie is automatically stored by the browser
+     * from the `Set-Cookie` response header.
      *
      * @throws Error if the login response failed.
-     * @throws Error if the login response has an invalid CSRF token.
      */
     public async handleLoginResponse(
-        response: Readonly<
-            SelectFrom<
-                Response,
-                {
-                    headers: true;
-                    ok: true;
-                }
-            >
-        >,
+        response: Readonly<SelectFrom<Response, {ok: true}>>,
     ): Promise<void> {
         if (!response.ok) {
             await this.logout();
             throw new Error('Login response failed.');
         }
-
-        const csrfToken = extractCsrfTokenHeader(response, this.config.csrf);
-
-        if (!csrfToken) {
-            await this.logout();
-            throw new Error('Did not receive any CSRF token.');
-        }
-
-        await storeCsrfToken(csrfToken, {
-            ...this.config.csrf,
-            csrfTokenStore: this.config.overrides?.csrfTokenStore,
-        });
     }
 
     /**