auth-vir 5.0.0 → 5.0.2

package/dist/auth-client/backend-auth.client.js

@@ -1,391 +0,0 @@
-import { ensureArray, } from '@augment-vir/common';
-import { calculateRelativeDate, createUtcFullDate, getNowInUtcTimezone, isDateAfter, } from 'date-vir';
-import { extractUserIdFromRequestHeaders, generateLogoutHeaders, generateSuccessfulLoginHeaders, insecureExtractUserIdFromCookieAlone, } from '../auth.js';
-import { AuthCookie, generateAuthCookie, generateCsrfCookie } from '../cookie.js';
-import { AuthHeaderName, mergeHeaderValues } from '../headers.js';
-import { parseJwtKeys } from '../jwt/jwt-keys.js';
-import { defaultAllowedClockSkew } from '../jwt/jwt.js';
-import { isSessionRefreshReady } from './is-session-refresh-ready.js';
-const defaultSessionIdleTimeout = {
-    minutes: 20,
-};
-const defaultSessionRefreshStartTime = {
-    minutes: 2,
-};
-const defaultMaxSessionDuration = {
-    days: 1.5,
-};
-/**
- * An auth client for creating and validating JWTs embedded in cookies. This should only be used in
- * a backend environment as it accesses native Node packages.
- *
- * @category Auth : Host
- * @category Clients
- */
-export class BackendAuthClient {
-    config;
-    cachedParsedJwtKeys = {};
-    constructor(config) {
-        this.config = config;
-    }
-    /** Conditionally logs a message if logging is enabled for the given user context. */
-    logForUser(params, message, extra) {
-        if (this.config.enableLogging?.(params)) {
-            const extraData = {
-                userId: params.userId,
-                ...extra,
-            };
-            if (this.config.log) {
-                this.config.log(message, extraData);
-            }
-            else {
-                console.info(`[auth-vir] ${message}`, extraData);
-            }
-        }
-    }
-    /** Get all the parameters used for cookie generation. */
-    async getCookieParams({ isSignUpCookie, requestHeaders, }) {
-        const serviceOrigin = requestHeaders
-            ? await this.config.generateServiceOrigin?.({
-                requestHeaders,
-            })
-            : undefined;
-        return {
-            cookieDuration: this.config.userSessionIdleTimeout || defaultSessionIdleTimeout,
-            hostOrigin: serviceOrigin || this.config.serviceOrigin,
-            jwtParams: await this.getJwtParams(),
-            isDev: this.config.isDev,
-            authCookie: isSignUpCookie ? AuthCookie.SignUp : AuthCookie.Auth,
-        };
-    }
-    /** Calls the provided `getUserFromDatabase` config. */
-    async getDatabaseUser({ isSignUpCookie, userId, assumingUser, requestHeaders, }) {
-        if (!userId) {
-            return undefined;
-        }
-        const authenticatedUser = await this.config.getUserFromDatabase({
-            assumingUser,
-            userId,
-            isSignUpCookie,
-            requestHeaders,
-        });
-        if (!authenticatedUser) {
-            this.logForUser({
-                user: undefined,
-                userId,
-                assumedUserParams: assumingUser,
-            }, 'getUserFromDatabase returned no user', {
-                isSignUpCookie,
-            });
-            return undefined;
-        }
-        return authenticatedUser;
-    }
-    /** Creates a `'cookie-set'` header to refresh the user's session cookie. */
-    async createCookieRefreshHeaders({ userIdResult, requestHeaders, }) {
-        const now = getNowInUtcTimezone();
-        const clockSkew = this.config.allowedClockSkew || defaultAllowedClockSkew;
-        /** Double check that the JWT hasn't already expired (with clock skew tolerance). */
-        const isExpiredAlready = isDateAfter({
-            fullDate: now,
-            relativeTo: calculateRelativeDate(userIdResult.jwtExpiration, clockSkew),
-        });
-        if (isExpiredAlready) {
-            this.logForUser({
-                user: undefined,
-                userId: userIdResult.userId,
-                assumedUserParams: undefined,
-            }, 'Session refresh denied: JWT already expired (even with clock skew tolerance)', {
-                jwtExpiration: userIdResult.jwtExpiration,
-                now: JSON.stringify(now),
-            });
-            return undefined;
-        }
-        /**
-         * Check if the session has exceeded the max session duration. If so, don't refresh the
-         * session and let it expire naturally.
-         */
-        const maxSessionDuration = this.config.maxSessionDuration || defaultMaxSessionDuration;
-        if (userIdResult.sessionStartedAt) {
-            const sessionStartDate = createUtcFullDate(userIdResult.sessionStartedAt);
-            const maxSessionEndDate = calculateRelativeDate(sessionStartDate, maxSessionDuration);
-            const isSessionExpired = isDateAfter({
-                fullDate: now,
-                relativeTo: maxSessionEndDate,
-            });
-            if (isSessionExpired) {
-                this.logForUser({
-                    user: undefined,
-                    userId: userIdResult.userId,
-                    assumedUserParams: undefined,
-                }, 'Session refresh denied: max session duration exceeded', {
-                    sessionStartedAt: userIdResult.sessionStartedAt,
-                    maxSessionEndDate: JSON.stringify(maxSessionEndDate),
-                    now: JSON.stringify(now),
-                });
-                return undefined;
-            }
-        }
-        const sessionRefreshStartTime = this.config.sessionRefreshStartTime || defaultSessionRefreshStartTime;
-        const isRefreshReady = isSessionRefreshReady({
-            now,
-            jwtIssuedAt: userIdResult.jwtIssuedAt,
-            sessionRefreshStartTime,
-        });
-        if (isRefreshReady) {
-            const isSignUpCookie = userIdResult.cookieName === AuthCookie.SignUp;
-            const cookieParams = await this.getCookieParams({
-                isSignUpCookie,
-                requestHeaders,
-            });
-            const authCookie = await generateAuthCookie({
-                csrfToken: userIdResult.csrfToken,
-                userId: userIdResult.userId,
-                sessionStartedAt: userIdResult.sessionStartedAt || Date.now(),
-            }, cookieParams);
-            const csrfCookie = generateCsrfCookie(userIdResult.csrfToken, cookieParams);
-            return {
-                'set-cookie': [
-                    authCookie,
-                    csrfCookie,
-                ],
-            };
-        }
-        else {
-            this.logForUser({
-                user: undefined,
-                userId: userIdResult.userId,
-                assumedUserParams: undefined,
-            }, 'Session refresh skipped: not yet ready for refresh', {
-                jwtIssuedAt: userIdResult.jwtIssuedAt,
-                sessionRefreshStartTime,
-            });
-            return undefined;
-        }
-    }
-    /** Reads the user's assumed user headers and, if configured, gets the assumed user. */
-    async getAssumedUser({ requestHeaders, user, }) {
-        if (!this.config.assumeUser || !(await this.config.assumeUser.canAssumeUser(user))) {
-            return undefined;
-        }
-        const assumedUserHeader = ensureArray(requestHeaders[this.config.assumedUserHeaderName || AuthHeaderName.AssumedUser])[0];
-        if (!assumedUserHeader) {
-            return undefined;
-        }
-        const parsedAssumedUserData = await this.config.assumeUser.parseAssumedUserHeaderValue(assumedUserHeader);
-        if (!parsedAssumedUserData || !parsedAssumedUserData.userId) {
-            return undefined;
-        }
-        const assumedUser = await this.getDatabaseUser({
-            isSignUpCookie: false,
-            userId: parsedAssumedUserData.userId,
-            assumingUser: parsedAssumedUserData.assumedUserParams,
-            requestHeaders,
-        });
-        return assumedUser;
-    }
-    /** Securely extract a user from their request headers. */
-    async getSecureUser({ requestHeaders, isSignUpCookie, allowUserAuthRefresh, }) {
-        const userIdResult = await extractUserIdFromRequestHeaders(requestHeaders, await this.getJwtParams(), this.config.csrf, isSignUpCookie ? AuthCookie.SignUp : AuthCookie.Auth);
-        if (!userIdResult) {
-            this.logForUser({
-                user: undefined,
-                userId: undefined,
-                assumedUserParams: undefined,
-            }, 'getSecureUser: failed to extract user ID from request headers (invalid JWT, missing cookie, or CSRF mismatch)', {
-                isSignUpCookie,
-            });
-            return undefined;
-        }
-        const user = await this.getDatabaseUser({
-            userId: userIdResult.userId,
-            assumingUser: undefined,
-            isSignUpCookie,
-            requestHeaders,
-        });
-        if (!user) {
-            this.logForUser({
-                user: undefined,
-                userId: userIdResult.userId,
-                assumedUserParams: undefined,
-            }, 'getSecureUser: user not found in database', {
-                isSignUpCookie,
-            });
-            return undefined;
-        }
-        const assumedUser = await this.getAssumedUser({
-            requestHeaders,
-            user,
-        });
-        const cookieRefreshHeaders = allowUserAuthRefresh
-            ? await this.createCookieRefreshHeaders({
-                userIdResult,
-                requestHeaders,
-            })
-            : undefined;
-        /**
-         * Always include the CSRF cookie so it gets re-established if the browser clears it. When
-         * session refresh fires, its headers already include a CSRF cookie.
-         */
-        const csrfCookie = generateCsrfCookie(userIdResult.csrfToken, {
-            hostOrigin: (await this.config.generateServiceOrigin?.({
-                requestHeaders,
-            })) || this.config.serviceOrigin,
-            isDev: this.config.isDev,
-        });
-        return {
-            user: assumedUser || user,
-            isAssumed: !!assumedUser,
-            responseHeaders: {
-                'set-cookie': mergeHeaderValues(cookieRefreshHeaders?.['set-cookie'], csrfCookie),
-            },
-        };
-    }
-    /**
-     * Get all the JWT params used when creating the auth cookie, in case you need them for
-     * something else too.
-     */
-    async getJwtParams() {
-        const rawJwtKeys = await this.config.getJwtKeys();
-        const cacheKey = JSON.stringify(rawJwtKeys);
-        const cachedParsedKeys = this.cachedParsedJwtKeys[cacheKey];
-        const parsedKeys = cachedParsedKeys || (await parseJwtKeys(rawJwtKeys));
-        if (!cachedParsedKeys) {
-            this.cachedParsedJwtKeys = {
-                [cacheKey]: parsedKeys,
-            };
-        }
-        return {
-            jwtKeys: parsedKeys,
-            audience: 'server-context',
-            issuer: 'server-auth',
-            jwtDuration: this.config.userSessionIdleTimeout || defaultSessionIdleTimeout,
-            allowedClockSkew: this.config.allowedClockSkew || defaultAllowedClockSkew,
-        };
-    }
-    /** Use these headers to log out the user. */
-    async createLogoutHeaders(params) {
-        const signUpCookieHeaders = params.allCookies || params.isSignUpCookie
-            ? generateLogoutHeaders(await this.getCookieParams({
-                isSignUpCookie: true,
-                requestHeaders: undefined,
-            }))
-            : undefined;
-        const authCookieHeaders = params.allCookies || !params.isSignUpCookie
-            ? generateLogoutHeaders(await this.getCookieParams({
-                isSignUpCookie: false,
-                requestHeaders: undefined,
-            }))
-            : undefined;
-        return {
-            'set-cookie': mergeHeaderValues(signUpCookieHeaders?.['set-cookie'], authCookieHeaders?.['set-cookie']),
-        };
-    }
-    /**
-     * Refreshes a login session by reissuing the auth cookie with the same CSRF token instead of
-     * generating a new one.
-     */
-    async refreshLoginHeaders({ userId, cookieParams, existingUserIdResult, }) {
-        const authCookie = await generateAuthCookie({
-            csrfToken: existingUserIdResult.csrfToken,
-            userId,
-            sessionStartedAt: existingUserIdResult.sessionStartedAt,
-        }, cookieParams);
-        const csrfCookie = generateCsrfCookie(existingUserIdResult.csrfToken, cookieParams);
-        return {
-            'set-cookie': [
-                authCookie,
-                csrfCookie,
-            ],
-        };
-    }
-    /** Use these headers to log a user in. */
-    async createLoginHeaders({ userId, requestHeaders, isSignUpCookie, }) {
-        const oppositeCookieName = isSignUpCookie ? AuthCookie.Auth : AuthCookie.SignUp;
-        const hasExistingOppositeCookie = requestHeaders.cookie?.includes(`${oppositeCookieName}=`);
-        const discardOppositeCookieHeaders = hasExistingOppositeCookie
-            ? generateLogoutHeaders(await this.getCookieParams({
-                isSignUpCookie: !isSignUpCookie,
-                requestHeaders,
-            }))
-            : undefined;
-        const existingUserIdResult = await extractUserIdFromRequestHeaders(requestHeaders, await this.getJwtParams(), this.config.csrf, isSignUpCookie ? AuthCookie.SignUp : AuthCookie.Auth);
-        const cookieParams = await this.getCookieParams({
-            isSignUpCookie,
-            requestHeaders,
-        });
-        const newCookieHeaders = existingUserIdResult
-            ? await this.refreshLoginHeaders({
-                userId,
-                cookieParams,
-                existingUserIdResult,
-            })
-            : await generateSuccessfulLoginHeaders(userId, cookieParams);
-        return {
-            ...newCookieHeaders,
-            'set-cookie': mergeHeaderValues(newCookieHeaders['set-cookie'], discardOppositeCookieHeaders?.['set-cookie']),
-            ...(isSignUpCookie
-                ? {
-                    [AuthHeaderName.IsSignUpAuth]: 'true',
-                }
-                : {}),
-        };
-    }
-    /** Combines `.getInsecureUser()` and `.getSecureUser()` into one method. */
-    async getInsecureOrSecureUser(params) {
-        const secureUser = await this.getSecureUser(params);
-        if (secureUser) {
-            return {
-                secureUser,
-            };
-        }
-        // eslint-disable-next-line @typescript-eslint/no-deprecated
-        const insecureUser = await this.getInsecureUser(params);
-        return insecureUser
-            ? {
-                insecureUser,
-            }
-            : {};
-    }
-    /**
-     * @deprecated This only half authenticates the user. It should only be used in circumstances
-     *   where JavaScript cannot be used to attach the CSRF token header to the request (like when
-     *   opening a PDF file). Use `.getSecureUser()` instead, whenever possible.
-     */
-    async getInsecureUser({ requestHeaders, allowUserAuthRefresh, }) {
-        // eslint-disable-next-line @typescript-eslint/no-deprecated
-        const userIdResult = await insecureExtractUserIdFromCookieAlone(requestHeaders, await this.getJwtParams(), AuthCookie.Auth);
-        if (!userIdResult) {
-            this.logForUser({
-                user: undefined,
-                userId: undefined,
-                assumedUserParams: undefined,
-            }, 'getInsecureUser: failed to extract user ID from cookie (invalid JWT or missing cookie)');
-            return undefined;
-        }
-        const user = await this.getDatabaseUser({
-            isSignUpCookie: false,
-            userId: userIdResult.userId,
-            assumingUser: undefined,
-            requestHeaders,
-        });
-        if (!user) {
-            this.logForUser({
-                user: undefined,
-                userId: userIdResult.userId,
-                assumedUserParams: undefined,
-            }, 'getInsecureUser: user not found in database');
-            return undefined;
-        }
-        const refreshHeaders = allowUserAuthRefresh &&
-            (await this.createCookieRefreshHeaders({
-                userIdResult,
-                requestHeaders,
-            }));
-        return {
-            user,
-            isAssumed: false,
-            responseHeaders: refreshHeaders || {},
-        };
-    }
-}

package/dist/auth-client/frontend-auth.client.d.ts

@@ -1,113 +0,0 @@
-import { type createBlockingInterval, type JsonCompatibleObject, type MaybePromise, type PartialWithUndefined, type SelectFrom } from '@augment-vir/common';
-import { type AnyDuration } from 'date-vir';
-import { type EmptyObject } from 'type-fest';
-import { type CsrfHeaderNameOption } from '../csrf-token.js';
-/**
- * Config for {@link FrontendAuthClient}.
- *
- * @category Internal
- */
-export type FrontendAuthClientConfig = Readonly<{
-    csrf: Readonly<CsrfHeaderNameOption>;
-}> & PartialWithUndefined<{
-    /**
-     * Determine if the current user can assume the identity of another user. If this is not
-     * defined, all users will be blocked from assuming other user identities.
-     */
-    canAssumeUser: () => MaybePromise<boolean>;
-    /** Called whenever the current user becomes unauthorized and their CSRF token is wiped. */
-    authClearedCallback: () => MaybePromise<void>;
-    /**
-     * Performs automatic checks on an interval to see if the user is still authenticated. Omit
-     * this to turn off automatic checks.
-     */
-    checkUser: {
-        /**
-         * Get a response from the backend to see if the user is still authenticated. If the
-         * response returns a non-authorized status, the user is wiped. Any other status is
-         * ignored.
-         *
-         * If the user is not currently authorized, this should return `undefined` to prevent
-         * unnecessary network traffic.
-         *
-         * This will be called any time the user interacts with the page, debounced by the
-         * adjacent `debounce` property.
-         */
-        performCheck: () => MaybePromise<SelectFrom<Response, {
-            status: true;
-        }> | undefined>;
-        /**
-         * Debounce for firing `performCheck`.
-         *
-         * @default {minutes: 1}
-         */
-        debounce?: AnyDuration | undefined;
-    };
-    /**
-     * Overwrite the header name used for tracking is an admin is assuming the identity of
-     * another user.
-     */
-    assumedUserHeaderName: string;
-    overrides: PartialWithUndefined<{
-        localStorage: SelectFrom<Storage, {
-            setItem: true;
-            removeItem: true;
-            getItem: true;
-        }>;
-    }>;
-}>;
-/**
- * An auth client for sending and validating client requests to a backend. This should only be used
- * in a frontend environment as it accesses native browser APIs.
- *
- * @category Auth : Client
- * @category Clients
- */
-export declare class FrontendAuthClient<AssumedUserParams extends JsonCompatibleObject = EmptyObject> {
-    protected readonly config: FrontendAuthClientConfig;
-    protected userCheckInterval: undefined | ReturnType<typeof createBlockingInterval>;
-    /** Used to clean up the activity listener on `.destroy()`. */
-    protected removeActivityListener: VoidFunction | undefined;
-    constructor(config: FrontendAuthClientConfig);
-    /**
-     * Destroys the client and performs all necessary cleanup (like clearing the user check
-     * interval).
-     */
-    destroy(): void;
-    /**
-     * Assume the given user. Pass `undefined` to wipe the currently assumed user.
-     *
-     * @returns Whether the assumed user setting or clearing succeeded or not.
-     */
-    assumeUser(assumedUserParams: Readonly<AssumedUserParams> | undefined): Promise<boolean>;
-    /** Gets the assumed user params stored in local storage, if any. */
-    getAssumedUser(): AssumedUserParams | undefined;
-    /**
-     * Creates a `RequestInit` object for the `fetch` API. If you have other request init options,
-     * use [`mergeDeep` from
-     * `@augment-vir/common`](https://electrovir.github.io/augment-vir/functions/mergeDeep.html) to
-     * combine them with these.
-     */
-    createAuthenticatedRequestInit(): RequestInit;
-    /** Wipes the current user auth. */
-    logout(): Promise<void>;
-    /**
-     * Use to handle a login response. The CSRF token cookie is automatically stored by the browser
-     * from the `Set-Cookie` response header.
-     *
-     * @throws Error if the login response failed.
-     */
-    handleLoginResponse(response: Readonly<SelectFrom<Response, {
-        ok: true;
-    }>>): Promise<void>;
-    /**
-     * Use to verify _all_ responses received from the backend. Immediately logs the user out once
-     * an unauthorized response is detected.
-     *
-     * @returns `true` if the auth is okay, `false` otherwise.
-     */
-    verifyResponseAuth(response: Readonly<PartialWithUndefined<SelectFrom<Response, {
-        status: true;
-        headers: true;
-    }>>>): Promise<boolean>;
-}

package/dist/auth-client/frontend-auth.client.js

@@ -1,131 +0,0 @@
-import { HttpStatus, } from '@augment-vir/common';
-import { listenToActivity } from 'detect-activity';
-import { getCurrentCsrfToken, resolveCsrfHeaderName, } from '../csrf-token.js';
-import { AuthHeaderName } from '../headers.js';
-/**
- * An auth client for sending and validating client requests to a backend. This should only be used
- * in a frontend environment as it accesses native browser APIs.
- *
- * @category Auth : Client
- * @category Clients
- */
-export class FrontendAuthClient {
-    config;
-    userCheckInterval;
-    /** Used to clean up the activity listener on `.destroy()`. */
-    removeActivityListener;
-    constructor(config) {
-        this.config = config;
-        if (config.checkUser) {
-            this.removeActivityListener = listenToActivity({
-                listener: async () => {
-                    const response = await config.checkUser?.performCheck();
-                    if (response) {
-                        await this.verifyResponseAuth({
-                            status: response.status,
-                        });
-                    }
-                },
-                debounce: config.checkUser.debounce || {
-                    minutes: 1,
-                },
-                fireImmediately: false,
-            });
-        }
-    }
-    /**
-     * Destroys the client and performs all necessary cleanup (like clearing the user check
-     * interval).
-     */
-    destroy() {
-        this.userCheckInterval?.clearInterval();
-        this.removeActivityListener?.();
-    }
-    /**
-     * Assume the given user. Pass `undefined` to wipe the currently assumed user.
-     *
-     * @returns Whether the assumed user setting or clearing succeeded or not.
-     */
-    async assumeUser(assumedUserParams) {
-        const localStorage = this.config.overrides?.localStorage || globalThis.localStorage;
-        const storageKey = this.config.assumedUserHeaderName || AuthHeaderName.AssumedUser;
-        if (!assumedUserParams) {
-            localStorage.removeItem(storageKey);
-            return true;
-        }
-        else if (!(await this.config.canAssumeUser?.())) {
-            return false;
-        }
-        localStorage.setItem(storageKey, JSON.stringify(assumedUserParams));
-        return true;
-    }
-    /** Gets the assumed user params stored in local storage, if any. */
-    getAssumedUser() {
-        const rawValue = (this.config.overrides?.localStorage || globalThis.localStorage).getItem(this.config.assumedUserHeaderName || AuthHeaderName.AssumedUser);
-        if (!rawValue) {
-            return undefined;
-        }
-        try {
-            return JSON.parse(rawValue);
-        }
-        catch {
-            return undefined;
-        }
-    }
-    /**
-     * Creates a `RequestInit` object for the `fetch` API. If you have other request init options,
-     * use [`mergeDeep` from
-     * `@augment-vir/common`](https://electrovir.github.io/augment-vir/functions/mergeDeep.html) to
-     * combine them with these.
-     */
-    createAuthenticatedRequestInit() {
-        const csrfToken = getCurrentCsrfToken();
-        const assumedUser = this.getAssumedUser();
-        const headers = {
-            ...(csrfToken
-                ? {
-                    [resolveCsrfHeaderName(this.config.csrf)]: csrfToken,
-                }
-                : {}),
-            ...(assumedUser
-                ? {
-                    [this.config.assumedUserHeaderName || AuthHeaderName.AssumedUser]: JSON.stringify(assumedUser),
-                }
-                : {}),
-        };
-        return {
-            headers,
-            credentials: 'include',
-        };
-    }
-    /** Wipes the current user auth. */
-    async logout() {
-        await this.config.authClearedCallback?.();
-    }
-    /**
-     * Use to handle a login response. The CSRF token cookie is automatically stored by the browser
-     * from the `Set-Cookie` response header.
-     *
-     * @throws Error if the login response failed.
-     */
-    async handleLoginResponse(response) {
-        if (!response.ok) {
-            await this.logout();
-            throw new Error('Login response failed.');
-        }
-    }
-    /**
-     * Use to verify _all_ responses received from the backend. Immediately logs the user out once
-     * an unauthorized response is detected.
-     *
-     * @returns `true` if the auth is okay, `false` otherwise.
-     */
-    async verifyResponseAuth(response) {
-        if (response.status === HttpStatus.Unauthorized &&
-            !response.headers?.get(AuthHeaderName.IsSignUpAuth)) {
-            await this.logout();
-            return false;
-        }
-        return true;
-    }
-}

package/dist/auth-client/is-session-refresh-ready.d.ts

@@ -1,23 +0,0 @@
-import { type AnyDuration, type FullDate, type UtcTimezone } from 'date-vir';
-/**
- * Determines if enough time has passed since the JWT was issued to start refreshing the session.
- *
- * Visually, this check looks like this:
- *
- *      I====R===========E
- *
- * - I = JWT issued time (from the JWT's `iat` claim)
- * - R = session refreshing is available now (I + sessionRefreshStartTime)
- * - E = JWT expiration
- * - `=` between R and E = the time frame in which the return value is `true`.
- *
- * @category Auth : Host
- */
-export declare function isSessionRefreshReady({ now, jwtIssuedAt, sessionRefreshStartTime, }: {
-    /** The current time. */
-    now?: Readonly<FullDate<UtcTimezone>> | undefined;
-    /** When the JWT was issued (`iat` claim). */
-    jwtIssuedAt: Readonly<FullDate<UtcTimezone>>;
-    /** How long after JWT issuance before refreshing is available. */
-    sessionRefreshStartTime: Readonly<AnyDuration>;
-}): boolean;

package/dist/auth-client/is-session-refresh-ready.js

@@ -1,21 +0,0 @@
-import { calculateRelativeDate, getNowInUtcTimezone, isDateAfter, } from 'date-vir';
-/**
- * Determines if enough time has passed since the JWT was issued to start refreshing the session.
- *
- * Visually, this check looks like this:
- *
- *      I====R===========E
- *
- * - I = JWT issued time (from the JWT's `iat` claim)
- * - R = session refreshing is available now (I + sessionRefreshStartTime)
- * - E = JWT expiration
- * - `=` between R and E = the time frame in which the return value is `true`.
- *
- * @category Auth : Host
- */
-export function isSessionRefreshReady({ now = getNowInUtcTimezone(), jwtIssuedAt, sessionRefreshStartTime, }) {
-    return isDateAfter({
-        fullDate: now,
-        relativeTo: calculateRelativeDate(jwtIssuedAt, sessionRefreshStartTime),
-    });
-}