Follow-up to #956 (auth hardening review). Missing tests on existing behavior.
Context
#956 added 87-session-lifecycle.spec.ts (logout destroys session; logging out one session leaves a concurrent one alive; unauth rejected). More session invariants remain unasserted.
Proposed coverage
- Expired sessions are cleaned up on next login.
- Session refresh extends expiry and returns an up-to-date user.
- A JWT/cookie whose underlying session row was terminated server-side is rejected.
- updatedAt is NOT bumped on session create / logout / refresh (matches Better Auth semantics).
Acceptance
- Extend 87-session-lifecycle.spec.ts (or add integration tests) covering the above against a real session store.
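
A sketch of the four proposed assertions, added here as an example and not taken from the project's spec file or from Better Auth. It runs against a hypothetical in-memory `SessionStore` in place of the real session store, and it assumes `updatedAt` refers to the user record; all type, method and field names are made up for illustration.

```typescript
// Added illustration; every name here is hypothetical, not the project's code.
type User = { id: string; name: string; updatedAt: number };
type Session = { userId: string; expiresAt: number };
const TTL_MS = 1000;
class SessionStore {
  users: Record<string, User> = {};
  sessions: Record<string, Session> = {};
  private seq = 0;
  // Login first purges this user's expired rows, then issues a new session.
  login(userId: string, now: number): string {
    for (const t of Object.keys(this.sessions))
      if (this.sessions[t].userId === userId && this.sessions[t].expiresAt <= now) delete this.sessions[t];
    const token = `tok-${++this.seq}`;
    this.sessions[token] = { userId, expiresAt: now + TTL_MS };
    return token;
  }
  // The row is authoritative: a token without a live row is rejected.
  validate(token: string, now: number): User | null {
    const s = this.sessions[token];
    if (!s || s.expiresAt <= now) return null;
    return this.users[s.userId] ?? null;
  }
  // Refresh extends expiry and returns the user as currently stored.
  refresh(token: string, now: number): { expiresAt: number; user: User } | null {
    const user = this.validate(token, now);
    if (!user) return null;
    this.sessions[token].expiresAt = now + TTL_MS;
    return { expiresAt: this.sessions[token].expiresAt, user: { ...user } };
  }
  terminate(token: string): void { delete this.sessions[token]; } // logout or server-side kill
}

function checkInvariants(): Record<string, boolean> {
  const store = new SessionStore();
  store.users["u1"] = { id: "u1", name: "old", updatedAt: 5 };
  const stale = store.login("u1", 0); // expires at t=1000
  const live = store.login("u1", 2000); // stale row is past expiry by now
  const unbumpedOnCreate = store.users["u1"].updatedAt === 5;
  store.users["u1"] = { id: "u1", name: "new", updatedAt: 7 }; // profile edit
  const r = store.refresh(live, 2500);
  store.terminate(live); // token is still unexpired, only the row is gone
  return {
    expiredCleanedOnLogin: !(stale in store.sessions),
    refreshExtendsExpiry: r !== null && r.expiresAt > 3000,
    refreshReturnsCurrentUser: r !== null && r.user.name === "new",
    terminatedSessionRejected: store.validate(live, 2600) === null,
    updatedAtNotBumped: unbumpedOnCreate && store.users["u1"].updatedAt === 7,
  };
}
```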