Session lifecycle: deeper invariant tests (expiry cleanup, refresh, updatedAt) #960

Description

@lane711

Follow-up to #956 (auth hardening review). Missing tests on existing behavior.

Context

#956 added 87-session-lifecycle.spec.ts (logout destroys session; logging out one session leaves a concurrent one alive; unauth rejected). More session invariants remain unasserted.

Proposed coverage

  • Expired sessions are cleaned up on next login.
  • Session refresh extends expiry and returns an up-to-date user.
  • A JWT/cookie whose underlying session row was terminated server-side is rejected.
  • updatedAt is NOT bumped on session create / logout / refresh (matches Better Auth semantics).

Acceptance

  • Extend 87-session-lifecycle.spec.ts (or add integration tests) covering the above against a real session store.
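
A minimal in-memory model of the invariants listed under "Proposed coverage", added here as an illustration and not taken from the issue or the project. `SessionStore`, `TTL_MS`, `runScenario`, the injected clock and the counter-based tokens are all assumptions; the tests the issue asks for would run against the real session store.

```typescript
// Hypothetical in-memory model; every name here is illustrative, not the project's API.
type User = { id: string; name: string; updatedAt: number };
type Session = { userId: string; expiresAt: number };
const TTL_MS = 60000; // assumed session lifetime
class SessionStore {
  now = 0; // injected clock so expiry is deterministic
  private seq = 0; // counter tokens for the demo only; real tokens must be random
  users: Record<string, User | undefined> = {};
  sessions: Record<string, Session | undefined> = {};
  login(userId: string): string {
    // Expired rows for this user are purged on the next login.
    for (const t of Object.keys(this.sessions)) {
      const s = this.sessions[t];
      if (s && s.userId === userId && s.expiresAt <= this.now) delete this.sessions[t];
    }
    const token = "tok-" + ++this.seq;
    this.sessions[token] = { userId, expiresAt: this.now + TTL_MS };
    return token;
  }
  // A token is honoured only while its row exists and is unexpired.
  validate(token: string): User | null {
    const s = this.sessions[token];
    if (!s || s.expiresAt <= this.now) return null;
    return this.users[s.userId] || null;
  }
  // Refresh extends expiry and returns the current user; user.updatedAt is untouched.
  refresh(token: string): { user: User; expiresAt: number } | null {
    const s = this.sessions[token];
    const user = this.validate(token);
    if (!s || !user) return null;
    s.expiresAt = this.now + TTL_MS;
    return { user, expiresAt: s.expiresAt };
  }
  logout(token: string): void { delete this.sessions[token]; }
}
function runScenario() {
  const store = new SessionStore();
  store.users["u1"] = { id: "u1", name: "Ada", updatedAt: 0 }; // constructed sample user
  const a = store.login("u1"); // session a expires at 60000
  store.now = 30000;
  store.users["u1"] = { id: "u1", name: "Ada L.", updatedAt: store.now }; // profile edit
  const refreshed = store.refresh(a); // expiry moves to 90000
  const b = store.login("u1");
  store.logout(b); // row removed server-side; the client may still hold token b
  const terminatedRejected = store.validate(b) === null;
  store.now = 100000; // session a is now past its expiry
  const c = store.login("u1"); // this login purges the expired row for a
  return { refreshed, terminatedRejected, live: Object.keys(store.sessions).length, user: store.validate(c) };
}
```

In this model only the profile edit moves `updatedAt`; login, refresh and logout never write to the user record, which is the property the last bullet asks the tests to pin down.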

Metadata

Labels: enhancement