Framework-agnostic session management for AT Protocol applications using Iron Session encryption

Fix mobile token cookie compatibility

+32 -5
+11
CHANGELOG.md
··· 2 2 3 3 All notable changes to this project will be documented in this file. 4 4 5 + ## [1.0.1] - 2025-11-28 6 + 7 + ### Fixed 8 + 9 + - **Mobile token cookie compatibility**: `sealToken` now produces tokens that 10 + are compatible with cookie-based session validation. Mobile tokens now include 11 + `createdAt` and `lastAccessed` fields and use TTL, matching the cookie format. 12 + - **Defensive session extraction**: `getSessionFromRequest` now handles missing 13 + `createdAt` field gracefully, providing a default value for backward 14 + compatibility with older mobile tokens. 15 + 5 16 ## [1.0.0] - 2025-11-28 6 17 7 18 ### Breaking Changes
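Review bot: the Fixed entry for `sealToken` leaves out the lifetime change it introduces. Before this change `sealToken` called `sealData` with only `password`; it now passes `ttl: this.sessionTtl`, so newly issued mobile tokens expire on the session TTL where earlier ones relied on `sealData`'s default. That is user-visible for mobile clients holding cached tokens and belongs in the entry, ideally alongside a sentence that tokens sealed before 1.0.1 (no `createdAt`) are still accepted thanks to the `getSessionFromRequest` default.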
+1 -1
deno.json
··· 1 1 { 2 2 "$schema": "https://jsr.io/schema/config-file.v1.json", 3 3 "name": "@tijs/atproto-sessions", 4 - "version": "1.0.0", 4 + "version": "1.0.1", 5 5 "license": "MIT", 6 6 "exports": "./mod.ts", 7 7 "publish": {
+20 -4
src/sessions.ts
··· 154 154 155 155 this.logger.info( 156 156 `Session extracted: DID=${sessionData.did}, created=${ 157 - new Date(sessionData.createdAt).toISOString() 157 + sessionData.createdAt 158 + ? new Date(sessionData.createdAt).toISOString() 159 + : "N/A (mobile token)" 158 160 }`, 159 161 ); 160 162 161 163 // Create refreshed session with updated lastAccessed 164 + // Provide defaults for missing fields (backward compatibility with old mobile tokens) 165 + const now = Date.now(); 162 166 const refreshedData: CookieSessionData = { 163 167 did: sessionData.did, 164 - createdAt: sessionData.createdAt, 165 - lastAccessed: Date.now(), 168 + createdAt: sessionData.createdAt ?? now, 169 + lastAccessed: now, 166 170 }; 167 171 168 172 const setCookieHeader = await this.createSession(refreshedData); ··· 223 227 /** 224 228 * Seal data into a mobile Bearer token. 225 229 * 230 + * Creates a token that is compatible with cookie-based session validation, 231 + * so mobile apps can use this token either as a Bearer token or as a cookie value. 232 + * 226 233 * @param data - Data to seal (typically just { did }) 227 234 * @returns Sealed token string 228 235 */ 229 236 async sealToken(data: MobileTokenData): Promise<string> { 230 - return await sealData(data, { 237 + // Include createdAt and lastAccessed for cookie compatibility 238 + // This allows mobile tokens to work as cookie values 239 + const now = Date.now(); 240 + const sessionData: CookieSessionData = { 241 + did: data.did, 242 + createdAt: now, 243 + lastAccessed: now, 244 + }; 245 + return await sealData(sessionData, { 231 246 password: this.cookieSecret, 247 + ttl: this.sessionTtl, 232 248 }); 233 249 } 234 250
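Review bot: in the `refreshedData` block, `createdAt: sessionData.createdAt ?? now` assigns a legacy token (sealed before this change, so carrying no `createdAt`) a creation time equal to the moment it is first presented after the upgrade, not the time it was issued. Any absolute-lifetime check keyed on `createdAt` therefore starts over for those tokens. If that is intended, say so in the comment, which currently only reads `// Provide defaults for missing fields (backward compatibility with old mobile tokens)`; if not, reject tokens without `createdAt` once a migration window has passed. The log label `"N/A (mobile token)"` also becomes misleading with this change, because `sealToken` now always sets `createdAt`; `"N/A (legacy mobile token)"` names the only case that can still reach it.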
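Review bot: `sealToken` accepts `data: MobileTokenData` but forwards only `data.did` into `sessionData`, so any other field a caller places in `MobileTokenData` is silently dropped from the sealed payload. Either narrow the parameter to `{ did: string }` or spread `...data` before setting `createdAt` and `lastAccessed`, so the signature matches the behaviour. Separately, `ttl: this.sessionTtl` is handed straight to `sealData`, whose `ttl` option is expressed in seconds; the hunk does not show how `sessionTtl` is defined, so confirm it is not a millisecond value shared with cookie `maxAge` arithmetic, otherwise the seal expiry is off by a factor of 1000.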