fix: Change time-related variables to use milliseconds

Author: aabccd021

README.md

@@ -51,8 +51,8 @@ function dbInit(): sqlite.Database {
   db.run(`
     CREATE TABLE IF NOT EXISTS session (
       id_hash TEXT PRIMARY KEY,
-      session_exp INTEGER NOT NULL,
-      token_exp INTEGER NOT NULL,
+      session_exp_epoch_ms INTEGER NOT NULL,
+      token_exp_epoch_ms INTEGER NOT NULL,
       token_1_hash TEXT NOT NULL,
       token_2_hash TEXT
     )
@@ -66,8 +66,8 @@ function dbSelectSession(db: sqlite.Database, idHash: string): tcs.SessionData |
     return undefined;
   }
   return {
-    sessionExp: new Date(row.session_exp),
-    tokenExp: new Date(row.token_exp),
+    sessionExpEpochMs: row.session_exp_epoch_ms,
+    tokenExpEpochMs: row.token_exp_epoch_ms,
     token1Hash: row.token_1_hash,
     token2Hash: row.token_2_hash,
   };
@@ -76,13 +76,13 @@ function dbSelectSession(db: sqlite.Database, idHash: string): tcs.SessionData |
 function dbSetSession(db: sqlite.Database, action: tcs.SetSessionAction): void {
   db.query(
     `
-      INSERT OR REPLACE INTO session (id_hash, session_exp, token_exp, token_1_hash, token_2_hash)
-      VALUES (:idHash, :sessionExp, :tokenExp, :token1Hash, :token2Hash)
+      INSERT OR REPLACE INTO session (id_hash, session_exp_epoch_ms, token_exp_epoch_ms, token_1_hash, token_2_hash)
+      VALUES (:idHash, :sessionExpEpochMs, :tokenExpEpochMs, :token1Hash, :token2Hash)
     `,
   ).run({
     idHash: action.idHash,
-    sessionExp: action.sessionData.sessionExp.getTime(),
-    tokenExp: action.sessionData.tokenExp.getTime(),
+    sessionExpEpochMs: action.sessionData.sessionExpEpochMs,
+    tokenExpEpochMs: action.sessionData.tokenExpEpochMs,
     token1Hash: action.sessionData.token1Hash,
     token2Hash: action.sessionData.token2Hash,
   });
@@ -208,8 +208,8 @@ You can use custom expiration times by passing configuration options to the func
 import * as tcs from "tiny-cookie-session";
 
 const config = {
-  sessionExpiresIn: 5 * 60 * 60 * 1000, // 5 hours
-  tokenExpiresIn: 10 * 60 * 1000, // 10 minutes
+  sessionExpiresInMs: 5 * 60 * 60 * 1000, // 5 hours
+  tokenExpiresInMs: 10 * 60 * 1000, // 10 minutes
 };
 
 tcs.consume({ config /* other params */ });
@@ -219,21 +219,21 @@ tcs.login({ config });
 
 ### Session Expiration Time
 
-The `sessionExpiresIn` value controls how long a session can remain active without user interaction,
+The `sessionExpiresInMs` value controls how long a session can remain active without user interaction,
 often referred to as "log out after X minutes of inactivity."
 
-For example, with `sessionExpiresIn: 30 * 60 * 1000` (30 minutes),
+For example, with `sessionExpiresInMs: 30 * 60 * 1000` (30 minutes),
 a user can remain logged in indefinitely by making requests at least every 29 minutes.
 
 ### Token Expiration Time
 
-The `tokenExpiresIn` value controls how often the token is rotated.
+The `tokenExpiresInMs` value controls how often the token is rotated.
 When a token expires but the session is still valid, the system generates a new token.
 
 You should set this to a value as short as possible, but still longer than the longest HTTP request
 time your users might experience.
 For example, if your app might take up to 3 minutes (in a single request) for uploading large files,
-you should set `tokenExpiresIn` to 3 minutes.
+you should set `tokenExpiresInMs` to 3 minutes.
 The only reason we don't rotate the token on every request is to handle a race condition
 where the user makes two requests at the same time.
 
@@ -280,7 +280,7 @@ or to identify attackers from other signals (e.g., IP address, User-Agent, geolo
 
 There are two possible approaches to mitigate this risk:
 
-1. Set a short session expiration time (`sessionExpiresIn`).
+1. Set a short session expiration time (`sessionExpiresInMs`).
 2. Implement a "Don't remember me" option.
 
 The "Don't remember me" feature can be implemented by removing the `Expires` and `Max-Age`

index.d.ts

@@ -1,22 +1,22 @@
 export type CookieOptions = {
-  maxAge?: number;
-  expires?: Date;
-  domain?: string;
-  path?: string;
-  httpOnly?: boolean;
-  secure?: boolean;
-  sameSite?: "strict" | "lax" | "none";
+  readonly maxAge?: number;
+  readonly expires?: Date;
+  readonly domain?: string;
+  readonly path?: string;
+  readonly httpOnly?: boolean;
+  readonly secure?: boolean;
+  readonly sameSite?: "strict" | "lax" | "none";
 };
 
 export type Cookie = {
-  value: string;
-  options: CookieOptions;
+  readonly value: string;
+  readonly options: CookieOptions;
 };
 
 export type Config = {
-  readonly dateNow?: () => Date;
-  readonly sessionExpiresIn?: number;
-  readonly tokenExpiresIn?: number;
+  readonly nowEpochMs?: () => number;
+  readonly sessionExpiresInMs?: number;
+  readonly tokenExpiresInMs?: number;
 };
 
 type Credential = {
@@ -26,10 +26,10 @@ type Credential = {
 };
 
 export type SessionData = {
-  readonly sessionExp: Date;
+  readonly sessionExpEpochMs: number;
+  readonly tokenExpEpochMs: number;
   readonly token1Hash: string;
   readonly token2Hash: string | null;
-  readonly tokenExp: Date;
 };
 
 export type DeleteSessionAction = {

index.js

@@ -54,13 +54,13 @@ export async function login(arg) {
   const token = generate256BitEntropyHex();
   const tokenHash = await hash(token);
 
-  const now = arg?.config?.dateNow?.() ?? new Date();
+  const nowEpochMs = arg?.config?.nowEpochMs?.() ?? Date.now();
 
-  const sessionExpiresIn = arg?.config?.sessionExpiresIn ?? defaultSessionExpiresIn;
-  const sessionExp = new Date(now.getTime() + sessionExpiresIn);
+  const sessionExpiresInMs = arg?.config?.sessionExpiresInMs ?? defaultSessionExpiresIn;
+  const sessionExpEpochMs = nowEpochMs + sessionExpiresInMs;
 
-  const tokenExpiresIn = arg?.config?.tokenExpiresIn ?? defaultTokenExpiresIn;
-  const tokenExp = new Date(now.getTime() + tokenExpiresIn);
+  const tokenExpiresInMs = arg?.config?.tokenExpiresInMs ?? defaultTokenExpiresIn;
+  const tokenExpEpochMs = nowEpochMs + tokenExpiresInMs;
 
   /** @type {import("./index").Cookie} */
   const cookie = {
@@ -69,7 +69,7 @@ export async function login(arg) {
       httpOnly: true,
       sameSite: "strict",
       secure: true,
-      expires: sessionExp,
+      expires: new Date(sessionExpEpochMs),
     },
   };
 
@@ -82,8 +82,8 @@ export async function login(arg) {
       sessionData: {
         token1Hash: tokenHash,
         token2Hash: null,
-        sessionExp: sessionExp,
-        tokenExp: tokenExp,
+        sessionExpEpochMs,
+        tokenExpEpochMs,
       },
     },
   };
@@ -141,9 +141,9 @@ export async function consume(arg) {
     };
   }
 
-  const now = arg.config?.dateNow?.() ?? new Date();
+  const nowEpochMs = arg.config?.nowEpochMs?.() ?? Date.now();
 
-  const isSessionExpired = arg.sessionData.sessionExp.getTime() <= now.getTime();
+  const isSessionExpired = arg.sessionData.sessionExpEpochMs <= nowEpochMs;
   if (isSessionExpired) {
     return {
       state: "Expired",
@@ -162,16 +162,16 @@ export async function consume(arg) {
     return { state: "Active" };
   }
 
-  const isTokenExpired = arg.sessionData.tokenExp.getTime() <= now.getTime();
+  const isTokenExpired = arg.sessionData.tokenExpEpochMs <= nowEpochMs;
   if (isTokenExpired) {
     const nextToken = generate256BitEntropyHex();
     const nextTokenHash = await hash(nextToken);
 
-    const sessionExpiresIn = arg.config?.sessionExpiresIn ?? defaultSessionExpiresIn;
-    const nextSessionExp = new Date(now.getTime() + sessionExpiresIn);
+    const sessionExpiresInMs = arg.config?.sessionExpiresInMs ?? defaultSessionExpiresIn;
+    const nextSessionExpEpochMs = nowEpochMs + sessionExpiresInMs;
 
-    const tokenExpiresIn = arg.config?.tokenExpiresIn ?? defaultTokenExpiresIn;
-    const nextTokenExp = new Date(now.getTime() + tokenExpiresIn);
+    const tokenExpiresInMs = arg.config?.tokenExpiresInMs ?? defaultTokenExpiresIn;
+    const nextTokenExpEpochMs = nowEpochMs + tokenExpiresInMs;
 
     /** @type {import("./index").Cookie} */
     const cookie = {
@@ -181,7 +181,7 @@ export async function consume(arg) {
         sameSite: "strict",
         path: "/",
         secure: true,
-        expires: nextSessionExp,
+        expires: new Date(nextSessionExpEpochMs),
       },
     };
 
@@ -195,8 +195,8 @@ export async function consume(arg) {
         sessionData: {
           token1Hash: nextTokenHash,
           token2Hash: arg.sessionData.token1Hash,
-          sessionExp: nextSessionExp,
-          tokenExp: nextTokenExp,
+          sessionExpEpochMs: nextSessionExpEpochMs,
+          tokenExpEpochMs: nextTokenExpEpochMs,
         },
       },
     };
@@ -215,8 +215,8 @@ export async function consume(arg) {
         sessionData: {
           token1Hash: arg.sessionData.token1Hash,
           token2Hash: null,
-          sessionExp: arg.sessionData.sessionExp,
-          tokenExp: arg.sessionData.tokenExp,
+          sessionExpEpochMs: arg.sessionData.sessionExpEpochMs,
+          tokenExpEpochMs: arg.sessionData.tokenExpEpochMs,
         },
       },
     };