[codex] Reject websocket tokens after session expiry

[juliusmarminge]

What changed

• reject websocket tokens when their parent auth session has already expired
• add a clock-driven regression test covering an expired parent session with a still-valid websocket token TTL

Why

verifyWebSocketToken() validated only the websocket token claim expiry and revocation state. A websocket token could therefore outlive the underlying session row and still authenticate until its own shorter TTL elapsed.

Validation

• bun fmt
• bun lint
• bun typecheck
• cd apps/server && bun run test src/auth/Layers/SessionCredentialService.test.ts

Note

Reject websocket tokens when the parent session has expired

Previously, verifyWebSocketToken only checked if a session was revoked, not if it had expired. Now, after fetching the session row, it compares expiresAt against the current time and returns a SessionCredentialError with message 'Websocket session expired.' if the session is past its TTL. A test using TestClock advances time past a 1-second session TTL to verify the new rejection behavior.

^{Macroscope summarized c5fc3f3.}

---

Note

Medium Risk
Touches session authentication checks: websocket token verification now depends on the persisted session expiry, which could impact active websocket connections if clock/TTL handling is off. Change is small and covered by a new clock-driven regression test.

Overview
Websocket authentication now fails once the underlying session expires. verifyWebSocketToken() now checks the parent auth session row’s expiresAt against the current time and returns a SessionCredentialError when the session is expired, even if the websocket token’s own exp is still valid.

Adds a regression test using TestClock that issues a short-lived session, mints a websocket token, advances time past the session TTL, and asserts the websocket token is rejected.

^{Reviewed by Cursor Bugbot for commit c5fc3f3. Bugbot is set up for automated code reviews on this repo. Configure here.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: faba8b4e-1650-401d-921e-953b887714da

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/review-ws-session-expiry

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

Approvability

Verdict: Needs human review

This PR modifies authentication logic in the auth directory, adding session expiry validation for websocket tokens. Regardless of the change's simplicity, modifications to auth-related code require human review to ensure the security implications are properly evaluated.

^{You can customize Macroscope's approvability policy. Learn more.}