pingdotgg · juliusmarminge · Apr 8, 2026 · Apr 8, 2026
diff --git a/apps/server/src/auth/Layers/SessionCredentialService.test.ts b/apps/server/src/auth/Layers/SessionCredentialService.test.ts
@@ -1,6 +1,6 @@
 import * as NodeServices from "@effect/platform-node/NodeServices";
 import { expect, it } from "@effect/vitest";
-import { Effect, Layer } from "effect";
+import { Duration, Effect, Layer } from "effect";
 import { TestClock } from "effect/testing";
 
 import type { ServerConfigShape } from "../../config.ts";
@@ -82,6 +82,23 @@ it.layer(NodeServices.layer)("SessionCredentialServiceLive", (it) => {
     }).pipe(Effect.provide(Layer.merge(makeSessionCredentialLayer(), TestClock.layer()))),
   );
 
+  it.effect("rejects websocket tokens once the parent session has expired", () =>
+    Effect.gen(function* () {
+      const sessions = yield* SessionCredentialService;
+      const issued = yield* sessions.issue({
+        method: "bearer-session-token",
+        subject: "short-lived",
+        ttl: Duration.seconds(1),
+      });
+      const websocket = yield* sessions.issueWebSocketToken(issued.sessionId);
+
+      yield* TestClock.adjust(Duration.seconds(2));
+
+      const error = yield* Effect.flip(sessions.verifyWebSocketToken(websocket.token));
+      expect(error.message).toContain("expired");
+    }).pipe(Effect.provide(Layer.merge(makeSessionCredentialLayer(), TestClock.layer()))),
+  );
+
   it.effect("lists active sessions, tracks connectivity, and revokes other sessions", () =>
     Effect.gen(function* () {
       const sessions = yield* SessionCredentialService;

diff --git a/apps/server/src/auth/Layers/SessionCredentialService.ts b/apps/server/src/auth/Layers/SessionCredentialService.ts
@@ -358,6 +358,11 @@ export const makeSessionCredentialService = Effect.gen(function* () {
           message: "Unknown websocket session.",
         });
       }
+      if (row.value.expiresAt.epochMilliseconds <= now) {
+        return yield* new SessionCredentialError({
+          message: "Websocket session expired.",
+        });
+      }
       if (row.value.revokedAt !== null) {
         return yield* new SessionCredentialError({
           message: "Websocket session revoked.",