Refactor client expiration check to use ISessionInternalInfo

Move client expiration data (clientExpiresAt) into ISessionInternalInfo
so it flows through SessionInfoManager.get() → validateCurrentSession()
→ silentlyAuthenticate(), eliminating the need for a separate
isClientExpired method, constructor changes, and extra mock plumbing
in ClientAuthentication.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: timgent

packages/browser/src/ClientAuthentication.spec.ts

@@ -92,20 +92,17 @@ describe("ClientAuthentication", () => {
     logoutHandler: mockLogoutHandler(defaultMockStorage),
     sessionInfoManager: mockSessionInfoManager(defaultMockStorage),
     issuerConfigFetcher: mockDefaultIssuerConfigFetcher(),
-    storage: defaultMockStorage,
   };
 
   function getClientAuthentication(
     mocks: Partial<typeof defaultMocks> = defaultMocks,
   ): ClientAuthentication {
-    const storage = mocks.storage ?? defaultMocks.storage;
     return new ClientAuthentication(
       mocks.loginHandler ?? defaultMocks.loginHandler,
       mocks.redirectHandler ?? defaultMocks.redirectHandler,
       mocks.logoutHandler ?? defaultMocks.logoutHandler,
       mocks.sessionInfoManager ?? defaultMocks.sessionInfoManager,
       mocks.issuerConfigFetcher ?? defaultMocks.issuerConfigFetcher,
-      storage,
     );
   }
 
@@ -605,128 +602,36 @@ describe("ClientAuthentication", () => {
     });
   });
 
-  describe("isClientExpired", () => {
-    it("returns true when a confidential client has an expired timestamp", async () => {
-      const sessionId = "mySession";
-      const expiredTimestamp = Math.floor(Date.now() / 1000) - 1000; // 1000 seconds ago
-      const mockedStorage = new StorageUtility(
-        mockStorage({
-          [`${USER_SESSION_PREFIX}:${sessionId}`]: {
-            isLoggedIn: "true",
-          },
-        }),
-        mockStorage({
-          [`${USER_SESSION_PREFIX}:${sessionId}`]: {
-            clientId: "some-client-id",
-            clientSecret: "some-secret",
-            expiresAt: String(expiredTimestamp),
-          },
-        }),
-      );
-      const clientAuthn = getClientAuthentication({
-        sessionInfoManager: mockSessionInfoManager(mockedStorage),
-        storage: mockedStorage,
-      });
-
-      await expect(clientAuthn.isClientExpired(sessionId)).resolves.toBe(true);
-    });
-
-    it("returns false when a confidential client has a valid timestamp", async () => {
-      const sessionId = "mySession";
-      const futureTimestamp = Math.floor(Date.now() / 1000) + 10000; // 10000 seconds in future
-      const mockedStorage = new StorageUtility(
-        mockStorage({
-          [`${USER_SESSION_PREFIX}:${sessionId}`]: {
-            isLoggedIn: "true",
-          },
-        }),
-        mockStorage({
-          [`${USER_SESSION_PREFIX}:${sessionId}`]: {
-            clientId: "some-client-id",
-            clientSecret: "some-secret",
-            expiresAt: String(futureTimestamp),
-          },
-        }),
-      );
-      const clientAuthn = getClientAuthentication({
-        sessionInfoManager: mockSessionInfoManager(mockedStorage),
-        storage: mockedStorage,
-      });
-
-      await expect(clientAuthn.isClientExpired(sessionId)).resolves.toBe(false);
-    });
-
-    it("returns false when a confidential client never expires (expiresAt = 0)", async () => {
+  describe("validateCurrentSession", () => {
+    it("returns clientExpiresAt when expiresAt is in storage", async () => {
       const sessionId = "mySession";
+      const expiresAt = Math.floor(Date.now() / 1000) + 10000;
       const mockedStorage = new StorageUtility(
         mockStorage({
           [`${USER_SESSION_PREFIX}:${sessionId}`]: {
             isLoggedIn: "true",
+            webId: "https://my.pod/profile#me",
           },
         }),
         mockStorage({
           [`${USER_SESSION_PREFIX}:${sessionId}`]: {
-            clientId: "some-client-id",
+            clientId: "https://some.app/registration",
             clientSecret: "some-secret",
-            expiresAt: "0",
-          },
-        }),
-      );
-      const clientAuthn = getClientAuthentication({
-        sessionInfoManager: mockSessionInfoManager(mockedStorage),
-        storage: mockedStorage,
-      });
-
-      await expect(clientAuthn.isClientExpired(sessionId)).resolves.toBe(false);
-    });
-
-    it("returns false for public clients (no secret) regardless of expiration", async () => {
-      const sessionId = "mySession";
-      const expiredTimestamp = Math.floor(Date.now() / 1000) - 1000;
-      const mockedStorage = new StorageUtility(
-        mockStorage({
-          [`${USER_SESSION_PREFIX}:${sessionId}`]: {
-            isLoggedIn: "true",
-          },
-        }),
-        mockStorage({
-          [`${USER_SESSION_PREFIX}:${sessionId}`]: {
-            clientId: "some-client-id",
-            // No clientSecret - public client
-            expiresAt: String(expiredTimestamp),
+            issuer: "https://some.issuer",
+            expiresAt: String(expiresAt),
           },
         }),
       );
       const clientAuthn = getClientAuthentication({
         sessionInfoManager: mockSessionInfoManager(mockedStorage),
-        storage: mockedStorage,
       });
 
-      await expect(clientAuthn.isClientExpired(sessionId)).resolves.toBe(false);
-    });
-
-    it("returns true for legacy clients with missing expiresAt (confidential)", async () => {
-      const sessionId = "mySession";
-      const mockedStorage = new StorageUtility(
-        mockStorage({
-          [`${USER_SESSION_PREFIX}:${sessionId}`]: {
-            isLoggedIn: "true",
-          },
-        }),
-        mockStorage({
-          [`${USER_SESSION_PREFIX}:${sessionId}`]: {
-            clientId: "some-client-id",
-            clientSecret: "some-secret",
-            // No expiresAt - legacy case
-          },
+      const result = await clientAuthn.validateCurrentSession(sessionId);
+      expect(result).toStrictEqual(
+        expect.objectContaining({
+          clientExpiresAt: expiresAt,
         }),
       );
-      const clientAuthn = getClientAuthentication({
-        sessionInfoManager: mockSessionInfoManager(mockedStorage),
-        storage: mockedStorage,
-      });
-
-      await expect(clientAuthn.isClientExpired(sessionId)).resolves.toBe(true);
     });
   });
 });

packages/browser/src/ClientAuthentication.ts

@@ -28,12 +28,6 @@ import type {
   ISessionInfo,
   ISessionInternalInfo,
   ILoginOptions,
-  IStorageUtility,
-  ILoginHandler,
-  IIncomingRedirectHandler,
-  ILogoutHandler,
-  ISessionInfoManager,
-  IIssuerConfigFetcher,
 } from "@inrupt/solid-client-authn-core";
 import {
   EVENTS,
@@ -48,23 +42,6 @@ import type { EventEmitter } from "events";
  * @hidden
  */
 export default class ClientAuthentication extends ClientAuthenticationBase {
-  constructor(
-    loginHandler: ILoginHandler,
-    redirectHandler: IIncomingRedirectHandler,
-    logoutHandler: ILogoutHandler,
-    sessionInfoManager: ISessionInfoManager,
-    issuerConfigFetcher: IIssuerConfigFetcher,
-    protected storageUtility: IStorageUtility,
-  ) {
-    super(
-      loginHandler,
-      redirectHandler,
-      logoutHandler,
-      sessionInfoManager,
-      issuerConfigFetcher,
-    );
-  }
-
   // Define these functions as properties so that they don't get accidentally re-bound.
   // Isn't Javascript fun?
   login = async (
@@ -118,38 +95,6 @@ export default class ClientAuthentication extends ClientAuthenticationBase {
     return sessionInfo;
   };
 
-  /**
-   * Checks if the stored client registration has expired.
-   * Returns true if the client is a confidential client (has a secret) and has expired.
-   * Returns false for public clients or clients that haven't expired.
-   */
-  isClientExpired = async (sessionId: string): Promise<boolean> => {
-    const [clientSecret, expiresAt] = await Promise.all([
-      this.storageUtility.getForUser(sessionId, "clientSecret", {
-        secure: false,
-      }),
-      this.storageUtility.getForUser(sessionId, "expiresAt", { secure: false }),
-    ]);
-
-    // Expiration only applies to confidential clients (those with secrets)
-    if (clientSecret === undefined) {
-      return false;
-    }
-
-    // -1 identifies legacy cases when a value should have been stored but wasn't
-    // Treat as expired
-    const expirationDate =
-      expiresAt !== undefined ? Number.parseInt(expiresAt, 10) : -1;
-
-    // expirationDate === 0 means the client registration never expires
-    if (expirationDate === 0) {
-      return false;
-    }
-
-    // Check if current time (in seconds) is past the expiration date
-    return Math.floor(Date.now() / 1000) > expirationDate;
-  };
-
   handleIncomingRedirect = async (
     url: string,
     eventEmitter: EventEmitter,

packages/browser/src/Session.spec.ts

@@ -458,21 +458,17 @@ describe("Session", () => {
         .mockReturnValueOnce(
           incomingRedirectPromise,
         ) as typeof clientAuthentication.handleIncomingRedirect;
-      const validateCurrentSessionPromise = Promise.resolve(
-        "https://some.issuer/",
-      );
+      const validateCurrentSessionPromise = Promise.resolve({
+        issuer: "https://some.issuer/",
+        clientAppId: "some client ID",
+        redirectUrl: "https://some.redirect/url",
+        tokenType: "DPoP",
+      });
       clientAuthentication.validateCurrentSession = jest
         .fn()
         .mockReturnValue(
           validateCurrentSessionPromise,
         ) as typeof clientAuthentication.validateCurrentSession;
-      // Mock isClientExpired to return false (not expired)
-      const isClientExpiredPromise = Promise.resolve(false);
-      clientAuthentication.isClientExpired = jest
-        .fn()
-        .mockReturnValue(
-          isClientExpiredPromise,
-        ) as typeof clientAuthentication.isClientExpired;
 
       const mySession = new Session({ clientAuthentication });
       // eslint-disable-next-line no-void
@@ -482,7 +478,6 @@ describe("Session", () => {
       });
       await incomingRedirectPromise;
       await validateCurrentSessionPromise;
-      await isClientExpiredPromise;
       expect(window.localStorage.getItem(KEY_CURRENT_URL)).toBe(
         "https://mock.current/location",
       );
@@ -544,6 +539,7 @@ describe("Session", () => {
         issuer: "https://some.issuer",
         clientAppId: "some client ID",
         clientAppSecret: "some client secret",
+        clientExpiresAt: Math.floor(Date.now() / 1000) + 10000,
         redirectUrl: "https://some.redirect/url",
         tokenType: "DPoP",
       });
@@ -552,13 +548,6 @@ describe("Session", () => {
         .mockReturnValue(
           validateCurrentSessionPromise,
         ) as typeof clientAuthentication.validateCurrentSession;
-      // Mock isClientExpired to return false (not expired)
-      const isClientExpiredPromise = Promise.resolve(false);
-      clientAuthentication.isClientExpired = jest
-        .fn()
-        .mockReturnValue(
-          isClientExpiredPromise,
-        ) as typeof clientAuthentication.isClientExpired;
       const incomingRedirectPromise = Promise.resolve();
       clientAuthentication.handleIncomingRedirect = jest
         .fn()
@@ -575,7 +564,6 @@ describe("Session", () => {
       });
       await incomingRedirectPromise;
       await validateCurrentSessionPromise;
-      await isClientExpiredPromise;
       expect(clientAuthentication.login).toHaveBeenCalledWith(
         {
           sessionId: "mySession",
@@ -796,11 +784,12 @@ describe("Session", () => {
         sessionInfoManager: mockSessionInfoManager(mockedStorage),
       });
 
-      // Mock validateCurrentSession to return valid session info
+      // Mock validateCurrentSession to return session info with an expired client
       const validateCurrentSessionPromise = Promise.resolve({
         issuer: "https://some.issuer",
         clientAppId: "some client ID",
         clientAppSecret: "some client secret",
+        clientExpiresAt: Math.floor(Date.now() / 1000) - 1000,
         redirectUrl: "https://some.redirect/url",
         tokenType: "DPoP",
       });
@@ -810,11 +799,6 @@ describe("Session", () => {
           validateCurrentSessionPromise,
         ) as typeof clientAuthentication.validateCurrentSession;
 
-      // Mock isClientExpired to return true (expired client)
-      clientAuthentication.isClientExpired = (
-        jest.fn() as any
-      ).mockResolvedValue(true);
-
       const incomingRedirectPromise = Promise.resolve();
       clientAuthentication.handleIncomingRedirect = jest
         .fn()
@@ -864,13 +848,10 @@ describe("Session", () => {
         issuer: "https://some.issuer",
         clientAppId: "some client ID",
         clientAppSecret: "some client secret",
+        clientExpiresAt: Math.floor(Date.now() / 1000) - 1000,
         redirectUrl: "https://some.redirect/url",
       });
 
-      clientAuthentication.isClientExpired = (
-        jest.fn() as any
-      ).mockResolvedValue(true);
-
       clientAuthentication.handleIncomingRedirect = (
         jest.fn() as any
       ).mockResolvedValue(undefined);

packages/browser/src/Session.ts

@@ -86,12 +86,16 @@ export async function silentlyAuthenticate(
 ): Promise<boolean> {
   const storedSessionInfo = await clientAuthn.validateCurrentSession(sessionId);
   if (storedSessionInfo !== null) {
-    // Check if the client registration has expired before attempting silent auth
-    const clientExpired = await clientAuthn.isClientExpired(sessionId);
-    if (clientExpired) {
-      // Clear the stored session to prevent retry loops
-      window.localStorage.removeItem(KEY_CURRENT_SESSION);
-      return false;
+    // Check if the client registration has expired before attempting silent auth.
+    // Expiration only applies to confidential clients (those with a secret).
+    // clientExpiresAt === 0 means the registration never expires.
+    // clientExpiresAt === undefined with a secret means legacy data — treat as expired.
+    if (storedSessionInfo.clientAppSecret !== undefined) {
+      const expiresAt = storedSessionInfo.clientExpiresAt ?? -1;
+      if (expiresAt !== 0 && Math.floor(Date.now() / 1000) > expiresAt) {
+        window.localStorage.removeItem(KEY_CURRENT_SESSION);
+        return false;
+      }
     }
 
     // It can be really useful to save the user's current browser location,

packages/browser/src/__mocks__/ClientAuthentication.ts

@@ -19,7 +19,6 @@
 // SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 //
 
-import { jest } from "@jest/globals";
 import type {
   IIssuerConfigFetcher,
   ILoginHandler,
@@ -52,16 +51,11 @@ export const mockClientAuthentication = (
   mocks?: Partial<ClientAuthnDependencies>,
 ): ClientAuthentication => {
   const storage = mocks?.storage ?? mockStorageUtility({});
-  const clientAuthn = new ClientAuthentication(
+  return new ClientAuthentication(
     mocks?.loginhandler ?? mockLoginHandler(),
     mocks?.redirectHandler ?? mockIncomingRedirectHandler(),
     mocks?.logoutHandler ?? mockLogoutHandler(storage),
     mocks?.sessionInfoManager ?? mockSessionInfoManager(storage),
     mocks?.issuerConfigFetcher ?? IssuerConfigFetcherMock,
-    storage,
   );
-  // Add default mock for isClientExpired
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  clientAuthn.isClientExpired = (jest.fn() as any).mockResolvedValue(false);
-  return clientAuthn;
 };

packages/browser/src/dependencies.ts

@@ -105,6 +105,5 @@ export function getClientAuthenticationWithDependencies(dependencies: {
     new IWaterfallLogoutHandler(sessionInfoManager, redirector),
     sessionInfoManager,
     issuerConfigFetcher,
-    storageUtility,
   );
 }