
The BFF trust boundary

How auth actually works, as prose bound to the server code: the global guard, the httpOnly cookie session (access and refresh tokens are set by the server and never readable by page script), and the authenticated client that refreshes on 401.

src/lib/server/session.ts (26 lines; setSessionCookies at lines 12–20)
1import { dev } from '$app/environment';
2import type { RequestEvent } from '@sveltejs/kit';
3
/** Name of the cookie that carries the upstream access token (httpOnly, see `opts`). */
export const AT_COOKIE = 'donna_at';
/** Name of the cookie that carries the upstream refresh token (httpOnly, see `opts`). */
export const RT_COOKIE = 'donna_rt';
// NOTE(review): neither name carries the `__Host-` prefix, so the browser does not
// pin these cookies to this exact host + path '/'. Adding it changes the wire cookie
// name — coordinate with every consumer of these constants before renaming.

/**
 * Lifetime handed to the refresh-token cookie, in seconds (cookie `maxAge` unit).
 * This is a hard-coded copy of lq-ai's `jwt_refresh_token_ttl` default (8h), not a
 * value read from the token response: if that server setting changes, the cookie
 * silently outlives or dies before the token it holds — keep the two in step.
 */
export const REFRESH_TTL_SECONDS = 8 * 60 * 60; // 28 800 s
7
/**
 * Cookie attributes shared by both session cookies.
 *
 * @param maxAge lifetime in seconds (what SvelteKit's `cookies.set` expects).
 * @returns attributes for `event.cookies.set`.
 */
function opts(maxAge: number) {
  const sameSite = 'lax' as const;
  return {
    // Never exposed to document.cookie: script injected into the page cannot read
    // the tokens (it can still drive requests through the BFF, but not exfiltrate them).
    httpOnly: true,
    // Plain-http cookies are tolerated only under the dev server.
    secure: !dev,
    // 'lax': cross-site POST/fetch will not carry the cookies, but top-level GET
    // navigations will — any state-changing GET route would be CSRF-exposed.
    sameSite,
    // NOTE(review): path '/' means the refresh token is sent on every request to
    // this origin, not only to the refresh endpoint; narrowing RT_COOKIE's path
    // would shrink that exposure (clearSessionCookies would have to follow).
    path: '/',
    maxAge
  };
}
11
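/**
 * Persist a login or refresh result as the two httpOnly session cookies.
 *
 * Both cookies get the attributes from `opts` (httpOnly, secure outside dev,
 * sameSite=lax, path '/'), so page script never sees the tokens; the BFF
 * forwards them server-side.
 *
 * @param event        SvelteKit request event whose `cookies` API is used.
 * @param accessToken  Upstream access token. Its cookie's lifetime equals
 *                     `expiresIn`, so the browser drops it at the moment the
 *                     token itself expires.
 * @param refreshToken Optional. When omitted (or empty) the existing refresh
 *                     cookie is left untouched, so callers whose server rotates
 *                     refresh tokens must pass the new one every time.
 * @param expiresIn    Access-token lifetime in seconds — cookie `maxAge` is in
 *                     seconds; presumably mirrors the OAuth2 `expires_in` field
 *                     (confirm with the caller).
 * @throws RangeError  if `expiresIn` is not a positive finite number. Without
 *                     this guard a bad value reaches `Set-Cookie` as a zero or
 *                     negative Max-Age, i.e. the browser silently discards the
 *                     session instead of the caller seeing an error.
 */
export function setSessionCookies(
  event: RequestEvent,
  accessToken: string,
  refreshToken: string | undefined,
  expiresIn: number
) {
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new RangeError(
      `setSessionCookies: expiresIn must be a positive number of seconds, got ${expiresIn}`
    );
  }
  event.cookies.set(AT_COOKIE, accessToken, opts(expiresIn));
  // The refresh cookie's TTL is the hard-coded REFRESH_TTL_SECONDS, not anything
  // the token server reported; if the server's refresh TTL differs, the cookie
  // outlives or dies before the token it holds.
  if (refreshToken) event.cookies.set(RT_COOKIE, refreshToken, opts(REFRESH_TTL_SECONDS));
}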
21
/**
 * Log the browser out of the BFF by expiring both session cookies.
 *
 * A browser only honours a deletion whose name, path (and domain) match the
 * cookie that was set; `opts` sets `path: '/'` and no domain, so the same path
 * is passed here. If `opts` ever scopes a cookie to a narrower path, this must
 * follow or that cookie will survive logout.
 *
 * Only the cookies are removed — nothing here revokes the upstream tokens.
 *
 * @param event SvelteKit request event whose `cookies` API is used.
 */
export function clearSessionCookies(event: RequestEvent) {
  for (const name of [AT_COOKIE, RT_COOKIE]) {
    event.cookies.delete(name, { path: '/' });
  }
}
26