Masked Session, access token display and usage for login status.

simonredfern · simonredfern · commit 98a7ce21c19d · 2026-03-05T23:03:31.000+01:00
diff --git a/src/routes/(protected)/user/+layout.server.ts b/src/routes/(protected)/user/+layout.server.ts
@@ -3,6 +3,27 @@ const logger = createLogger('UserPageServer');
 import type { RequestEvent } from '@sveltejs/kit';
 import { obpIntegrationService } from '$lib/opey/services/OBPIntegrationService';
 import { env } from '$env/dynamic/private';
+import { jwtDecode } from 'jwt-decode';
+import type { OAuth2AccessTokenPayload } from '$lib/oauth/types';
+
+function maskString(value: string, visibleChars = 4): string {
+	if (value.length <= visibleChars * 2) return '****';
+	return `${value.slice(0, visibleChars)}...${value.slice(-visibleChars)}`;
+}
+
+function decodeTokenTimes(token: string): { issuedAt: string | null; expiresAt: string | null; expiresInSeconds: number | null } {
+	try {
+		const payload = jwtDecode<OAuth2AccessTokenPayload>(token);
+		const now = Date.now();
+		return {
+			issuedAt: payload.iat ? new Date(payload.iat * 1000).toISOString() : null,
+			expiresAt: payload.exp ? new Date(payload.exp * 1000).toISOString() : null,
+			expiresInSeconds: payload.exp ? Math.round((payload.exp * 1000 - now) / 1000) : null,
+		};
+	} catch {
+		return { issuedAt: null, expiresAt: null, expiresInSeconds: null };
+	}
+}
 
 export async function load(event: RequestEvent) {
 	const session = event.locals.session;
@@ -43,8 +64,31 @@ export async function load(event: RequestEvent) {
 		}
 	}
 
+	// Build masked session info for the profile page
+	const oauth = session?.data?.oauth;
+	const accessToken = oauth?.access_token;
+	const refreshToken = oauth?.refresh_token;
+
+	const accessTokenTimes = accessToken ? decodeTokenTimes(accessToken) : null;
+	const refreshTokenTimes = refreshToken ? decodeTokenTimes(refreshToken) : null;
+
+	const sessionInfo = {
+		sessionId: session?.id ? maskString(session.id) : null,
+		oauthProvider: oauth?.provider || null,
+		hasAccessToken: !!accessToken,
+		accessTokenPreview: accessToken ? maskString(accessToken) : null,
+		accessTokenIssuedAt: accessTokenTimes?.issuedAt || null,
+		accessTokenExpiresAt: accessTokenTimes?.expiresAt || null,
+		accessTokenExpiresInSeconds: accessTokenTimes?.expiresInSeconds ?? null,
+		hasRefreshToken: !!refreshToken,
+		refreshTokenPreview: refreshToken ? maskString(refreshToken) : null,
+		refreshTokenExpiresAt: refreshTokenTimes?.expiresAt || null,
+		refreshTokenExpiresInSeconds: refreshTokenTimes?.expiresInSeconds ?? null,
+	};
+
 	return {
 		userData: userData || null,
-		opeyConsentInfo
+		opeyConsentInfo,
+		sessionInfo
 	};
 }
diff --git a/src/routes/(protected)/user/+page.svelte b/src/routes/(protected)/user/+page.svelte
@@ -14,6 +14,24 @@
   console.debug("USER DATA:", JSON.stringify(userData));
 
   const opeyConsentInfo = data.opeyConsentInfo || null;
+  const sessionInfo = data.sessionInfo || null;
+
+  function formatTimeRemaining(seconds: number | null): string {
+    if (seconds === null) return "Unknown";
+    if (seconds <= 0) return "Expired";
+    const hours = Math.floor(seconds / 3600);
+    const minutes = Math.floor((seconds % 3600) / 60);
+    if (hours > 0) return `${hours}h ${minutes}m`;
+    if (minutes > 0) return `${minutes}m`;
+    return `${seconds}s`;
+  }
+
+  function tokenStatusColor(seconds: number | null): string {
+    if (seconds === null) return "bg-surface-300 dark:bg-surface-600";
+    if (seconds <= 0) return "bg-error-500";
+    if (seconds < 300) return "bg-warning-500";
+    return "bg-success-500";
+  }
 
   function formatDateFromUnix(epochDateMilliseconds: number | string): string {
     console.log("Formatting date:", epochDateMilliseconds);
@@ -361,6 +379,92 @@
 <div class="flex flex-col space-y-6">
   {@render userInfo(userData)}
 
+  <!-- Session Info Section -->
+  <div class="mx-10 pr-5">
+    <header class="py-4">
+      <h1 class="h4 text-center align-middle">Session Info</h1>
+    </header>
+    {#if sessionInfo && sessionInfo.hasAccessToken}
+      <article class="border-primary-500 space-y-1 border-b-[1px] p-4">
+        {#each [
+          { label: "Session ID", value: sessionInfo.sessionId },
+          { label: "OAuth Provider", value: sessionInfo.oauthProvider },
+        ] as item}
+          <div class="hover:bg-primary-500/5 flex items-center justify-between rounded-md p-2" data-testid={`session-${item.label.toLowerCase().replace(/\s+/g, "-")}`}>
+            <strong>{item.label}</strong>
+            <span class="rounded-sm bg-gray-800/20 p-2 font-mono text-sm backdrop-blur-2xl">
+              {item.value || "N/A"}
+            </span>
+          </div>
+          <hr class="hr !my-0 opacity-20" />
+        {/each}
+
+        <!-- Access Token -->
+        <div class="hover:bg-primary-500/5 flex items-center justify-between rounded-md p-2" data-testid="session-access-token">
+          <div class="flex items-center gap-2">
+            <strong>Access Token</strong>
+            <span class="h-2.5 w-2.5 rounded-full {tokenStatusColor(sessionInfo.accessTokenExpiresInSeconds)}" title={sessionInfo.accessTokenExpiresInSeconds !== null && sessionInfo.accessTokenExpiresInSeconds <= 0 ? "Expired" : "Active"}></span>
+          </div>
+          <div class="flex items-center gap-3">
+            <span class="rounded-sm bg-gray-800/20 p-2 font-mono text-sm backdrop-blur-2xl">
+              {sessionInfo.accessTokenPreview || "N/A"}
+            </span>
+            <span class="text-xs text-surface-600 dark:text-surface-400">
+              {#if sessionInfo.accessTokenExpiresInSeconds !== null && sessionInfo.accessTokenExpiresInSeconds <= 0}
+                Expired
+              {:else}
+                {formatTimeRemaining(sessionInfo.accessTokenExpiresInSeconds)} remaining
+              {/if}
+            </span>
+          </div>
+        </div>
+        <hr class="hr !my-0 opacity-20" />
+
+        <!-- Refresh Token -->
+        <div class="hover:bg-primary-500/5 flex items-center justify-between rounded-md p-2" data-testid="session-refresh-token">
+          <div class="flex items-center gap-2">
+            <strong>Refresh Token</strong>
+            {#if sessionInfo.hasRefreshToken}
+              <span class="h-2.5 w-2.5 rounded-full {tokenStatusColor(sessionInfo.refreshTokenExpiresInSeconds)}" title={sessionInfo.refreshTokenExpiresInSeconds !== null && sessionInfo.refreshTokenExpiresInSeconds <= 0 ? "Expired" : "Active"}></span>
+            {:else}
+              <span class="h-2.5 w-2.5 rounded-full bg-error-500" title="Missing"></span>
+            {/if}
+          </div>
+          <div class="flex items-center gap-3">
+            {#if sessionInfo.hasRefreshToken}
+              <span class="rounded-sm bg-gray-800/20 p-2 font-mono text-sm backdrop-blur-2xl">
+                {sessionInfo.refreshTokenPreview}
+              </span>
+              <span class="text-xs text-surface-600 dark:text-surface-400">
+                {#if sessionInfo.refreshTokenExpiresAt === null}
+                  Expiry unknown (not a JWT)
+                {:else if sessionInfo.refreshTokenExpiresInSeconds !== null && sessionInfo.refreshTokenExpiresInSeconds <= 0}
+                  Expired
+                {:else}
+                  {formatTimeRemaining(sessionInfo.refreshTokenExpiresInSeconds)} remaining
+                {/if}
+              </span>
+            {:else}
+              <span class="text-xs text-error-600 dark:text-error-400">
+                None — session cannot auto-renew
+              </span>
+            {/if}
+          </div>
+        </div>
+        <hr class="hr !my-0 opacity-20" />
+      </article>
+    {:else}
+      <article class="border-primary-500 border-b-[1px] p-4">
+        <div class="rounded-lg bg-warning-50 p-3 dark:bg-warning-900/20" data-testid="session-warning">
+          <p class="text-sm text-warning-700 dark:text-warning-300">
+            No active session found. Your session may have expired.
+            <a href="/login" class="font-medium underline hover:text-warning-900 dark:hover:text-warning-100">Log in again</a> to restore full functionality.
+          </p>
+        </div>
+      </article>
+    {/if}
+  </div>
+
   <!-- Preferences Section -->
   <div class="mx-10 pr-5">
     <header class="flex items-center justify-between py-4">
diff --git a/src/routes/+layout.server.ts b/src/routes/+layout.server.ts
@@ -55,14 +55,15 @@ export async function load(event: RequestEvent) {
   );
 
   // Get information about the user from the session if they are logged in
+  // User is only considered logged in if they have both user data AND a valid access token
   logger.info("👤 Checking user session");
-  if (session?.data?.user) {
+  if (session?.data?.user && session?.data?.oauth?.access_token) {
     data.userId = session.data.user.user_id;
     data.email = session.data.user.email;
     data.username = session.data.user.username;
     logger.info(`✅ User session found: ${data.email}`);
   } else {
-    logger.info("ℹ️  No user session found (user not logged in)");
+    logger.info("ℹ️  No user session found (user not logged in or no access token)");
   }
 
   // Get Opey consent info if we have Opey consumer ID configured
