feature/refactor: smartfeeds to reduce the client complexity

public/api/auth/index.ts

@@ -162,7 +162,7 @@ export type SESSION_INFO = {
 
 // DELETE /api/auth - log out (delete session)
 PRECHECKS.DELETE = [get_session, get_user, require_user];
-const back_then = new Date(0).toISOString();
+const back_then = new Date(0).toUTCString();
 export async function DELETE(_request: Request, meta: Record<string, any>): Promise<Response> {
 	await SESSIONS.delete(meta.session);
 
@@ -186,7 +186,7 @@ const session_secret_buffer = new Uint8Array(20);
 export async function create_new_session(session_settings: SESSION_INFO): Promise<SESSION_RESULT> {
 	const now = new Date().toISOString();
 	const expires: string = session_settings.expires ??
-		new Date(new Date(now).valueOf() + DEFAULT_SESSION_TIME).toUTCString();
+		new Date(new Date(now).valueOf() + DEFAULT_SESSION_TIME).toISOString();
 
 	crypto.getRandomValues(session_secret_buffer);
 
@@ -205,12 +205,13 @@ export async function create_new_session(session_settings: SESSION_INFO): Promis
 
 	const headers = new Headers();
 
-	headers.append('Set-Cookie', `${SESSION_ID_TOKEN}=${session.id}; Path=/; Expires=${expires}`);
+	const expires_in_utc = new Date(session.timestamps.expires).toUTCString();
+	headers.append('Set-Cookie', `${SESSION_ID_TOKEN}=${session.id}; Path=/; Secure; Expires=${expires_in_utc}`);
 	headers.append(`x-${SESSION_ID_TOKEN}`, session.id);
 
 	// TODO: this wasn't really intended to be persisted in a cookie, but we are using it to
 	// generate the TOTP for the call to /api/users/me
-	headers.append('Set-Cookie', `${SESSION_SECRET_TOKEN}=${session.secret}; Path=/; Expires=${expires}`);
+	headers.append('Set-Cookie', `${SESSION_SECRET_TOKEN}=${session.secret}; Path=/; Secure; Expires=${expires_in_utc}`);
 
 	return {
 		session,