Add session data to Call type

- AuthService.validateRequest now returns AuthResult with both user and session
- Call type includes session: SessionData | null
- Handlers can access session metadata (createdAt, authMethod, etc.)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

express/auth/index.ts

@@ -7,7 +7,7 @@
 // Import authRoutes directly from "./auth/routes" instead.
 
 export { hashPassword, verifyPassword } from "./password";
-export { AuthService } from "./service";
+export { AuthService, type AuthResult } from "./service";
 export { type AuthStore, InMemoryAuthStore } from "./store";
 export { generateToken, hashToken, SESSION_COOKIE_NAME } from "./token";
 export * from "./types";

express/auth/service.ts

@@ -12,7 +12,7 @@ import {
     parseAuthorizationHeader,
     SESSION_COOKIE_NAME,
 } from "./token";
-import { type TokenId, tokenLifetimes } from "./types";
+import { type SessionData, type TokenId, tokenLifetimes } from "./types";
 
 type LoginResult =
     | { success: true; token: string; user: User }
@@ -24,6 +24,11 @@ type RegisterResult =
 
 type SimpleResult = { success: true } | { success: false; error: string };
 
+// Result of validating a request/token - contains both user and session
+export type AuthResult =
+    | { authenticated: true; user: User; session: SessionData }
+    | { authenticated: false; user: typeof AnonymousUser; session: null };
+
 export class AuthService {
     constructor(private store: AuthStore) {}
 
@@ -68,7 +73,7 @@ export class AuthService {
 
     // === Session Validation ===
 
-    async validateRequest(request: ExpressRequest): Promise<MaybeUser> {
+    async validateRequest(request: ExpressRequest): Promise<AuthResult> {
         // Try cookie first (for web requests)
         let token = this.extractCookieToken(request);
 
@@ -78,33 +83,33 @@ export class AuthService {
         }
 
         if (!token) {
-            return AnonymousUser;
+            return { authenticated: false, user: AnonymousUser, session: null };
         }
 
         return this.validateToken(token);
     }
 
-    async validateToken(token: string): Promise<MaybeUser> {
+    async validateToken(token: string): Promise<AuthResult> {
         const tokenId = hashToken(token) as TokenId;
         const session = await this.store.getSession(tokenId);
 
         if (!session) {
-            return AnonymousUser;
+            return { authenticated: false, user: AnonymousUser, session: null };
         }
 
         if (session.tokenType !== "session") {
-            return AnonymousUser;
+            return { authenticated: false, user: AnonymousUser, session: null };
         }
 
         const user = await this.store.getUserById(session.userId as UserId);
         if (!user || !user.isActive()) {
-            return AnonymousUser;
+            return { authenticated: false, user: AnonymousUser, session: null };
         }
 
         // Update last used (fire and forget)
         this.store.updateLastUsed(tokenId).catch(() => {});
 
-        return user;
+        return { authenticated: true, user, session };
     }
 
     private extractCookieToken(request: ExpressRequest): string | null {