fix(sdk): check token expiry in isAuthenticated() #80

Closed
aarushisingh04 wants to merge 1 commit into stripe:main from aarushisingh04:fix/auth-expiry-check

@aarushisingh04

summary

identified and fixed a bug where isAuthenticated() in storage.ts returned true for expired tokens. expired sessions were treated as valid until the next API call returned a 401, meaning that any auth-gated command would proceed assuming a valid token.

changes made

  • updated isAuthenticated() in both Storage and MemoryStorage to check auth.expires_at against Date.now(), returning false if the token has expired.
  • added packages/sdk/src/utils/__tests__/auth-expiry.test.ts covering: valid tokens, expired tokens, the exact expiry boundary (>=), pre-set expires_at taking precedence over expires_in, and both clearAuth() and clearAll() resetting authenticated state.
  • also added a constructor comment to MemoryStorage warning that withComputedExpiry stamps expires_at at construction time, so tests using vi.useFakeTimers() should call setAuth() after installing fake timers rather than passing initialAuth directly.

testing

  • ran npx turbo run test --filter @stripe/link-sdk (all pass).
  • verified formatting and linting with biome check.

@aarushisingh04 aarushisingh04 requested a review from a team as a code owner May 7, 2026 14:18
Contributor

@danhill-stripe danhill-stripe left a comment

Good catch, thanks!

Contributor

@danhill-stripe danhill-stripe left a comment

Actually, looking more closely. The expires_at is only when the refresh token is needed for a new access token, not when the user needs to re-authenticate.

@aarushisingh04
Author

@danhill-stripe oh right, checked session.ts after your comment, it's handled correctly there. thanks, and you can close the pr if no further discussion is needed.
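
An added example, not code from this PR or from the SDK, of the distinction raised in the review: a past expires_at triggers a token refresh, and only a missing credential or a rejected refresh ends the session. AuthRecord, SketchStorage, Refresh and accessTokenFor are hypothetical names, the refresh call is synchronous for brevity, and expires_in is assumed to be in seconds.

```typescript
// Added illustration. AuthRecord, SketchStorage, accessTokenFor and Refresh are
// hypothetical names, not the SDK's API; expires_in is assumed to be in seconds.
interface AuthRecord {
  access_token: string;
  refresh_token: string;
  expires_at: number; // epoch ms after which the access token must be refreshed
}
type Refresh = (refreshToken: string) => { access_token: string; expires_in: number };

class SketchStorage {
  private auth: AuthRecord | null = null;
  setAuth(auth: AuthRecord): void { this.auth = auth; }
  getAuth(): AuthRecord | null { return this.auth; }
  clearAuth(): void { this.auth = null; }
  // Stored credentials mean "logged in"; a past expires_at does not end the session.
  isAuthenticated(): boolean { return this.auth !== null; }
  // The expiry comparison (>= boundary) answers a different question.
  accessTokenExpired(now: number): boolean {
    return this.auth === null || now >= this.auth.expires_at;
  }
}

// Session layer: refresh once expires_at has passed; require a new login only
// when no credentials are stored or the refresh itself is rejected.
function accessTokenFor(store: SketchStorage, refresh: Refresh, now: number): string | null {
  const auth = store.getAuth();
  if (auth === null) return null;
  if (!store.accessTokenExpired(now)) return auth.access_token;
  try {
    const next = refresh(auth.refresh_token);
    const expires_at = now + next.expires_in * 1000;
    store.setAuth({ ...auth, access_token: next.access_token, expires_at });
    return next.access_token;
  } catch {
    store.clearAuth(); // refresh token rejected: the user must re-authenticate
    return null;
  }
}

// Constructed scenario: access token expired at t=1000, refresh still accepted.
function demo(): { before: boolean; token: string | null; after: boolean } {
  const store = new SketchStorage();
  store.setAuth({ access_token: "at-1", refresh_token: "rt-1", expires_at: 1000 });
  const before = store.isAuthenticated();
  const token = accessTokenFor(store, () => ({ access_token: "at-2", expires_in: 3600 }), 2000);
  return { before, token, after: store.isAuthenticated() };
}
```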
