fix: fix broken timezone mismatch detection in session tracking

geo.timezone from geoip-lite is an IANA string (e.g. "America/New_York"),
not a numeric offset. parseInt() on it always returns NaN, making the
comparison always false — the timezone mismatch security flag never fires.

Convert the IANA timezone to a minute offset using toLocaleString() with
the timeZone option, then compare against the browser-reported offset.
Wrap in try/catch for invalid IANA timezone strings.

Author: ashsolei

api/track-session.js

@@ -249,14 +249,21 @@ export default async function handler(req, res) {
 
     // Geo anomaly (if timezone doesn't match)
     if (metadata.timezone && geo?.timezone) {
-      const tzOffset = new Date().getTimezoneOffset();
-      const geoOffset = parseInt(geo.timezone);
-      if (Math.abs(tzOffset + geoOffset * 60) > 120) { // More than 2 hours difference
-        securityFlags.push({
-          type: 'timezone_mismatch',
-          severity: 'low',
-          detail: `Browser timezone doesn't match IP location`
-        });
+      try {
+        // geo.timezone is an IANA string (e.g. "America/New_York"), not a numeric offset
+        const now = new Date();
+        const geoOffsetMs = now.getTime() - new Date(now.toLocaleString('en-US', { timeZone: geo.timezone })).getTime();
+        const geoOffsetMin = Math.round(geoOffsetMs / 60000);
+        const browserOffset = typeof metadata.timezone === 'number' ? metadata.timezone : now.getTimezoneOffset();
+        if (Math.abs(geoOffsetMin - browserOffset) > 120) { // More than 2 hours difference
+          securityFlags.push({
+            type: 'timezone_mismatch',
+            severity: 'low',
+            detail: `Browser timezone doesn't match IP location`
+          });
+        }
+      } catch {
+        // Invalid IANA timezone — skip check
       }
     }