fix: configurable JWT TTL with working refresh endpoint (#800)#801
Merged
Replace the hardcoded 24h JWT expiration with configurable TTL (default 30d) resolvable via JWT_EXPIRES_IN env var (ceiling) or admin Settings → Security UI. Rewrite /auth/refresh to accept valid-or-recently-expired tokens within a configurable grace window (default 7d), re-verifying the HS256 signature via Web Crypto (since hono/jwt checks exp before signature) and re-validating the user against the database before issuing a fresh token. Updates every token-minting call site (auth routes, OTP plugin, magic-link plugin, OAuth providers) to read the TTL from the DB-aware helper. Adds a live Session / JWT card to Admin → Settings → Security with save/load and matching persistence via SettingsService. Updates repo docs and the doc site authentication page to describe the new configuration surface and refresh semantics. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Restore "Authentication required" as the error message when /auth/refresh is called without a token, matching the prior behavior the E2E contract expects. - Update the cookie E2E to assert Max-Age is present (any positive value) instead of the old hardcoded 86400, since JWT TTL is now configurable. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
- JWT_EXPIRES_IN env var or Admin → Settings → Security UI. Env var acts as a ceiling.
- /auth/refresh to accept valid or recently-expired tokens within a configurable grace window (default 7d). Re-verifies HS256 via Web Crypto (hono/jwt checks exp before signature) and re-validates the user in the DB before issuing a new token.
- Fixes #800.
Changes
- packages/core/src/middleware/auth.ts — parseDuration, getJwtExpirySeconds, getJwtExpirySecondsFromDb, getJwtRefreshGraceSecondsFromDb, manual HS256 verify helper, grace-window support in verifyToken, configurable TTL in generateToken / setAuthCookie.
- packages/core/src/routes/auth.ts — removed hardcoded 24h TTLs, rewrote POST /auth/refresh with rate limit + grace window + DB re-validation, made setCsrfCookie DB-aware.
- packages/core/src/app.ts — added JWT_EXPIRES_IN and JWT_REFRESH_GRACE_SECONDS bindings.
- packages/core/src/middleware/index.ts — exported new helpers.
- packages/core/src/plugins/core-plugins/otp-login-plugin/index.ts, plugins/available/magic-link-auth/index.ts, plugins/core-plugins/oauth-providers/index.ts — switched to DB-aware TTL helper.
- packages/core/src/services/settings.ts — SecuritySettings interface, getSecuritySettings / saveSecuritySettings.
- packages/core/src/routes/admin-settings.ts — load persisted security settings, added validated POST /admin/settings/security.
- packages/core/src/templates/pages/admin-settings.template.ts — live Session / JWT card with TTL + grace inputs, new saveSecuritySettings() client handler.
- packages/core/src/__tests__/middleware/auth.test.ts — 8 new tests covering custom TTL, default TTL, grace accept/reject, bad-sig rejection within grace, and getJwtExpirySeconds duration parsing.
- docs/authentication.md, packages/core/src/plugins/core-plugins/otp-login-plugin/README.md, www/src/app/authentication/page.mdx — documentation updates.

Testing

- npm run type-check clean

Checklist
🤖 Generated with Claude Code
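The refresh semantics described above (verify the HS256 signature first, only then compare exp against a grace window, so an expired-but-genuine token can be told apart from a forged one), as an added stand-alone example that is not the PR's own code. It uses Node's synchronous node:crypto HMAC in place of the Web Crypto call the PR makes; the duration parser, secret, verdict names and token layout are assumptions, and the DB re-validation step that follows a successful verdict is out of scope here.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed demo secret; a real deployment loads its signing secret from config.
const DEMO_SECRET = "demo-secret-do-not-use";

type RefreshVerdict = "valid" | "expired-in-grace" | "rejected";

const b64url = (data: Buffer | string): string => Buffer.from(data).toString("base64url");

// Parse "30d", "12h", "15m", "90s" or a bare number of seconds into seconds.
function parseDuration(value: string): number {
  const m = /^(\d+)([smhd]?)$/.exec(value.trim());
  if (!m) throw new Error(`invalid duration: ${value}`);
  const mult: Record<string, number> = { "": 1, s: 1, m: 60, h: 3600, d: 86400 };
  return Number(m[1]) * mult[m[2]];
}

// Mint an HS256 token; used here only to construct sample tokens for the checks below.
function signHs256(payload: Record<string, unknown>, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  return `${header}.${body}.${b64url(sig)}`;
}

// Signature first, exp second. A verifier that rejects on exp before checking the
// signature cannot distinguish "expired but genuine" from "expired and forged",
// which is exactly the distinction a grace-window refresh endpoint depends on.
function verifyForRefresh(
  token: string, secret: string, nowSeconds: number, graceSeconds: number,
): RefreshVerdict {
  const parts = token.split(".");
  if (parts.length !== 3) return "rejected";
  const [header, body, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  const actual = Buffer.from(sig, "base64url");
  // Constant-time compare; length check first because timingSafeEqual throws on mismatch.
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) return "rejected";
  let payload: { exp?: unknown; sub?: unknown };
  try { payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8")); }
  catch { return "rejected"; }
  if (typeof payload.exp !== "number" || typeof payload.sub !== "string") return "rejected";
  if (payload.exp > nowSeconds) return "valid";
  if (payload.exp > nowSeconds - graceSeconds) return "expired-in-grace";
  return "rejected"; // expired beyond the grace window: caller must re-authenticate
}
```

A caller would only hit the database (to confirm the subject still exists and is active) after a "valid" or "expired-in-grace" verdict, never after "rejected".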