medusajs / medusa

The world's most flexible commerce platform.
https://medusajs.com
MIT License

[Bug]: Invite JWT Does Not Expire After 24 Hours as Expected #10342

Closed patidar closed 5 days ago

patidar commented 5 days ago

Package.json file

{
  "name": "medusa-starter-default",
  "version": "0.0.1",
  "description": "A starter for Medusa projects.",
  "author": "Medusa (https://medusajs.com)",
  "license": "MIT",
  "keywords": [
    "sqlite",
    "postgres",
    "typescript",
    "ecommerce",
    "headless",
    "medusa"
  ],
  "scripts": {
    "build": "medusa build",
    "seed": "medusa exec ./src/scripts/seed.ts",
    "start": "medusa start",
    "dev": "medusa develop",
    "test:integration:http": "TEST_TYPE=integration:http NODE_OPTIONS=--experimental-vm-modules jest --silent=false --runInBand --forceExit",
    "test:integration:modules": "TEST_TYPE=integration:modules NODE_OPTIONS=--experimental-vm-modules jest --silent --runInBand --forceExit",
    "test:unit": "TEST_TYPE=unit NODE_OPTIONS=--experimental-vm-modules jest --silent --runInBand --forceExit"
  },
  "dependencies": {
    "@medusajs/admin-sdk": "latest",
    "@medusajs/cli": "latest",
    "@medusajs/framework": "latest",
    "@medusajs/medusa": "latest",
    "@mikro-orm/core": "5.9.7",
    "@mikro-orm/knex": "5.9.7",
    "@mikro-orm/migrations": "5.9.7",
    "@mikro-orm/postgresql": "5.9.7",
    "awilix": "^8.0.1",
    "pg": "^8.13.0"
  },
  "devDependencies": {
    "@medusajs/test-utils": "latest",
    "@mikro-orm/cli": "5.9.7",
    "@swc/core": "1.5.7",
    "@swc/jest": "^0.2.36",
    "@types/jest": "^29.5.13",
    "@types/node": "^20.0.0",
    "@types/react": "^18.3.2",
    "@types/react-dom": "^18.2.25",
    "jest": "^29.7.0",
    "prop-types": "^15.8.1",
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "ts-node": "^10.9.2",
    "typescript": "^5.6.2",
    "vite": "^5.2.11"
  },
  "engines": {
    "node": ">=20"
  }
}

Node.js version

v22.11.0

Database and its version

PostgreSQL 17

Operating system name and version

Windows 11 23H2

Browser name

Chrome

What happened?

The invite JWT is not expiring after 24 hours as expected, based on the expires_at column in the table. This issue occurs because the DEFAULT_VALID_INVITE_DURATION constant is currently defined in milliseconds (60 * 60 * 24 * 1000), while the expiresIn field in the jsonwebtoken library expects a value in seconds when passed as a numeric value, or in milliseconds when passed as a string. This mismatch leads to an incorrect expiration calculation.

Steps to Reproduce:

Invite a user.
Retrieve the invite token from the database or URL.
Decode the JWT and check the expiration time.

Reference:

For more information, see the jsonwebtoken documentation on expiresIn under options at: https://github.com/auth0/node-jsonwebtoken#jwtsignpayload-secretorprivatekey-options-callback

Expected behavior

The invite JWT should expire in 24 hours after being issued.

Actual behavior

The invite JWT is not expiring after 24 hours; instead it expires in 24000 hours.

Link to reproduction repo

https://github.com/medusajs/medusa.git

sradevski commented 5 days ago

Thanks for the report, I'll have this fixed now

patidar commented 5 days ago

I appreciate that. If it helps, I submitted a pull request to fix the issue by converting the expiresIn value to a string with String(this.config.expiresIn). Thanks again 🙏