sidebase / nuxt-auth

Authentication built for Nuxt 3! Easily add authentication via OAuth providers, credentials or Email Magic URLs!
https://auth.sidebase.io
MIT License
1.32k stars 164 forks

Refresh Token Expire Date #944

Open abolix opened 1 week ago

abolix commented 1 week ago

Environment

Reproduction

  auth: {
    isEnabled: true,
    globalAppMiddleware: true,
    baseURL: 'http://127.0.0.1:8000/userarea/',
    provider: {
      type: 'local',
      token: {
        signInResponseTokenPointer: '/access',
        type: 'Bearer',
        cookieName: 'auth.access',
        headerName: 'Authorization',
        maxAgeInSeconds: 60 * 3, // 3 minutes, shorter than the backend's 5-minute access token
        sameSiteAttribute: 'lax',
        secureCookieAttribute: false,
        httpOnlyCookieAttribute: false,
      },
      endpoints: {
        signIn: { path: 'login', method: 'POST' },
        signOut: { path: 'logout', method: 'POST' },
        getSession: { path: 'user-info', method: 'GET' },
        signUp: false
      },
      refresh: {
        isEnabled: true,
        refreshOnlyToken: true,
        token: {
          signInResponseRefreshTokenPointer: '/refresh',
          refreshRequestTokenPointer: '/refresh',
          cookieName: 'auth.refresh',
          maxAgeInSeconds: 1800, // 30 minutes; the backend's refresh token lives 90 days
          sameSiteAttribute: 'lax',
          secureCookieAttribute: false,
          httpOnlyCookieAttribute: false,
        },
        endpoint: {
          path: 'refresh',
          method: 'POST',
        },
      },
    },
    sessionRefresh: {
      enablePeriodically: 1000 * 30,
      enableOnWindowFocus: true,
    },
  },

Describe the bug

I have a Django JWT backend with an access token (5 minute exp) and a refresh token (90 day exp). Refresh token rotation is not active, so I used refreshOnlyToken: true.

I want my refresh token cookie to expire in 90 days, but I can't set maxAgeInSeconds to 60 * 60 * 24 * 90 because the max time is 24 days.

What is the approach here?

Additional context

No response

Logs

No response
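The "24 days" ceiling reported above matches a well-known number: setTimeout in browsers and Node.js accepts a signed 32-bit millisecond delay, so 2^31 - 1 ms (2147483647 ms, about 24.86 days) is the longest single timer that can be armed. Whether nuxt-auth's refresh scheduling actually runs into that limit is an assumption made here, not something the issue establishes; cookie Max-Age itself is not the constraint, since current browsers accept lifetimes far longer than 90 days. The example below is added for illustration and is not code from the nuxt-auth project or from the issue author. It shows where the 24-day boundary falls, how a long delay can be chained without exceeding the limit, and how a cookie lifetime can be derived from the refresh token's own exp claim so the cookie and the token expire together. The helper names (maxSafeMaxAgeSeconds, splitDelay, setLongTimeout, maxAgeFromJwtExp, sampleRefreshToken) and the sample token are constructed for this example; the token's iat value and payload shape are likewise assumptions.

```javascript
// Added example; not nuxt-auth project code. Assumes the reported 24-day ceiling is
// the signed 32-bit millisecond delay limit of setTimeout (2^31 - 1 ms).
const MAX_TIMER_DELAY_MS = 2 ** 31 - 1; // 2147483647 ms, about 24.86 days

// Largest maxAgeInSeconds whose millisecond equivalent still fits in one timer.
function maxSafeMaxAgeSeconds() {
  return Math.floor(MAX_TIMER_DELAY_MS / 1000); // 2147483 s
}

// True when a lifetime in seconds cannot be expressed as a single setTimeout delay.
function exceedsTimerLimit(maxAgeInSeconds) {
  return maxAgeInSeconds * 1000 > MAX_TIMER_DELAY_MS;
}

// Splits a long delay into chunks that each fit the timer limit; the last chunk
// carries the remainder, so the chunks always sum to delayMs.
function splitDelay(delayMs) {
  const chunks = [];
  let remaining = delayMs;
  while (remaining > MAX_TIMER_DELAY_MS) {
    chunks.push(MAX_TIMER_DELAY_MS);
    remaining -= MAX_TIMER_DELAY_MS;
  }
  chunks.push(remaining);
  return chunks;
}

// Fires callback after an arbitrarily long delay by re-arming a timer that never
// exceeds the limit. Works against a wall-clock deadline so chained timers do not
// accumulate drift. Returns a handle with cancel().
function setLongTimeout(callback, delayMs) {
  const deadline = Date.now() + delayMs;
  let handle = null;
  const arm = () => {
    const remaining = deadline - Date.now();
    if (remaining <= MAX_TIMER_DELAY_MS) {
      handle = setTimeout(callback, Math.max(0, remaining));
    } else {
      handle = setTimeout(arm, MAX_TIMER_DELAY_MS);
    }
  };
  arm();
  return { cancel: () => clearTimeout(handle) };
}

// Derives a cookie maxAge (seconds) from the token's exp claim so the cookie and the
// token expire together. The payload is decoded WITHOUT verifying the signature: the
// value is only used to pick a cookie lifetime, never to trust the token's contents.
function maxAgeFromJwtExp(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (!Number.isInteger(payload.exp)) throw new Error('missing exp claim');
  return Math.max(0, payload.exp - nowSeconds);
}

// Constructed sample token (assumption: a simplejwt-style refresh payload). The
// signature segment is a placeholder; nothing here validates it.
function sampleRefreshToken(issuedAt, lifetimeSeconds) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
  const header = b64({ alg: 'HS256', typ: 'JWT' });
  const payload = b64({ token_type: 'refresh', iat: issuedAt, exp: issuedAt + lifetimeSeconds });
  return `${header}.${payload}.placeholder`;
}

const NINETY_DAYS = 60 * 60 * 24 * 90; // 7776000 s, the lifetime the issue asks for

// Demonstration of the boundary the issue describes, usable as a quick check.
function demo() {
  const issuedAt = 1700000000; // constructed timestamp
  return {
    ninetyDaysExceedsOneTimer: exceedsTimerLimit(NINETY_DAYS),
    twentyFourDaysFits: !exceedsTimerLimit(60 * 60 * 24 * 24),
    timerChunksForNinetyDays: splitDelay(NINETY_DAYS * 1000),
    cookieMaxAgeFromFreshToken: maxAgeFromJwtExp(sampleRefreshToken(issuedAt, NINETY_DAYS), issuedAt),
  };
}
```

The numbers line up with the report: 24 days (2073600000 ms) fits in one timer, 25 days (2160000000 ms) does not, and 90 days needs four chained timers. One caveat worth weighing before extending the lifetime at all: the configuration above sets httpOnlyCookieAttribute: false on the refresh cookie, so any script running on the origin can read a refresh token that would then remain valid for 90 days; the longer the lifetime, the more that trade-off matters.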

phoenix-ru commented 1 day ago

because max time is 24 days.

Could you please elaborate why? Is it a technical limitation from the JavaScript side, our library or Django? AFAIK, browser limits on cookie age are high enough for your use case.

abolix commented 6 hours ago

I want my user to have the refresh token cookie for 90 days, because it's standard to keep the refresh token for this number of days, but I can't set the maxAgeInSeconds to 90 days. So it's going to expire after 24 days, but it should be kept for 90.