supabase / auth-helpers

A collection of framework-specific Auth utilities for working with Supabase.
https://supabase.github.io/auth-helpers/
MIT License
908 stars 232 forks

fix: cookie maxAge should be in seconds #776

Open hmnd opened 7 months ago

hmnd commented 7 months ago

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

Cookie maxAge is currently being set to 1000 years, since maxAge is specified in seconds, not milliseconds.

What is the new behavior?

Cookie maxAge is 365 days (1 year), below the maxAge limit of 400 days (https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-13#section-4.1.2.2)

Additional context

Sorry for creating #765 again, but I don't think it's being monitored anymore now that it is closed.

As detailed in the earlier PR, this is seriously affecting usability for us with Hono, as it's currently requiring me to re-patch @supabase/ssr every time a new update to the package is released.
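The unit mix-up the PR describes, as an added example that is not code from @supabase/ssr, auth-helpers or Hono: the `Max-Age` cookie attribute is defined in seconds, so a duration computed the way JavaScript `Date` arithmetic is usually done (milliseconds) ends up 1000 times too large. The serializer below validates the value in seconds and either rejects anything over the 400-day cap from the rfc6265bis draft (the hard failure the PR attributes to Hono) or clamps it (modelled on the browser behaviour hmnd mentions later in the thread). Function names, the cookie name `session`, and the `strict` switch are this example's own assumptions.

```javascript
// Added example; not code from @supabase/ssr, auth-helpers or Hono.

const SECONDS_PER_DAY = 24 * 60 * 60;
const ONE_YEAR_SECONDS = 365 * SECONDS_PER_DAY;      // 31536000
// Cap from draft-ietf-httpbis-rfc6265bis-13 section 4.1.2.2 (400 days).
const MAX_AGE_CAP_SECONDS = 400 * SECONDS_PER_DAY;   // 34560000

// The defect described in the PR: a duration computed in milliseconds
// is written into an attribute the cookie spec defines in seconds.
function buggyMaxAge() {
  return ONE_YEAR_SECONDS * 1000; // 365 * 24 * 60 * 60 * 1000
}

// The fix: a plain seconds value, one year, under the 400-day cap.
function fixedMaxAge() {
  return ONE_YEAR_SECONDS;
}

// How long a Max-Age value actually asks the browser to keep the cookie.
function maxAgeInYears(maxAgeSeconds) {
  return maxAgeSeconds / ONE_YEAR_SECONDS;
}

// Build a Set-Cookie header value. `strict: true` throws on an over-cap
// Max-Age (a Hono-style hard failure); `strict: false` clamps to 400 days
// (assumption: modelled on a capping browser, not on any browser's source).
function serializeCookie(name, value, {
  maxAge, strict = true, path = '/', httpOnly = true, secure = true, sameSite = 'Lax',
} = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new TypeError(`invalid cookie name: ${name}`);
  }
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  let effective = maxAge;
  if (maxAge > MAX_AGE_CAP_SECONDS) {
    if (strict) {
      throw new RangeError(`maxAge ${maxAge}s exceeds the 400-day cap (${MAX_AGE_CAP_SECONDS}s)`);
    }
    effective = MAX_AGE_CAP_SECONDS;
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Max-Age=${effective}`, `Path=${path}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Read the Max-Age attribute back out of a Set-Cookie value (null if absent).
function parseMaxAge(setCookie) {
  const m = /(?:^|;\s*)Max-Age=(\d+)(?:;|$)/i.exec(setCookie);
  return m ? Number(m[1]) : null;
}

// Run the buggy and fixed values through the checks and report what happened.
function demo() {
  const results = {
    buggyYears: maxAgeInYears(buggyMaxAge()),   // 1000
    fixedYears: maxAgeInYears(fixedMaxAge()),   // 1
    buggyRejected: false,
    clampedTo: null,
    fixedHeader: serializeCookie('session', 'opaque-token', { maxAge: fixedMaxAge() }),
  };
  try {
    serializeCookie('session', 'opaque-token', { maxAge: buggyMaxAge() });
  } catch (e) {
    results.buggyRejected = e instanceof RangeError;
  }
  results.clampedTo = parseMaxAge(
    serializeCookie('session', 'opaque-token', { maxAge: buggyMaxAge(), strict: false }),
  );
  return results;
}

console.log(demo());
```

The clamp branch is there to show why the bug was invisible in most browsers: a capping browser silently trims 1000 years to 400 days, so the cookie still works and only a library that validates the attribute (or a non-capping client) surfaces the error.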

j4w8n commented 7 months ago

I'm pro RFC adherence. The only pushback I can possibly see is that the Proposed Standard RFC 6265 does not define a limit; only this new draft does.

It may have been unwise for Hono to have a hard failure for this; but at the same time, 365 days, or 400, seems reasonable and easily changeable by Supabase.

If anyone logs into a website, then closes the browser and waits a year to go back to that site, it's reasonable to expect them to log in again.

hmnd commented 6 months ago

@j4w8n fyi, Chrome, Safari, and Firefox have all agreed on this limit and at least Chrome has shipped this limit in v104. Nonetheless, I do agree that Hono shouldn't be forcing this onto its users and have thus opened an issue there too.