Open Rudolf-Dudarev opened 2 months ago
I'm pretty sure I know what's going on here.
The ssr library is overwriting the maxAge
, set via options, to their default of 1000 years. However, Chrome is now adhering to RFC6265bis and lowering it to 400 days when setting the cookie.
There is a PR from a community member to get the default lowered to 365 or 400, but has not gotten any traction in the past.
Nonetheless, there is also an issue of the ssr library overriding what devs are setting. I assume this is by design, but I'm unsure why.
Is there any update when this issue might be handled? It's quite concerning that we can't set a shorter expiry time than 1 year for the access token.
@j4w8n @encima Sorry to ping you, but it does seem like a meaningful security issue that the JWT doesn't expire for a year. I read Supabase docs and everything related to JWTs, it seems that leaving that cookie for a year in client's browser makes it very vulnerable to token theft. As this post hasn't received much attention, I am curious if it could be just an issue with our setup. It's especially concerning for our company as we migrated our e-commerce backend to Supabase and are about to go live. I see that it's not just a local development issue as the setting from our staging Supabase instance also sets the expiry of the cookie to 1 year, overriding the settings.
@Rudolf-Dudarev I think the auth team has been pretty busy with some high-priority features, and I'm guessing they've had to triage other items like this one. Hopefully they will chime-in by early September, if not sooner; but I have no idea.
Thanks @j4w8n for jumping in here.
Here's more context around the fixed value and lack of configurability in the library
We recently updated it to 400 days
Main goal of the long time is to ensure Supabase Auth session expires before the max-age is reached, so as to guard against random logouts.
Bug report
Describe the bug
The
supabase/ssr
methodcreateServerClient
ignorescookieOptions
propertymaxAge
. Not only that but theconfig.toml
propertyjwt_expiry
is also ignored when setting the auth cookie expiry. So we get cookies set withExpires / Max-Age
of about 1 year. I have a Next.js app where this is observed.To Reproduce
config.toml
, set thejwt_expiry
to a low value, e.g.,300
(5min)cokieOptions
object with themaxAge
property in the server client config object with a low value, e.g.,300.
.signInAnonymousley()
orsignInWithPassword()
on the server side.cookieOptions
or theconfig.toml
.I observed this issue in my supabase server client utility function:
Expected behavior
The set cookie has an expiry matching the
jwt_expiry
field inconfig.toml
or is overriden and matches themaxAge
property set in thecreateServerClient
configcookieOptions
.Screenshots
System information
Additional context
Using Next.js 14.