From 2dc3463b698fbc7cc16747c859bf0d67b81be59b Mon Sep 17 00:00:00 2001
From: No jae gun <32046070+njg7194@users.noreply.github.com>
Date: Wed, 4 Feb 2026 14:38:07 +0900
Subject: [PATCH] fix(backend): use duration instead of timestamp for auth cookie maxAge (#5821)
The maxAge option in Express's res.cookie() expects a duration in milliseconds, not an absolute timestamp. The previous code was adding `Date.now()` to the validity period, causing cookies to expire decades in the future instead of the intended 1 day / 7 days. This was particularly problematic on macOS due to stricter cookie handling by Safari/WebKit. Addresses #5818
Co-authored-by: njg7194
---
 packages/hoppscotch-backend/src/auth/helper.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/hoppscotch-backend/src/auth/helper.ts b/packages/hoppscotch-backend/src/auth/helper.ts
index c417fb26..0f58b8be 100644
--- a/packages/hoppscotch-backend/src/auth/helper.ts
+++ b/packages/hoppscotch-backend/src/auth/helper.ts
@@ -58,13 +58,13 @@ export const authCookieHandler = (
 httpOnly: true,
 secure: configService.get('INFRA.ALLOW_SECURE_COOKIES') === 'true',
 sameSite: 'lax',
- maxAge: Date.now() + accessTokenValidityInMs,
+ maxAge: accessTokenValidityInMs,
 });
 res.cookie(AuthTokenType.REFRESH_TOKEN, authTokens.refresh_token, {
 httpOnly: true,
 secure: configService.get('INFRA.ALLOW_SECURE_COOKIES') === 'true',
 sameSite: 'lax',
- maxAge: Date.now() + refreshTokenValidityInMs,
+ maxAge: refreshTokenValidityInMs,
 });
 if (!redirect) {
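Review bot: Nothing on the new `maxAge` lines records that the value is a duration, so the mistake this commit fixes can be reintroduced. Both `res.cookie` calls would benefit from a short comment such as `// maxAge is a duration in ms relative to now, not an absolute timestamp`. The diffstat shows only helper.ts changed, so a unit test asserting that the `maxAge` passed to `res.cookie` equals the configured validity would pin the behaviour. Cookies issued by earlier builds keep their far-future expiry in the browser until they are overwritten or cleared, so session lifetime has to be enforced by the token's own expiry on the server; that check, and where `accessTokenValidityInMs` and `refreshTokenValidityInMs` are derived, lie outside this hunk, as do the start and end of `authCookieHandler`.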