fix(backend): use duration instead of timestamp for auth cookie maxAge (#5821)

The maxAge option in Express's res.cookie() expects a duration in milliseconds, not an absolute timestamp. The previous code was adding `Date.now()` to the validity period, causing cookies to expire decades in the future instead of the intended 1 day / 7 days.

This was particularly problematic on macOS due to stricter cookie handling by Safari/WebKit.

Addresses #5818

Co-authored-by: njg7194 <njg7194@users.noreply.github.com>
No jae gun 2026-02-04 14:38:07 +09:00 committed by GitHub
parent 3c0938da9d
commit 2dc3463b69
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -58,13 +58,13 @@ export const authCookieHandler = (
httpOnly: true, httpOnly: true,
secure: configService.get('INFRA.ALLOW_SECURE_COOKIES') === 'true', secure: configService.get('INFRA.ALLOW_SECURE_COOKIES') === 'true',
sameSite: 'lax', sameSite: 'lax',
maxAge: Date.now() + accessTokenValidityInMs, maxAge: accessTokenValidityInMs,
}); });
res.cookie(AuthTokenType.REFRESH_TOKEN, authTokens.refresh_token, { res.cookie(AuthTokenType.REFRESH_TOKEN, authTokens.refresh_token, {
httpOnly: true, httpOnly: true,
secure: configService.get('INFRA.ALLOW_SECURE_COOKIES') === 'true', secure: configService.get('INFRA.ALLOW_SECURE_COOKIES') === 'true',
sameSite: 'lax', sameSite: 'lax',
maxAge: Date.now() + refreshTokenValidityInMs, maxAge: refreshTokenValidityInMs,
}); });
if (!redirect) { if (!redirect) {