
Allow the maxAge/expires applied to the cookies to be configurable

Open jason-brady-mythical opened this issue 3 years ago • 5 comments

Description 📓

Currently the maxAge on the JWT and the expires on the cookie options are being set to a hard-coded 15 minutes.

pkce

defined here

https://github.com/nextauthjs/next-auth/blob/e4ee520b4aba55fbc123801291bcba404f578d3f/packages/next-auth/src/core/lib/oauth/pkce-handler.ts#L7

set as expires here

https://github.com/nextauthjs/next-auth/blob/e4ee520b4aba55fbc123801291bcba404f578d3f/packages/next-auth/src/core/lib/oauth/pkce-handler.ts#L30

overwrites the jwt maxAge option here

https://github.com/nextauthjs/next-auth/blob/e4ee520b4aba55fbc123801291bcba404f578d3f/packages/next-auth/src/core/lib/oauth/pkce-handler.ts#L35

state

defined here

https://github.com/nextauthjs/next-auth/blob/e4ee520b4aba55fbc123801291bcba404f578d3f/packages/next-auth/src/core/lib/oauth/state-handler.ts#L6

set as expires here

https://github.com/nextauthjs/next-auth/blob/e4ee520b4aba55fbc123801291bcba404f578d3f/packages/next-auth/src/core/lib/oauth/state-handler.ts#L30

overwrites the jwt maxAge option here

https://github.com/nextauthjs/next-auth/blob/e4ee520b4aba55fbc123801291bcba404f578d3f/packages/next-auth/src/core/lib/oauth/state-handler.ts#L23

proposal

Add a new option for stateMaxAge and pkceMaxAge on the jwt options. If these are not set the 15 minute default mentioned above would be used.

(code snippet for state-handler.js showing the hard-coded expires replaced by a stateMaxAge option; not preserved in extraction)

Similar changes in pkce-handler.js

reason

We are using FusionAuth with 2FA that emails a code. We have a client that is using an SMTP server that is taking 15 minutes to deliver the email with the code. This delay prevents the client from being able to submit the 2FA code to finish the login process because the hard-coded max age and expires of 15 minutes has already been reached. We need to be able to extend that time so that the client has enough time to receive and submit the 2FA code.

How to reproduce ☕️

To reproduce, bring up the login page for any application using next-auth, let the page sit for over 15 minutes, and then log in.

Contributing 🙌🏽

Yes, I am willing to help implement this feature in a PR

jason-brady-mythical avatar Jun 01 '22 00:06 jason-brady-mythical

pkce and state are not utilized when logging in with e-mail, as these are part of the OAuth spec.

Are you using the FusionAuth or Email provider? Could you clarify?

balazsorban44 avatar Jun 02 '22 10:06 balazsorban44

I am using FusionAuth.
FusionAuth is emailing a 2FA code after entering credentials on the login page. (screenshots: login, code)

There is no redirect back to our app between those screens. This flow stays in FusionAuth between login and 2fa.

jason-brady-mythical avatar Jun 02 '22 15:06 jason-brady-mythical

Thanks, that clarifies it! So from next-auth's perspective, you still use OAuth. :+1: In that case, I think the correct place to add these changes would be here:

https://github.com/nextauthjs/next-auth/blob/e4ee520b4aba55fbc123801291bcba404f578d3f/packages/next-auth/src/core/lib/cookie.ts#L87-L102

And let's reuse the default values from the files above you identified (pkce-handler, state-handler). Those files must also be updated.

Do you want to open a PR?

balazsorban44 avatar Jun 03 '22 10:06 balazsorban44

Yes I will open a PR.

If I run into issues building/running next-auth locally should I ask questions here or on the PR?

jason-brady-mythical avatar Jun 03 '22 22:06 jason-brady-mythical

It looks like this issue did not receive any activity for 60 days. It will be closed in 7 days if no further activity occurs. If you think your issue is still relevant, commenting will keep it open. Thanks!

stale[bot] avatar Oct 14 '22 02:10 stale[bot]

Still waiting on this #4719 to be merged so this can be closed.

jason-brady-mythical avatar Oct 17 '22 21:10 jason-brady-mythical