Refresh Token Expire Date
Environment
- Operating System: Linux
- Node Version: v23.2.0
- Nuxt Version: 3.14.159
- CLI Version: 3.15.0
- Nitro Version: 2.10.4
- Package Manager: [email protected]
- Builder: -
- User Config: default
- Runtime Modules: @pinia/[email protected], @nuxt/[email protected], @nuxt/[email protected], [email protected], @nuxt/[email protected], @nuxt/[email protected], @sidebase/[email protected]
- Build Modules: -
Reproduction
```ts
auth: {
  isEnabled: true,
  globalAppMiddleware: true,
  baseURL: 'http://127.0.0.1:8000/userarea/',
  provider: {
    type: 'local',
    token: {
      signInResponseTokenPointer: '/access',
      type: 'Bearer',
      cookieName: 'auth.access',
      headerName: 'Authorization',
      maxAgeInSeconds: 60 * 3,
      sameSiteAttribute: 'lax',
      secureCookieAttribute: false,
      httpOnlyCookieAttribute: false,
    },
    endpoints: {
      signIn: { path: 'login', method: 'POST' },
      signOut: { path: 'logout', method: 'POST' },
      getSession: { path: 'user-info', method: 'GET' },
      signUp: false
    },
    refresh: {
      isEnabled: true,
      refreshOnlyToken: true,
      token: {
        signInResponseRefreshTokenPointer: '/refresh',
        refreshRequestTokenPointer: '/refresh',
        cookieName: 'auth.refresh',
        maxAgeInSeconds: 1800,
        sameSiteAttribute: 'lax',
        secureCookieAttribute: false,
        httpOnlyCookieAttribute: false,
      },
      endpoint: {
        path: 'refresh',
        method: 'POST',
      },
    },
  },
  sessionRefresh: {
    enablePeriodically: 1000 * 30,
    enableOnWindowFocus: true,
  },
},
```
Describe the bug
I have a Django JWT backend with access (5 minutes exp) & refresh token (90 days exp).
The refresh token rotation is not active, so I used refreshOnlyToken: true.
I want my refresh token cookie to expire in 90 days, but I can't set maxAgeInSeconds to 60 * 60 * 24 * 90 because max time is 24 days.
What is the approach here?
Additional context
No response
Logs
No response
> because max time is 24 days.
Could you please elaborate why? Is it a technical limitation from the JavaScript side, our library or Django? AFAIK, browser limits on cookie age are high enough for your use case.
I want my user to have the refresh token cookie for 90 days, because it's standard to keep the refresh token for this amount of days, but I can't set the maxAgeInSeconds to 90 days. So it's gonna be expired after 24 days but it should be kept for 90.
I don't understand what you mean? You mean that the max delay argument supplied to the setInterval function is 24.8 days?
https://developer.mozilla.org/en-US/docs/Web/API/Window/setInterval#return_value
https://github.com/sidebase/nuxt-auth/blob/218a8465fd01fbf70562ab4cc1083dea3931d1a1/src/runtime/utils/refreshHandler.ts#L46-L52
Yes, it's logical that you can't set the timer longer than 24 days, but you have to keep in mind that setInterval is only valid while the browser tab is active and it won't persist across reloads. As it's highly improbable that anyone keeps the tab open for over 24 days (or your 90 days), I am not sure what exactly you are trying to achieve?
Maybe a better implementation would've been to set the interval to the actual expiry date of the refresh token, but that's another story.
Adding to it, I have also checked the useCookie implementation in Nuxt, which in turn uses cookie-es. Their implementation explicitly checks the maxAge:
https://github.com/unjs/cookie-es/blob/d83ac9456e1dae5033abb187017d5b43f982b17b/src/cookie/serialize.ts#L51-L59
Are you getting any errors from cookie-es? The value you want to use is absolutely correct and shouldn't trigger any issues. Please verify that the issue is not in your setup.
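The two limits discussed in this thread, side by side, as an added example (not code from nuxt-auth, cookie-es or any commenter): a timer delay must fit in a signed 32-bit millisecond value, while a cookie's Max-Age of 90 days is only a number of seconds. All helper names are hypothetical, the token value is constructed, and the example assumes the lifetime in seconds is converted to a millisecond timer delay.

```javascript
// Added example; helper names are hypothetical, not nuxt-auth or cookie-es API.
const MAX_TIMER_DELAY_MS = 2 ** 31 - 1; // 2147483647 ms, about 24.8 days
const NINETY_DAYS_S = 60 * 60 * 24 * 90; // 7776000 s, the value from the issue

// True when a lifetime in seconds, converted to ms, still fits a timer delay.
function timerDelayFits(maxAgeInSeconds) {
  return maxAgeInSeconds * 1000 <= MAX_TIMER_DELAY_MS;
}

// Fire `callback` once after `delayMs`, re-arming in chunks so that no single
// timer call exceeds the cap. `now` and `schedule` are injectable for testing.
// A delay of 0 or less invokes the callback synchronously.
function setLongTimeout(callback, delayMs, now = () => Date.now(),
  schedule = (fn, ms) => setTimeout(fn, ms)) {
  const deadline = now() + delayMs;
  let handle;
  let cancelled = false;
  const arm = () => {
    if (cancelled) return;
    const remaining = deadline - now();
    if (remaining <= 0) {
      callback();
      return;
    }
    handle = schedule(arm, Math.min(remaining, MAX_TIMER_DELAY_MS));
  };
  arm();
  // The returned function cancels the pending chunk.
  return () => {
    cancelled = true;
    clearTimeout(handle);
  };
}

// The cookie lifetime is independent of any timer: Max-Age is whole seconds.
function refreshCookieHeader(name, value, maxAgeInSeconds) {
  if (!Number.isInteger(maxAgeInSeconds) || maxAgeInSeconds < 0) {
    throw new TypeError('Max-Age must be a non-negative integer');
  }
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeInSeconds}; Path=/; SameSite=Lax`;
}

console.log(timerDelayFits(1800), timerDelayFits(NINETY_DAYS_S)); // true false
console.log(refreshCookieHeader('auth.refresh', 'constructed-token', NINETY_DAYS_S));
```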