fix: update access token cookie expiry to 1 year

supertokens · Jun 24, 2024 · f1df994 · f1df994
1 parent 85fbac6
commit f1df994
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.21.1] - 2024-06-24
+
+-   Updated the access token cookie expiry to 1 year.
+
 ## [0.21.0] - 2024-06-10
 - Adds caching per API based on user context.
 

diff --git a/recipe/session/utils.go b/recipe/session/utils.go
@@ -257,7 +257,7 @@ func ValidateAndNormaliseUserInput(appInfo supertokens.NormalisedAppinfo, config
 	return typeNormalisedInput, nil
 }
 
-var accessTokenCookiesExpiryDurationMillis uint64 = 3153600000000
+var accessTokenCookiesExpiryDurationMillis uint64 = 31536000000
 
 func normaliseSameSiteOrThrowError(sameSite string) (string, error) {
 	sameSite = strings.TrimSpace(sameSite)
@@ -325,17 +325,17 @@ func GetCurrTimeInMS() uint64 {
 
 func SetAccessTokenInResponse(config sessmodels.TypeNormalisedInput, res http.ResponseWriter, accessToken string, frontToken string, tokenTransferMethod sessmodels.TokenTransferMethod, request *http.Request, userContext supertokens.UserContext) error {
 	setFrontTokenInHeaders(res, frontToken)
-	// We set the expiration to 100 years, because we can't really access the expiration of the refresh token everywhere we are setting it.
+	// We set the expiration to 1 year, because we can't really access the expiration of the refresh token everywhere we are setting it.
 	// This should be safe to do, since this is only the validity of the cookie (set here or on the frontend) but we check the expiration of the JWT anyway.
 	// Even if the token is expired the presence of the token indicates that the user could have a valid refresh
-	// Setting them to infinity would require special case handling on the frontend and just adding 100 years seems enough.
+	// Some browsers have started capping the expiry to 400 days. Setting it to 1 year should be enough.
 	setToken(config, res, sessmodels.AccessToken, accessToken, GetCurrTimeInMS()+accessTokenCookiesExpiryDurationMillis, tokenTransferMethod, request, userContext)
 
 	if config.ExposeAccessTokenToFrontendInCookieBasedAuth && tokenTransferMethod == sessmodels.CookieTransferMethod {
-		// We set the expiration to 100 years, because we can't really access the expiration of the refresh token everywhere we are setting it.
+		// We set the expiration to 1 year, because we can't really access the expiration of the refresh token everywhere we are setting it.
 		// This should be safe to do, since this is only the validity of the cookie (set here or on the frontend) but we check the expiration of the JWT anyway.
 		// Even if the token is expired the presence of the token indicates that the user could have a valid refresh
-		// Setting them to infinity would require special case handling on the frontend and just adding 100 years seems enough.
+		// Some browsers have started capping the expiry to 400 days. Setting it to 1 year should be enough.
 		setToken(config, res, sessmodels.AccessToken, accessToken, GetCurrTimeInMS()+accessTokenCookiesExpiryDurationMillis, sessmodels.HeaderTransferMethod, request, userContext)
 	}
 	return nil

diff --git a/supertokens/constants.go b/supertokens/constants.go
@@ -21,7 +21,7 @@ const (
 )
 
 // VERSION current version of the lib
-const VERSION = "0.21.0"
+const VERSION = "0.21.1"
 
 var (
 	cdiSupported = []string{"3.0"}