fix: use exp JWT value instead of value from x-session-lifetime header

teamhanko · Sep 29, 2023 · df7940e · df7940e
1 parent 7c52dae
commit df7940e
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 8 deletions.
diff --git a/frontend/frontend-sdk/package.json b/frontend/frontend-sdk/package.json
@@ -62,6 +62,7 @@
     "typescript": "^4.9.5"
   },
   "dependencies": {
-    "@types/js-cookie": "^3.0.3"
+    "@types/js-cookie": "^3.0.3",
+    "jose": "^4.14.6"
   }
 }
diff --git a/frontend/frontend-sdk/src/lib/client/HttpClient.ts b/frontend/frontend-sdk/src/lib/client/HttpClient.ts
@@ -3,6 +3,7 @@ import { SessionState } from "../state/session/SessionState";
 import { PasscodeState } from "../state/users/PasscodeState";
 import { Dispatcher } from "../events/Dispatcher";
 import { Cookie } from "../Cookie";
+import { decodeJwt } from "jose";
 
 /**
  * This class wraps an XMLHttpRequest to maintain compatibility with the fetch API.
@@ -216,8 +217,11 @@ class HttpClient {
 
     if (jwt) {
       const secure = !!this.api.match("^https://");
-      const expires = new Date(new Date().getTime() + expirationSeconds * 1000);
-      this.cookie.setAuthCookie(jwt, { secure, expires });
+      const decodedJwt = decodeJwt(jwt);
+      this.cookie.setAuthCookie(jwt, {
+        secure,
+        expires: new Date(decodedJwt.exp * 1000),
+      });
     }
 
     this.passcodeState.read().reset(userID).write();

diff --git a/frontend/package-lock.json b/frontend/package-lock.json