Merge pull request #417 from supertokens/fix/access-token-expiry

fix: update access token cookie expiry to 1 year

Author: rishabhpoddar

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.22.0] - 2024-06-24
+
+### Breaking change
+
+-   The access token cookie expiry has been changed from 100 years to 1 year due to some browsers capping the maximum expiry at 400 days. No action is needed on your part.
+
 ## [0.21.0] - 2024-06-10
 - Adds caching per API based on user context.
 

recipe/session/utils.go

@@ -257,7 +257,7 @@ func ValidateAndNormaliseUserInput(appInfo supertokens.NormalisedAppinfo, config
 	return typeNormalisedInput, nil
 }
 
-var accessTokenCookiesExpiryDurationMillis uint64 = 3153600000000
+var accessTokenCookiesExpiryDurationMillis uint64 = 31536000000
 
 func normaliseSameSiteOrThrowError(sameSite string) (string, error) {
 	sameSite = strings.TrimSpace(sameSite)
@@ -325,17 +325,17 @@ func GetCurrTimeInMS() uint64 {
 
 func SetAccessTokenInResponse(config sessmodels.TypeNormalisedInput, res http.ResponseWriter, accessToken string, frontToken string, tokenTransferMethod sessmodels.TokenTransferMethod, request *http.Request, userContext supertokens.UserContext) error {
 	setFrontTokenInHeaders(res, frontToken)
-	// We set the expiration to 100 years, because we can't really access the expiration of the refresh token everywhere we are setting it.
+	// We set the expiration to 1 year, because we can't really access the expiration of the refresh token everywhere we are setting it.
 	// This should be safe to do, since this is only the validity of the cookie (set here or on the frontend) but we check the expiration of the JWT anyway.
 	// Even if the token is expired the presence of the token indicates that the user could have a valid refresh
-	// Setting them to infinity would require special case handling on the frontend and just adding 100 years seems enough.
+	// Some browsers now cap the maximum expiry at 400 days, so we set it to 1 year, which should suffice.
 	setToken(config, res, sessmodels.AccessToken, accessToken, GetCurrTimeInMS()+accessTokenCookiesExpiryDurationMillis, tokenTransferMethod, request, userContext)
 
 	if config.ExposeAccessTokenToFrontendInCookieBasedAuth && tokenTransferMethod == sessmodels.CookieTransferMethod {
-		// We set the expiration to 100 years, because we can't really access the expiration of the refresh token everywhere we are setting it.
+		// We set the expiration to 1 year, because we can't really access the expiration of the refresh token everywhere we are setting it.
 		// This should be safe to do, since this is only the validity of the cookie (set here or on the frontend) but we check the expiration of the JWT anyway.
 		// Even if the token is expired the presence of the token indicates that the user could have a valid refresh
-		// Setting them to infinity would require special case handling on the frontend and just adding 100 years seems enough.
+		// Some browsers now cap the maximum expiry at 400 days, so we set it to 1 year, which should suffice.
 		setToken(config, res, sessmodels.AccessToken, accessToken, GetCurrTimeInMS()+accessTokenCookiesExpiryDurationMillis, sessmodels.HeaderTransferMethod, request, userContext)
 	}
 	return nil

supertokens/constants.go

@@ -21,7 +21,7 @@ const (
 )
 
 // VERSION current version of the lib
-const VERSION = "0.21.0"
+const VERSION = "0.22.0"
 
 var (
 	cdiSupported = []string{"3.0"}