fix(jwt): derive refresh cookie TTL from server's refresh_expires_at#35
Merged
Conversation
_jwtStoreTokens hardcoded the kyte_jwt_refresh cookie to a 30-day TTL regardless of the server's actual refresh-token expiration. With server-side TTL at 7d (4.4.x) the cookie outlived validity by 23 days; with kyte-php 4.5.0 dropping server-side default to 4h, the mismatch becomes a real "zombie cookie" problem — closing the browser leaves a refresh cookie the server has long stopped honoring. Fix: derive minutes-until-expiry from response.refresh_expires_at (unix seconds, set by /jwt/login + /jwt/refresh). Cookie now expires in lockstep with the server-side refresh token. If the server omits refresh_expires_at, fall through to a browser-session cookie (null minutes → no expires header) — safer-by-default than the old 30-day hardcode; user logs out when they close the browser. Tests: three new cases in tests/kyte.test.js — TTL matches refresh_expires_at, missing field → session cookie, 30-day literal regression guard. Pair with kyte-php 4.5.0 — the server-side family lifetime cap combined with this cookie-TTL fix gives end-to-end session bounds. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
_jwtStoreTokenshardcoded thekyte_jwt_refreshcookie to a 30-day TTL regardless of server-side refresh-token expiry. With kyte-php 4.5.0 dropping server refresh TTL to 4h, this leaves a "zombie" cookie that long outlives server validity — an idle tab looks logged in under a dead session.response.refresh_expires_at; fall back to a browser-session cookie when the server omits it.Test plan
tests/kyte.test.js: TTL matchesrefresh_expires_at; missing field → session cookie; 30-day literal regression guard🤖 Generated with Claude Code