Skip to content

fix(jwt): derive refresh cookie TTL from server's refresh_expires_at#35

Merged
kennethphough merged 1 commit into
masterfrom
fix/refresh-cookie-ttl
May 28, 2026
Merged

fix(jwt): derive refresh cookie TTL from server's refresh_expires_at#35
kennethphough merged 1 commit into
masterfrom
fix/refresh-cookie-ttl

Conversation

@kennethphough

Copy link
Copy Markdown
Member

Summary

  • _jwtStoreTokens hardcoded the kyte_jwt_refresh cookie to a 30-day TTL regardless of server-side refresh-token expiry. With kyte-php 4.5.0 dropping server refresh TTL to 4h, this leaves a "zombie" cookie that long outlives server validity — an idle tab looks logged in under a dead session.
  • Fix: derive cookie TTL from response.refresh_expires_at; fall back to a browser-session cookie when the server omits it.
  • v2.0.1 → v2.0.2.

Test plan

  • tests/kyte.test.js: TTL matches refresh_expires_at; missing field → session cookie; 30-day literal regression guard
  • All 17 tests pass
  • Verified on dev device 19 — fresh login cookie Expires now lands ~4h out (was 30d)

🤖 Generated with Claude Code

_jwtStoreTokens hardcoded the kyte_jwt_refresh cookie to a 30-day TTL
regardless of the server's actual refresh-token expiration. With
server-side TTL at 7d (4.4.x) the cookie outlived validity by 23
days; with kyte-php 4.5.0 dropping server-side default to 4h, the
mismatch becomes a real "zombie cookie" problem — closing the browser
leaves a refresh cookie the server has long stopped honoring.

Fix: derive minutes-until-expiry from response.refresh_expires_at
(unix seconds, set by /jwt/login + /jwt/refresh). Cookie now expires
in lockstep with the server-side refresh token. If the server omits
refresh_expires_at, fall through to a browser-session cookie (null
minutes → no expires header) — safer-by-default than the old 30-day
hardcode; user logs out when they close the browser.

Tests: three new cases in tests/kyte.test.js — TTL matches
refresh_expires_at, missing field → session cookie, 30-day literal
regression guard.

Pair with kyte-php 4.5.0 — the server-side family lifetime cap
combined with this cookie-TTL fix gives end-to-end session bounds.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@kennethphough
kennethphough merged commit aeb0f78 into master May 28, 2026
3 checks passed
@kennethphough
kennethphough deleted the fix/refresh-cookie-ttl branch May 28, 2026 06:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant