security: add 7-day expiry to session JWTs #536

Status: Open
xpoes123 wants to merge 1 commit into qbreader:main from xpoes123:security/jwt-expiry

Conversation

@xpoes123 (Contributor) commented Jun 30, 2026

Session JWTs were signed with no exp claim, meaning a stolen or leaked token remained valid indefinitely. This PR adds a 7-day expiry to tokens issued by generateToken, aligned with the existing COOKIE_MAX_AGE constant in server/constants.js.

Problem

In server/authentication.js, generateToken called sign({ username, verifiedEmail }, secret) with no options object, producing tokens that never expire. A compromised token granted permanent account access regardless of when the theft occurred.

Changes

  • Passes { expiresIn: '7d' } as the third argument to sign() in generateToken.

Risk & testing

The checkToken verification path uses jsonwebtoken's verify() with a callback that returns false on any error, including TokenExpiredError — expired tokens are rejected with no failure-open path. Existing tokens without an exp claim continue to work until their session cookie expires naturally; only newly issued tokens carry the expiry. The password-reset token path (which uses its own 15-minute timestamp logic) is untouched. semistandard and node --check pass.

xpoes123 changed the title from "security: add expiration to session JWTs" to "security: add 7-day expiry to session JWTs" on Jun 30, 2026