Skip to content

Remove hardcoded 14-day token lifetime from auth cookie handling#3732

Open
dauglyon wants to merge 1 commit into
developfrom
fix/token-lifetime-remove-hardcoded-default
Open

Remove hardcoded 14-day token lifetime from auth cookie handling#3732
dauglyon wants to merge 1 commit into
developfrom
fix/token-lifetime-remove-hardcoded-default

Conversation

@dauglyon

@dauglyon dauglyon commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Summary

KBase is extending the login token lifetime from two weeks to four weeks. api/auth.js defined DEFAULT_TOKEN_LIFE = 14 * 24 * 60 * 60 * 1000 and used it as a fallback cookie expiration in setCookie whenever no expires was supplied. After the change, that fallback would silently keep cookies pinned to the old 14-day value.

Rather than bump the constant to 28 days, this removes it. Cookie expiry should always come from the auth service (the token's real expiration), never a hardcoded client-side lifetime.

Why this is safe

  • The production login path (setAuthToken) and logout path (removeCookie) already pass an explicit expires, so they are unaffected.
  • The only caller relying on the 14-day fallback was the localhost-only dev token-injection dialog.

Changes

  • kbase-extension/static/kbase/js/api/auth.js — remove DEFAULT_TOKEN_LIFE; setCookie now requires an integer expires and throws if one isn't provided. Docstring updated.
  • kbase-extension/static/kbase/js/narrativeLogin.js — the dev token-injection dialog now looks up the pasted token's real expiration via getTokenInfo and passes it to setCookie; an invalid/unvalidatable token is reported instead of silently setting a bad cookie.
  • test/unit/spec/api/authSpec.js — the direct setCookie call (backup-cookie simulation) now passes an explicit expires.

Context

Companion to kbase/ui#259, which updates the user-facing "two weeks" copy. Reviewed narrative + kbase-ui (all plugins); this was the only hardcoded lifetime assumption in narrative. All other expiry logic already reads the server-provided value.

setCookie fell back to a hardcoded DEFAULT_TOKEN_LIFE of 14 days when
no expiration was supplied. With the login token lifetime moving from
two weeks to four weeks, that fallback would silently keep cookies at
the old 14-day value.

The production login and logout paths already pass an explicit expires
sourced from the auth service, so they are unaffected. The only caller
relying on the fallback was the localhost dev token-injection dialog.

- Remove DEFAULT_TOKEN_LIFE and require an integer expires in setCookie
  (throws otherwise), so cookie expiry must always come from the auth
  service rather than a hardcoded client-side lifetime.
- Dev token-injection dialog now fetches the token's real expiration via
  getTokenInfo and passes it through; invalid tokens are reported.
- Update authSpec setCookie call to pass an explicit expires.
@sonarqubecloud

sonarqubecloud Bot commented Jul 7, 2026

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@dauglyon dauglyon requested review from MrCreosote and briehl July 7, 2026 19:49
@MrCreosote

Copy link
Copy Markdown
Member

I am not at all qualified to review this...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants