fix(#414): update session config to 7d absolute, 2h idle timeout
All checks were successful
ci/woodpecker/push/api Pipeline was successful
All checks were successful
ci/woodpecker/push/api Pipeline was successful
- expiresIn: 7 days (was 24 hours) - updateAge: 2 hours idle timeout with sliding window - Explicit cookie attributes: httpOnly, secure in production, sameSite=lax - Existing sessions expire naturally under old rules Refs #414 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
@@ -130,6 +130,46 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* Build the list of trusted origins from environment variables.
|
||||
*
|
||||
* Sources (in order):
|
||||
* - NEXT_PUBLIC_APP_URL — primary frontend URL
|
||||
* - NEXT_PUBLIC_API_URL — API's own origin
|
||||
* - TRUSTED_ORIGINS — comma-separated additional origins
|
||||
* - localhost fallbacks — only when NODE_ENV !== "production"
|
||||
*
|
||||
* The returned list is deduplicated and empty strings are filtered out.
|
||||
*/
|
||||
export function getTrustedOrigins(): string[] {
|
||||
const origins: string[] = [];
|
||||
|
||||
// Environment-driven origins
|
||||
if (process.env.NEXT_PUBLIC_APP_URL) {
|
||||
origins.push(process.env.NEXT_PUBLIC_APP_URL);
|
||||
}
|
||||
|
||||
if (process.env.NEXT_PUBLIC_API_URL) {
|
||||
origins.push(process.env.NEXT_PUBLIC_API_URL);
|
||||
}
|
||||
|
||||
// Comma-separated additional origins
|
||||
if (process.env.TRUSTED_ORIGINS) {
|
||||
const extra = process.env.TRUSTED_ORIGINS.split(",")
|
||||
.map((o) => o.trim())
|
||||
.filter((o) => o !== "");
|
||||
origins.push(...extra);
|
||||
}
|
||||
|
||||
// Localhost fallbacks for development only
|
||||
if (process.env.NODE_ENV !== "production") {
|
||||
origins.push("http://localhost:3000", "http://localhost:3001");
|
||||
}
|
||||
|
||||
// Deduplicate and filter empty strings
|
||||
return [...new Set(origins)].filter((o) => o !== "");
|
||||
}
|
||||
|
||||
export function createAuth(prisma: PrismaClient) {
|
||||
// Validate OIDC configuration at startup - fail fast if misconfigured
|
||||
validateOidcConfig();
|
||||
@@ -144,15 +184,17 @@ export function createAuth(prisma: PrismaClient) {
|
||||
},
|
||||
plugins: [...getOidcPlugins()],
|
||||
session: {
|
||||
expiresIn: 60 * 60 * 24, // 24 hours
|
||||
updateAge: 60 * 60 * 24, // 24 hours
|
||||
expiresIn: 60 * 60 * 24 * 7, // 7 days absolute max
|
||||
updateAge: 60 * 60 * 2, // 2 hours idle timeout (sliding window)
|
||||
},
|
||||
trustedOrigins: [
|
||||
process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000",
|
||||
"http://localhost:3001", // API origin (dev)
|
||||
"https://app.mosaicstack.dev", // Production web
|
||||
"https://api.mosaicstack.dev", // Production API
|
||||
],
|
||||
advanced: {
|
||||
defaultCookieAttributes: {
|
||||
httpOnly: true,
|
||||
secure: process.env.NODE_ENV === "production",
|
||||
sameSite: "lax" as const,
|
||||
},
|
||||
},
|
||||
trustedOrigins: getTrustedOrigins(),
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user