edgedb-js icon indicating copy to clipboard operation
edgedb-js copied to clipboard
verified publisher icon edgedb

Expire cookies with token or PKCE TTL

Open scotttrinh opened this issue 1 year ago • 0 comments

Get the expiration date from the auth token and set the cookie to expire when the token itself expires.

PKCE sessions are slightly different. In some contexts, we do not start the session itself until a middle point in the flow, like with email verification, the session starts on the auth server once the verification token is sent to the server, not when the email is sent by the server to the email recipient. Since the verification token has a lifespan of 24 hours at the moment, the expiration is longer than the PKCE session lifespan which is currently 10 minutes. So instead of trying to chase the smallest window of time we can, we set it to a reasonable level: one week after which the PKCE verifier cookie is expired, requiring whatever flow has begun to be retried.

Closes #990

scotttrinh avatar May 02 '24 16:05 scotttrinh