admin/OFApp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix login: don't pass expiresIn:undefined to jwt.sign

Browse Source 
Newer versions of jsonwebtoken reject undefined for expiresIn with
"expiresIn should be a number of seconds or string representing a timespan".
Omit the option entirely when no expiration is desired — cookie maxAge
already controls session lifetime.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Trey T
2026-04-30 00:29:43 -05:00
parent b75b6542d9
commit e6c0e2292b
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/auth.js
+3 -2
View File
@@ -13,7 +13,6 @@ import {
const router = Router();
const TOKEN_COOKIE = 'ofapp_token';
const TOKEN_EXPIRY = undefined; // no expiration
function getJwtSecret() {
let secret = getSetting('jwt_secret');
@@ -26,7 +25,9 @@ function getJwtSecret() {
}
function signToken(userId) {
return jwt.sign({ userId }, getJwtSecret(), { expiresIn: TOKEN_EXPIRY });
// No expiration — the cookie's maxAge (~10y) controls session lifetime.
// Newer jsonwebtoken rejects expiresIn:undefined, so we omit the field.
return jwt.sign({ userId }, getJwtSecret());
}
function setTokenCookie(res, token) {