From e6c0e2292bd056b35c9f393b7078a0422aa08d76 Mon Sep 17 00:00:00 2001
From: Trey T
Date: Thu, 30 Apr 2026 00:29:43 -0500
Subject: [PATCH] Fix login: don't pass expiresIn:undefined to jwt.sign
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Newer versions of jsonwebtoken reject undefined for expiresIn with "expiresIn should be a number of seconds or string representing a timespan". Omit the option entirely when no expiration is desired — cookie maxAge already controls session lifetime.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 server/auth.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/auth.js b/server/auth.js
index f5d0926..8425e8f 100644
--- a/server/auth.js
+++ b/server/auth.js
@@ -13,7 +13,6 @@ import {
 const router = Router();
 
 const TOKEN_COOKIE = 'ofapp_token';
-const TOKEN_EXPIRY = undefined; // no expiration
 
 function getJwtSecret() {
 let secret = getSetting('jwt_secret');
@@ -26,7 +25,9 @@ function getJwtSecret() {
 }
 
 function signToken(userId) {
- return jwt.sign({ userId }, getJwtSecret(), { expiresIn: TOKEN_EXPIRY });
+ // No expiration — the cookie's maxAge (~10y) controls session lifetime.
+ // Newer jsonwebtoken rejects expiresIn:undefined, so we omit the field.
+ return jwt.sign({ userId }, getJwtSecret());
 }
 
 function setTokenCookie(res, token) {
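Review bot: Omitting `expiresIn` in `signToken` means the JWT carries no `exp` claim, so a token that leaks from the browser, a log or a backup stays valid to the server indefinitely. The cookie's `maxAge` only tells the client when to discard its own copy and is not checked at verification time, so the new comment overstates what it controls. Rather than dropping the option, give the token a real lifetime and re-issue it on activity, e.g. `return jwt.sign({ userId }, getJwtSecret(), { expiresIn: '30d' });` (example value; choose one that matches the intended session length). If non-expiring tokens are intentional, the comment should say so plainly, e.g. `// Token has no exp claim; revoking it requires rotating jwt_secret or a server-side check.` The verification path is not visible in this patch, so confirm whether any server-side revocation exists before relying on the cookie alone.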