chore(web): make session and OAuth token lifetimes configurable #1162
brendan-kellam merged 3 commits into main from
Conversation
- Auth.js JWT browser sessions now respect `AUTH_SESSION_MAX_AGE_SECONDS` and `AUTH_SESSION_UPDATE_AGE_SECONDS` (defaults: 30 days / 1 day, matching Auth.js's own defaults).
- OAuth flow TTLs (authorization code, access token, refresh token) now respect `OAUTH_AUTHORIZATION_CODE_TTL_SECONDS`, `OAUTH_ACCESS_TOKEN_TTL_SECONDS`, and `OAUTH_REFRESH_TOKEN_TTL_SECONDS` (defaults: 10 minutes / 1 hour / 90 days, matching the previously hard-coded values).

Defaults preserve today's behavior; operators who want shorter sessions can lower these values without code changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Walkthrough: Adds five environment variables to make authentication session lifetimes and OAuth token TTLs configurable; updates the server env schema, NextAuth session config, and OAuth server/token issuance to use the new env values, and documents the options in CHANGELOG and the environment variables docs.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
packages/web/src/ee/features/oauth/server.ts (1)
6-12: ⚠️ Potential issue | 🟠 Major: Update test mock to include `env` from `@sourcebot/shared`.

The import of `env` at line 6 is used throughout the server functions (lines 41, 122, 131, 136, 187, 196, 201) to access TTL constants like `env.OAUTH_ACCESS_TOKEN_TTL_SECONDS`. The current mock at lines 12-18 in server.test.ts doesn't export `env`, causing tests to fail when these functions execute.

Current incomplete mock:

```ts
vi.mock('@sourcebot/shared', () => ({
    hashSecret: vi.fn((s: string) => s),
    generateOAuthToken: vi.fn(() => ({ token: 'sboa_newtoken', hash: 'newtoken' })),
    generateOAuthRefreshToken: vi.fn(() => ({ token: 'sbor_newrefresh', hash: 'newrefresh' })),
    OAUTH_ACCESS_TOKEN_PREFIX: 'sboa_',
    OAUTH_REFRESH_TOKEN_PREFIX: 'sbor_',
}));
```

Add `env` with appropriate mock values, or spread the real module and override only the token generators.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@packages/web/src/ee/features/oauth/server.ts` around lines 6 - 12, Tests fail because the mock of `@sourcebot/shared` omits env used by functions like generateOAuthToken/generateOAuthRefreshToken and constants OAUTH_ACCESS_TOKEN_PREFIX/OAUTH_REFRESH_TOKEN_PREFIX; update the vi.mock in server.test.ts to include an env export (e.g., env: { OAUTH_ACCESS_TOKEN_TTL_SECONDS: <number>, OAUTH_REFRESH_TOKEN_TTL_SECONDS: <number>, OAUTH_REFRESH_TOKEN_TTL_SECONDS_REMINDER: <number>, ... } matching the keys used in server.ts) or instead import the real module and spread it while overriding only hashSecret, generateOAuthToken, and generateOAuthRefreshToken; ensure the mock exports env so calls to env.OAUTH_ACCESS_TOKEN_TTL_SECONDS and similar resolve during tests.
🧹 Nitpick comments (1)
packages/web/src/app/api/(server)/ee/oauth/token/route.ts (1)
3-3: ⚡ Quick win: Use `result.expiresIn` instead of reading `env` again.

This keeps the route response aligned with the service return contract and avoids duplicated TTL sourcing in two layers.

Suggested simplification:
-import { env, hasEntitlement } from '@sourcebot/shared'; +import { hasEntitlement } from '@sourcebot/shared'; ... - expires_in: env.OAUTH_ACCESS_TOKEN_TTL_SECONDS, + expires_in: result.expiresIn, ... - expires_in: env.OAUTH_ACCESS_TOKEN_TTL_SECONDS, + expires_in: result.expiresIn,Also applies to: 62-62, 94-94
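Review bot: The suggested diff only holds if the token service already returns `expiresIn`; if it does, taking `expires_in` from `result` at both sites (lines 62 and 94) also guarantees that the lifetime advertised to the OAuth client is the one the service actually applied when it issued the token, instead of two independent reads of `env.OAUTH_ACCESS_TOKEN_TTL_SECONDS` that could drift if the service ever clamps or overrides the TTL. If the service does not yet expose `expiresIn`, add it in the same change rather than leaving the route reading `env` directly.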
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@packages/web/src/app/api/`(server)/ee/oauth/token/route.ts at line 3, The route currently re-reads TTL from env when building the response; instead use the service return value result.expiresIn so the route response matches the token service contract. Update any places that reference env.TOKEN_TTL / env.OAUTH_TOKEN_TTL (used when constructing the JSON response around the result object) to use result.expiresIn, and ensure the response payload uses result.expiresIn consistently (e.g., where you set expiresIn or ttl fields after calling the token generation service).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@packages/shared/src/env.server.ts`:
- Around line 147-175: The new TTL/session env vars
(AUTH_SESSION_MAX_AGE_SECONDS, AUTH_SESSION_UPDATE_AGE_SECONDS,
OAUTH_AUTHORIZATION_CODE_TTL_SECONDS, OAUTH_ACCESS_TOKEN_TTL_SECONDS,
OAUTH_REFRESH_TOKEN_TTL_SECONDS) need bounds and integer validation to prevent
negative or decimal values: update each numberSchema.default(...) to use integer
and min constraints (e.g., numberSchema.int().min(1) for values that must be
positive like AUTH_SESSION_MAX_AGE_SECONDS and the OAUTH_*_TTL_SECONDS values,
and numberSchema.int().min(0) for AUTH_SESSION_UPDATE_AGE_SECONDS since 0 is a
valid sentinel) so only non-negative (or strictly positive where required)
whole-second values are accepted.
📒 Files selected for processing (6)
- CHANGELOG.md
- docs/docs/configuration/environment-variables.mdx
- packages/shared/src/env.server.ts
- packages/web/src/app/api/(server)/ee/oauth/token/route.ts
- packages/web/src/auth.ts
- packages/web/src/ee/features/oauth/server.ts
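The review's inline comment on `env.server.ts` asks for integer and minimum bounds on the five new variables. The block below is an added example written for this page, not Sourcebot's `env.server.ts` or its `numberSchema`: it validates the five variables with the defaults the PR states and the bounds the review proposes (`min 1` for the TTLs and max age, `min 0` for the update age, where `0` is the sentinel the review mentions), and then derives absolute expiry timestamps from a TTL. It is written in plain TypeScript without zod so it runs stand-alone; `parseLifetimes`, `expiresAt` and `isExpired` are names chosen here and are not project functions, and the cross-field check that the update age must not exceed the max age is an assumption of this example rather than something the PR adds. Parsing is deliberately stricter than `Number()` coercion: only plain decimal digits are accepted, so `1.5`, `1e3`, `-1` and `0x10` are all rejected.

```typescript
// Added example (not Sourcebot's own code): validate the session/OAuth
// lifetime variables and derive expiry timestamps from them.

type LifetimeKey =
  | "AUTH_SESSION_MAX_AGE_SECONDS"
  | "AUTH_SESSION_UPDATE_AGE_SECONDS"
  | "OAUTH_AUTHORIZATION_CODE_TTL_SECONDS"
  | "OAUTH_ACCESS_TOKEN_TTL_SECONDS"
  | "OAUTH_REFRESH_TOKEN_TTL_SECONDS";

interface LifetimeSpec {
  default: number; // seconds, applied when the variable is unset or blank
  min: number;     // smallest accepted value; 0 only where 0 is a valid sentinel
}

// Defaults are the values stated in the PR; the bounds are the ones the review asks for.
export const LIFETIME_SPECS: Record<LifetimeKey, LifetimeSpec> = {
  AUTH_SESSION_MAX_AGE_SECONDS:         { default: 2_592_000, min: 1 }, // 30 days
  AUTH_SESSION_UPDATE_AGE_SECONDS:      { default: 86_400,    min: 0 }, // 1 day; 0 is the "always update" sentinel
  OAUTH_AUTHORIZATION_CODE_TTL_SECONDS: { default: 600,       min: 1 }, // 10 minutes
  OAUTH_ACCESS_TOKEN_TTL_SECONDS:       { default: 3_600,     min: 1 }, // 1 hour
  OAUTH_REFRESH_TOKEN_TTL_SECONDS:      { default: 7_776_000, min: 1 }, // 90 days
};

export type Lifetimes = Record<LifetimeKey, number>;

// Parse a process.env-like map. Fails closed: any malformed value aborts with a
// message naming every bad variable, rather than silently falling back to a
// default or letting NaN reach a Date computation.
export function parseLifetimes(raw: Record<string, string | undefined>): Lifetimes {
  const out = {} as Lifetimes;
  const errors: string[] = [];
  for (const key of Object.keys(LIFETIME_SPECS) as LifetimeKey[]) {
    const spec = LIFETIME_SPECS[key];
    const value = raw[key];
    if (value === undefined || value.trim() === "") {
      out[key] = spec.default;
      continue;
    }
    // Whole seconds only: rejects "1.5", "1e3", "-1", "0x10" and "+5".
    if (!/^\d+$/.test(value)) {
      errors.push(`${key}: expected a whole number of seconds, got ${JSON.stringify(value)}`);
      continue;
    }
    const n = Number(value);
    if (!Number.isSafeInteger(n) || n < spec.min) {
      errors.push(`${key}: must be an integer >= ${spec.min}, got ${value}`);
      continue;
    }
    out[key] = n;
  }
  // Cross-field check (an assumption of this example, not part of the PR): an
  // update age longer than the max age can never fire before the session expires.
  if (errors.length === 0 && out.AUTH_SESSION_UPDATE_AGE_SECONDS > out.AUTH_SESSION_MAX_AGE_SECONDS) {
    errors.push("AUTH_SESSION_UPDATE_AGE_SECONDS must not exceed AUTH_SESSION_MAX_AGE_SECONDS");
  }
  if (errors.length > 0) {
    throw new Error(`Invalid lifetime configuration:\n  ${errors.join("\n  ")}`);
  }
  return out;
}

// Absolute expiry for a token issued at `issuedAt` with the given TTL in seconds.
export function expiresAt(issuedAt: Date, ttlSeconds: number): Date {
  return new Date(issuedAt.getTime() + ttlSeconds * 1000);
}

// The boundary counts as expired: a token whose expiry equals "now" is no longer valid.
export function isExpired(expires: Date, now: Date): boolean {
  return now.getTime() >= expires.getTime();
}

// Constructed sample environment: an operator shortening access tokens to 15 minutes.
const sampleEnv: Record<string, string | undefined> = { OAUTH_ACCESS_TOKEN_TTL_SECONDS: "900" };
const lifetimes = parseLifetimes(sampleEnv);
const issued = new Date("2025-01-01T00:00:00Z");
console.log(expiresAt(issued, lifetimes.OAUTH_ACCESS_TOKEN_TTL_SECONDS).toISOString());
```

Run it as `npx tsx lifetimes.ts` (or compile with `tsc`); with the constructed environment above it prints `2025-01-01T00:15:00.000Z`, and any invalid value such as `OAUTH_ACCESS_TOKEN_TTL_SECONDS=-5` aborts startup with a message naming the variable.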
Fixes SOU-946
Summary
`session` config in `packages/web/src/auth.ts`:
- `AUTH_SESSION_MAX_AGE_SECONDS`: default `2592000` (30 days)
- `AUTH_SESSION_UPDATE_AGE_SECONDS`: default `86400` (1 day)

`packages/web/src/ee/features/oauth/server.ts` and `packages/web/src/app/api/(server)/ee/oauth/token/route.ts`:
- `OAUTH_AUTHORIZATION_CODE_TTL_SECONDS`: default `600` (10 minutes)
- `OAUTH_ACCESS_TOKEN_TTL_SECONDS`: default `3600` (1 hour)
- `OAUTH_REFRESH_TOKEN_TTL_SECONDS`: default `7776000` (90 days)

`docs/docs/configuration/environment-variables.mdx`.

🤖 Generated with Claude Code