feat: Refresh Token for improved Session Security (#927)

* feat(api): refresh token logic * feat(client): refresh token logic * feat(data-provider): refresh token logic * fix: SSE uses esm * chore: add default refresh token expiry to AuthService, add message about env var not set when generating a token * chore: update scripts to more compatible bun methods, ran bun install again * chore: update env.example and playwright workflow with JWT_REFRESH_SECRET * chore: update breaking changes docs * chore: add timeout to url visit * chore: add default SESSION_EXPIRY in generateToken logic, add act script for testing github actions * fix(e2e): refresh automatically in development environment to pass e2e tests
2025-12-17 00:40:14 +01:00 · 2023-09-11 13:10:46 -04:00 · 2023-09-11 13:10:46 -04:00 · 33f087d38f
commit 33f087d38f
parent 75be9a3279
31 changed files with 420 additions and 232 deletions
--- a/.env.example
+++ b/.env.example
@ -226,8 +226,10 @@ ALLOW_SOCIAL_LOGIN=false
 ALLOW_SOCIAL_REGISTRATION=false

 # JWT Secrets
-JWT_SECRET=secret
-JWT_REFRESH_SECRET=secret
+# You should use secure values. The examples given are 32-byte keys (64 characters in hex)
+# Use this replit to generate some quickly: https://replit.com/@daavila/crypto#index.js
+JWT_SECRET=16f8c0ef4a5d391b26034086c628469d3f9f497f08163ab9b40137092f2909ef
+JWT_REFRESH_SECRET=eaa5191f2914e30b9387fd84e254e4ba6fc51b4654968a9b0803b456a54b8418

 # Google:
 # Add your Google Client ID and Secret here, you must register an app with Google Cloud to get these values
@ -260,8 +262,10 @@ OPENID_BUTTON_LABEL=
 OPENID_IMAGE_URL=

 # Set the expiration delay for the secure cookie with the JWT token
+# Recommend session expiry to be 15 minutes
 # Delay is in millisecond e.g. 7 days is 1000*60*60*24*7
-SESSION_EXPIRY=(1000 * 60 * 60 * 24) * 7
+SESSION_EXPIRY=1000 * 60 * 15
+REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7

 # Github:
 # Get the Client ID and Secret from your Discord Application