feat: Refresh Token for improved Session Security (#927)

* feat(api): refresh token logic * feat(client): refresh token logic * feat(data-provider): refresh token logic * fix: SSE uses esm * chore: add default refresh token expiry to AuthService, add message about env var not set when generating a token * chore: update scripts to more compatible bun methods, ran bun install again * chore: update env.example and playwright workflow with JWT_REFRESH_SECRET * chore: update breaking changes docs * chore: add timeout to url visit * chore: add default SESSION_EXPIRY in generateToken logic, add act script for testing github actions * fix(e2e): refresh automatically in development environment to pass e2e tests
2025-12-30 15:18:50 +01:00 · 2023-09-11 13:10:46 -04:00 · 2023-09-11 13:10:46 -04:00 · 33f087d38f
commit 33f087d38f
parent 75be9a3279
31 changed files with 420 additions and 232 deletions
--- a/docs/general_info/breaking_changes.md
+++ b/docs/general_info/breaking_changes.md
@ -5,7 +5,11 @@
 Certain changes in the updates may impact cookies, leading to unexpected behaviors if not cleared properly.

 ## v0.5.8
-**If you have issues after updating, please try to clear your browser cache and cookies!**
+
+- It's now required to set a JWT_REFRESH_SECRET in your .env file as of [#927](https://github.com/danny-avila/LibreChat/pull/927)
+  - It's also recommended you set REFRESH_TOKEN_EXPIRY or the default value will be used.
+
+## v0.5.8

 - It's now required to name manifest JSON files (for [ChatGPT Plugins](..\features\plugins\chatgpt_plugins_openapi.md)) in the `api\app\clients\tools\.well-known` directory after their `name_for_model` property should you add one yourself.
    - This was a recommended convention before, but is now required.