Refresh Token Expire Date #944

Open
abolix opened this issue Nov 13, 2024 · 3 comments
Labels
question A question about NuxtAuth

abolix commented Nov 13, 2024

Environment

Reproduction

  auth: {
    isEnabled: true,
    globalAppMiddleware: true,
    baseURL: 'http://127.0.0.1:8000/userarea/',
    provider: {
      type: 'local',
      token: {
        signInResponseTokenPointer: '/access',
        type: 'Bearer',
        cookieName: 'auth.access',
        headerName: 'Authorization',
        maxAgeInSeconds: 60 * 3,
        sameSiteAttribute: 'lax',
        secureCookieAttribute: false,
        httpOnlyCookieAttribute: false,
      },
      endpoints: {
        signIn: { path: 'login', method: 'POST' },
        signOut: { path: 'logout', method: 'POST' },
        getSession: { path: 'user-info', method: 'GET' },
        signUp: false
      },
      refresh: {
        isEnabled: true,
        refreshOnlyToken: true,
        token: {
          signInResponseRefreshTokenPointer: '/refresh',
          refreshRequestTokenPointer: '/refresh',
          cookieName: 'auth.refresh',
          maxAgeInSeconds: 1800,
          sameSiteAttribute: 'lax',
          secureCookieAttribute: false,
          httpOnlyCookieAttribute: false,
        },
        endpoint: {
          path: 'refresh',
          method: 'POST',
        },
      },
    },
    sessionRefresh: {
      enablePeriodically: 1000 * 30,
      enableOnWindowFocus: true,
    },
  },

Describe the bug

I have a Django JWT backend with an access token (5 minutes exp) and a refresh token (90 days exp).
Refresh token rotation is not active, so I used refreshOnlyToken: true.

I want my refresh token cookie to expire in 90 days, but I can't set maxAgeInSeconds to 60 * 60 * 24 * 90 because the max time is 24 days.

What is the approach here?

Additional context

No response

Logs

No response

@abolix abolix added bug A bug that needs to be resolved pending An issue waiting for triage labels Nov 13, 2024
@phoenix-ru
Collaborator

> because max time is 24 days.

Could you please elaborate why? Is it a technical limitation from the JavaScript side, our library or Django? Afaik, browser limits on cookie age are high enough for your use case.

@phoenix-ru phoenix-ru added question A question about NuxtAuth and removed bug A bug that needs to be resolved pending An issue waiting for triage labels Nov 21, 2024
@abolix
Author

abolix commented Nov 22, 2024

I want my user to have the refresh token cookie for 90 days, because it's standard to keep the refresh token for this amount of days, but I can't set the maxAgeInSeconds to 90 days. So it's gonna be expired after 24 days, but it should be kept for 90.

@phoenix-ru
Collaborator

phoenix-ru commented Nov 28, 2024

I don't understand what you mean? You mean that the max delay argument supplied to the setInterval function is 24.8 days?
https://developer.mozilla.org/en-US/docs/Web/API/Window/setInterval#return_value

const intervalTime = provider.refresh.token.maxAgeInSeconds * 1000
this.refreshTokenIntervalTimer = setInterval(() => {
  if (this.auth?.refreshToken.value) {
    this.auth.refresh()
  }
}, intervalTime)

Yes, it's logical that you can't set the timer longer than 24 days, but you have to keep in mind that setInterval is only valid while the browser tab is active and it won't persist across reloads. As it's highly improbable that anyone keeps the tab open for over 24 days (or your 90 days), I am not sure what exactly you are trying to achieve.

Maybe a better implementation would've been to set the interval to the actual expiry date of the refresh token, but that's another story.


Adding to it, I have also checked the useCookie implementation in Nuxt, which in turn uses cookie-es. Their implementation explicitly checks the maxAge:
https://github.com/unjs/cookie-es/blob/d83ac9456e1dae5033abb187017d5b43f982b17b/src/cookie/serialize.ts#L51-L59

Are you getting any errors from cookie-es? The value you want to use is absolutely correct and shouldn't trigger any issues. Please verify that the issue is not in your setup.
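
The 24.8-day ceiling discussed in this thread comes from timer delays being held as a signed 32-bit millisecond count. As an added example (not NuxtAuth code; `overflowsTimer`, `scheduleAt` and the injectable `env` are hypothetical names), this shows one way to fire a callback at an absolute deadline, such as a refresh token's expiry, by re-arming `setTimeout` in steps that stay below the limit:

```javascript
// Added example, not NuxtAuth code. Timer delays are stored as a signed
// 32-bit integer, so the largest usable delay is 2^31 - 1 ms (~24.8 days).
const MAX_TIMER_DELAY_MS = 2 ** 31 - 1

// True when maxAgeInSeconds * 1000 cannot be passed to setInterval/setTimeout
// without overflowing the timer delay.
function overflowsTimer(maxAgeInSeconds) {
  return maxAgeInSeconds * 1000 > MAX_TIMER_DELAY_MS
}

// Real clock and timers; replaceable with a fake for testing (assumption:
// `env` is a hypothetical parameter, not part of any library API).
const defaultEnv = {
  now: () => Date.now(),
  setTimeout: (fn, ms) => setTimeout(fn, ms),
  clearTimeout: (handle) => clearTimeout(handle),
}

// Run `callback` once when the clock reaches `deadlineMs` (epoch ms).
// Each wake-up recomputes the remaining time from the clock, so a suspended
// tab or sleeping laptop cannot push the callback past the deadline by more
// than one step, and no single delay exceeds MAX_TIMER_DELAY_MS.
function scheduleAt(callback, deadlineMs, env = defaultEnv) {
  let handle = null
  let cancelled = false
  const tick = () => {
    if (cancelled) return
    const left = deadlineMs - env.now()
    if (left <= 0) {
      callback()
      return
    }
    handle = env.setTimeout(tick, Math.min(left, MAX_TIMER_DELAY_MS))
  }
  tick()
  return {
    cancel() {
      cancelled = true
      if (handle !== null) env.clearTimeout(handle)
    },
  }
}
```

As noted in the thread, any such timer lives only as long as the tab; the cookie's own `maxAge` is what persists across reloads.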
