fix: Ensure JWE expires as expected #2040

Open
wants to merge 1 commit into base: main

Conversation

frederikprijck
Member

@frederikprijck frederikprijck commented Apr 7, 2025

The JWE we use for the cookie was never expiring properly; only the cookie had an expiration configured.
This means that the actual value of the cookie, the JWE, is still valid after the cookie has expired.

This PR ensures the JWE expires, in addition to the cookie itself, and aligns both expirations.

Adding the expiration to the JWE made a lot of the tests fail, because all tests had a fixed check on the JWE payload, but we have now added an additional expiration property. Therefore, I have changed the tests to use expect.objectContaining().

@codecov-commenter

codecov-commenter commented Apr 7, 2025

Codecov Report

Attention: Patch coverage is 86.66667% with 2 lines in your changes missing coverage. Please review.

Project coverage is 78.51%. Comparing base (dbfd502) to head (2179d75).

Files with missing lines | Patch % | Lines
src/server/session/stateless-session-store.ts | 50.00% | 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2040      +/-   ##
==========================================
+ Coverage   78.47%   78.51%   +0.04%     
==========================================
  Files          21       21              
  Lines        1909     1918       +9     
  Branches      307      307              
==========================================
+ Hits         1498     1506       +8     
- Misses        405      406       +1     
  Partials        6        6              

@@ -31,6 +32,7 @@ export async function encrypt(

const encryptedCookie = await new jose.EncryptJWT(payload)
.setProtectedHeader({ enc: ENC, alg: ALG, ...additionalHeaders })
.setExpirationTime(expiration)
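Review bot: the `expiration` value passed to `setExpirationTime` is not visible in this hunk, and jose reads a numeric argument as seconds since the epoch (a JWT NumericDate), so a millisecond value such as `Date.now() + maxAge * 1000` would silently yield a token that expires centuries from now; confirm the caller computes it in seconds from the same number that feeds the cookie's `maxAge`/`expires`, so the two cannot drift. A test that decrypting the cookie value one second after that instant is rejected would also cover this, since the Codecov report above flags 2 uncovered lines in `stateless-session-store.ts`.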
frederikprijck (Member Author)

This is the main thing this PR is fixing. The rest is just accommodating for this change.

tusharpandey13 previously approved these changes Apr 7, 2025
@frederikprijck frederikprijck marked this pull request as ready for review April 15, 2025 06:18
@frederikprijck frederikprijck requested a review from a team as a code owner April 15, 2025 06:18
3 participants