Do not send refresh token. All access tokens will be capped at 1h

maparent · maparent · commit cc87e8236d66 · 2026-05-07T10:52:01.000-04:00
diff --git a/apps/obsidian/src/components/AdminPanelSettings.tsx b/apps/obsidian/src/components/AdminPanelSettings.tsx
@@ -15,7 +15,6 @@ export const AdminPanelSettings = () => {
     plugin.settings.username || "",
   );
   const [accessToken, setAccessToken] = useState<string | null>(null);
-  const [refreshToken, setRefreshToken] = useState<string | null>(null);
   useEffect(() => {
     if (syncModeEnabled) {
       const fetchTokens = async () => {
@@ -24,14 +23,12 @@ export const AdminPanelSettings = () => {
           const session = await client.auth.getSession();
           if (session.data.session) {
             setAccessToken(session.data.session.access_token);
-            setRefreshToken(session.data.session.refresh_token);
           }
         }
       };
       void fetchTokens();
     } else {
       setAccessToken(null);
-      setRefreshToken(null);
     }
   }, [syncModeEnabled, plugin]);
 
@@ -102,23 +99,19 @@ export const AdminPanelSettings = () => {
           />
         </div>
       </div>
-      <div
-        className={
-          "setting-item " + (accessToken && refreshToken ? "" : "hidden")
-        }
-      >
+      <div className={"setting-item " + (accessToken ? "" : "hidden")}>
         <div className="setting-item-info">
           <div className="setting-item-name">Group management</div>
           <div className="setting-item-description">
             This will allow you to view and manage your sharing groups
           </div>
         </div>
         <div className="setting-item-control">
-          {accessToken && refreshToken && (
+          {accessToken && (
             <button
               onClick={() => {
                 window.open(
-                  `${nextRoot()}/auth/token?t=${accessToken}&r=${refreshToken}&url=/`,
+                  `${nextRoot()}/auth/token?t=${accessToken}&url=/`,
                   "_blank",
                 );
               }}
diff --git a/apps/roam/src/components/settings/AdminPanel.tsx b/apps/roam/src/components/settings/AdminPanel.tsx
@@ -268,8 +268,6 @@ const FeatureFlagsTab = (): React.ReactElement => {
     getFeatureFlag("Suggestive mode overlay enabled"),
   );
   const [accessToken, setAccessToken] = useState<string | null>(null);
-  const [refreshToken, setRefreshToken] = useState<string | null>(null);
-  //const syncAlreadyEnabled = duplicateNodeAlertValue || suggestiveOverlayValue;
   useEffect(() => {
     if (duplicateNodeAlertValue || suggestiveOverlayValue) {
       const fetchTokens = async () => {
@@ -278,14 +276,12 @@ const FeatureFlagsTab = (): React.ReactElement => {
           const session = await client.auth.getSession();
           if (session.data.session) {
             setAccessToken(session.data.session.access_token);
-            setRefreshToken(session.data.session.refresh_token);
           }
         }
       };
       void fetchTokens();
     } else {
       setAccessToken(null);
-      setRefreshToken(null);
     }
   }, [duplicateNodeAlertValue, suggestiveOverlayValue]);
 
@@ -413,13 +409,13 @@ const FeatureFlagsTab = (): React.ReactElement => {
       >
         Send Error Email
       </Button>
-      {accessToken && refreshToken && (
+      {accessToken && (
         <Button
           className="w-96"
           icon="document-open"
           onClick={() => {
             window.open(
-              `${nextRoot()}/auth/token?t=${accessToken}&r=${refreshToken}&url=/`,
+              `${nextRoot()}/auth/token?t=${accessToken}&url=/`,
               "_blank",
             );
           }}
diff --git a/apps/website/app/components/auth/LoginWithToken.tsx b/apps/website/app/components/auth/LoginWithToken.tsx
@@ -12,9 +12,7 @@ export const LoginWithToken = () => {
   const [url] = useState(searchParams.get("url"));
   const [done, setDone] = useState(false);
   const [error, setError] = useState<string | null>(
-    accessToken === null || refreshToken == null
-      ? "Please provide tokens"
-      : null,
+    accessToken === null ? "Please provide access token" : null,
   );
 
   const login = useCallback(async () => {
@@ -23,7 +21,8 @@ export const LoginWithToken = () => {
       const response = await client.auth.setSession({
         /* eslint-disable @typescript-eslint/naming-convention */
         access_token: accessToken!,
-        refresh_token: refreshToken!,
+        // in most cases, do not provide the refresh token! The access token will expire after 1h
+        refresh_token: refreshToken ?? "faketoken",
         /* eslint-enable @typescript-eslint/naming-convention */
       });
       if (response.error) {
