Commit 5494630
Fix: align access cookie lifetime to refresh cookie (Codex P1 finding)
The auth_cookies module set ACCESS_TOKEN_MAX_AGE to 7 days while
REFRESH_TOKEN_MAX_AGE was 30 days. The docstring on those constants
claims "the access token mirrors [refresh] so a quiet tab doesn't
lose only half its credentials" — but the actual values didn't
mirror.
Real-world failure mode:
* Session restore (resolve_authenticated_context) requires BOTH
cookies present.
* A user returning after 7+ days (but within 30) has a valid
refresh cookie but a purged access cookie.
* Restore rejects the half-credentialed pair and forces a fresh
OAuth re-login, defeating the "stay signed in" UX the 30-day
refresh window was meant to deliver.
Fix matches the docstring's stated intent: both cookies live for
30 days. The COOKIE's max_age governs browser purge time, NOT the
JWT's validity — Supabase rotates the access JWT on every restore
using the still-valid refresh JWT, so the inside-the-cookie token
being temporally stale is fine and expected.
Codex P1 finding on PR #2 (May 2026). Auth-test suite (14 tests)
still green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent 48a6f6b commit 5494630
1 file changed
Lines changed: 14 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
22 | 22 | | |
23 | 23 | | |
24 | 24 | | |
25 | | - | |
26 | | - | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
27 | 28 | | |
28 | | - | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
29 | 40 | | |
30 | 41 | | |
31 | 42 | | |
| |||
0 commit comments