From 5a03dd10c85abb01c5cd1809ce51a8fba2012c3b Mon Sep 17 00:00:00 2001 From: Paul Asjes Date: Thu, 12 Dec 2024 11:08:54 +0100 Subject: [PATCH] Use a non-default ttl with iron-session (#1186) ## Description iron-session has a default ttl of 14 days, which is problematic in the edge case where a user has set their WorkOS sessions to expire > 14 days. In that scenario, iron-session will expire first, making unsealing impossible which means you can't refresh the session. This fix changes the default ttl to 0, which sets it to the max of ~10 years. ## Documentation Does this require changes to the WorkOS Docs? E.g. the [API Reference](https://workos.com/docs/reference) or code snippets need updates. ``` [ ] Yes ``` If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required. --- src/common/iron-session/edge-iron-session-provider.ts | 8 +++++++- src/common/iron-session/web-iron-session-provider.ts | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/common/iron-session/edge-iron-session-provider.ts b/src/common/iron-session/edge-iron-session-provider.ts
index ffcbc60cb..90f7cd60c 100644
--- a/src/common/iron-session/edge-iron-session-provider.ts
+++ b/src/common/iron-session/edge-iron-session-provider.ts
@@ -11,7 +11,13 @@ import {
 export class EdgeIronSessionProvider extends IronSessionProvider {
 /** @override */
 async sealData(data: unknown, options: SealDataOptions): Promise {
- return sealData(data, options);
+ // The iron-session default ttl is 14 days, which can be problematic if the WorkOS session is configured to be > 14 days.
+ // In that case the session expires and can't be refreshed, so we set the ttl to 0 to set it to the max possible value.
+ const sealOptions = {
+ ...options,
+ ttl: 0,
+ };
+ return sealData(data, sealOptions);
 }
 /** @override */
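Review bot: With `ttl: 0` hard-coded in `sealOptions`, the sealed blob appears to lose any expiry of its own, so a copied seal would stay unsealable for as long as the password is unchanged. Session lifetime then rests entirely on what the seal contains, presumably the access-token expiry and server-side refresh-token revocation; the unseal and validation path is outside this hunk. The added comment should state that dependency, e.g. `// ttl: 0 removes the seal's own expiry; session lifetime must be enforced by validating the tokens inside the seal.` Because `ttl: 0` is placed after `...options`, any ttl a caller supplies is silently discarded; if `SealDataOptions` can carry one, `ttl: options.ttl ?? 0` would preserve it. The same points apply to the identical hunk in web-iron-session-provider.ts, and the duplicated body could live once in the shared `IronSessionProvider` base class.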
diff --git a/src/common/iron-session/web-iron-session-provider.ts b/src/common/iron-session/web-iron-session-provider.ts
index 1e13cbe95..bacad11cb 100644
--- a/src/common/iron-session/web-iron-session-provider.ts
+++ b/src/common/iron-session/web-iron-session-provider.ts
@@ -11,7 +11,13 @@ import {
 export class WebIronSessionProvider extends IronSessionProvider {
 /** @override */
 async sealData(data: unknown, options: SealDataOptions): Promise {
- return sealData(data, options);
+ // The iron-session default ttl is 14 days, which can be problematic if the WorkOS session is configured to be > 14 days.
+ // In that case the session expires and can't be refreshed, so we set the ttl to 0 to set it to the max possible value.
+ const sealOptions = {
+ ...options,
+ ttl: 0,
+ };
+ return sealData(data, sealOptions);
 }
 /** @override */