Merge pull request #510 from supertokens/fix/access-token-expiry

rishabhpoddar · web-flow · commit d512c595f06e · 2024-06-24T19:19:26.000+05:30
fix: update access token cookie expiry to 1 year
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.23.0] - 2024-06-24
+
+### Breaking change
+
+- The access token cookie expiry has been changed from 100 years to 1 year due to some browsers capping the maximum expiry at 400 days. No action is needed on your part.
+
 ## [0.22.1] - 2024-06-10
 - Remove `user_context` being `None` check in querier delete function to make it consistent with other non GET functions
 
diff --git a/setup.py b/setup.py
@@ -83,7 +83,7 @@
 
 setup(
     name="supertokens_python",
-    version="0.22.1",
+    version="0.23.0",
     author="SuperTokens",
     license="Apache 2.0",
     author_email="team@supertokens.com",
diff --git a/supertokens_python/constants.py b/supertokens_python/constants.py
@@ -14,7 +14,7 @@
 from __future__ import annotations
 
 SUPPORTED_CDI_VERSIONS = ["3.0"]
-VERSION = "0.22.1"
+VERSION = "0.23.0"
 TELEMETRY = "/telemetry"
 USER_COUNT = "/users/count"
 USER_DELETE = "/user/remove"
@@ -28,5 +28,5 @@
 API_VERSION = "/apiversion"
 API_VERSION_HEADER = "cdi-version"
 DASHBOARD_VERSION = "0.7"
-HUNDRED_YEARS_IN_MS = 3153600000000
+ONE_YEAR_IN_MS = 31536000000
 RATE_LIMIT_STATUS_CODE = 429
diff --git a/supertokens_python/recipe/session/cookie_and_header.py b/supertokens_python/recipe/session/cookie_and_header.py
@@ -37,7 +37,7 @@
     available_token_transfer_methods,
 )
 from ...logger import log_debug_message
-from supertokens_python.constants import HUNDRED_YEARS_IN_MS
+from supertokens_python.constants import ONE_YEAR_IN_MS
 
 if TYPE_CHECKING:
     from supertokens_python.framework.request import BaseRequest
@@ -391,11 +391,11 @@ def _set_access_token_in_response(
         config,
         "access",
         access_token,
-        # We set the expiration to 100 years, because we can't really access the expiration of the refresh token everywhere we are setting it.
+        # We set the expiration to 1 year, because we can't really access the expiration of the refresh token everywhere we are setting it.
         # This should be safe to do, since this is only the validity of the cookie (set here or on the frontend) but we check the expiration of the JWT anyway.
         # Even if the token is expired the presence of the token indicates that the user could have a valid refresh
-        # Setting them to infinity would require special case handling on the frontend and just adding 10 years seems enough.
-        get_timestamp_ms() + HUNDRED_YEARS_IN_MS,
+        # Some browsers now cap the maximum expiry at 400 days, so we set it to 1 year, which should suffice.
+        get_timestamp_ms() + ONE_YEAR_IN_MS,
         transfer_method,
         request,
         user_context,
@@ -410,7 +410,7 @@ def _set_access_token_in_response(
             config,
             "access",
             access_token,
-            get_timestamp_ms() + HUNDRED_YEARS_IN_MS,
+            get_timestamp_ms() + ONE_YEAR_IN_MS,
             "header",
             request,
             user_context,
