The default cookie maxAge is 1000 years #441

Closed
gutenye opened this issue Feb 1, 2023 · 4 comments
Labels
bug Something isn't working

Comments


gutenye commented Feb 1, 2023

Bug report

Describe the bug

This line defines the default maxAge for the cookie

maxAge = 1000 * 60 * 60 * 24 * 365

The maxAge unit is seconds (not milliseconds), so that's 1000 years 😱. I think this is a bug; expected one year?


gutenye added the bug label Feb 1, 2023

SaileshBechar commented Mar 3, 2023

Hi, I'm pretty sure this is expected. The maxAge should appear indefinite for good UX (source).

@david-plugge
Collaborator

It's probably not expected, as the 1000 comes before all other numbers and therefore should represent the ms.
But as @SaileshBechar mentioned, this isn't an issue as the access_token has a set lifetime anyway. But we should still correct this mistake, thanks for reporting.

gutenye closed this as completed Mar 7, 2023

hmnd commented Apr 9, 2024

This should not have been closed. Fixed in #765

Member

kangmingtay commented Apr 10, 2024

Hi @hmnd, it's fine for the cookie max-age to be infinite because we use the cookie to store the session (access token) which is a JWT that contains an exp claim.

Setting the max-age of the cookie to a value that's less than the exp of the JWT can cause weird random logout behaviour because the cookie is removed before supabase auth can refresh the session (also highlighted by @SaileshBechar).
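
The two conditions discussed in this thread, as an added example that is not part of the issue or of supabase's code: it audits a `Set-Cookie` header for a Max-Age that only makes sense in milliseconds and for a cookie that expires before the JWT's `exp`. The cookie name `sb-session`, the finding labels, the 10-year threshold and the unsigned sample token are assumptions constructed for illustration.

```javascript
// Added example, not supabase code. Cookie name, finding labels and the
// 10-year heuristic are assumptions made for illustration.
const YEAR_S = 60 * 60 * 24 * 365; // one year in seconds, the unit of Max-Age

// Build an unsigned sample token (constructed test data, not a real session).
function makeSampleToken(exp) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64({ sub: 'user', exp })}.sig`;
}

// Read the exp claim without verifying the signature (inspection only).
function jwtExp(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof payload.exp === 'number' ? payload.exp : null;
  } catch {
    return null;
  }
}

// Audit one Set-Cookie header value whose cookie value is a raw JWT.
function auditSessionCookie(setCookie, nowS) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const token = pair.slice(pair.indexOf('=') + 1);
  const attr = attrs.find((a) => /^max-age=/i.test(a));
  const maxAge = attr ? Number(attr.slice(attr.indexOf('=') + 1)) : NaN;
  const findings = [];
  if (!Number.isFinite(maxAge)) return { maxAge: null, years: null, findings: ['no-max-age'] };
  // Implausibly long in seconds, plausible in milliseconds: likely unit mix-up.
  if (maxAge > 10 * YEAR_S && maxAge / 1000 <= 10 * YEAR_S) {
    findings.push('max-age-looks-like-milliseconds');
  }
  // Cookie dropped before the JWT expires: the case the maintainers warn about.
  const exp = jwtExp(token);
  if (exp !== null && nowS + maxAge < exp) findings.push('cookie-expires-before-token');
  return { maxAge, years: maxAge / YEAR_S, findings };
}

const now = 1700000000; // constructed fixed clock, seconds since epoch
const token = makeSampleToken(now + 3600); // token valid for one hour
for (const maxAge of [1000 * YEAR_S, YEAR_S, 600]) {
  const r = auditSessionCookie(`sb-session=${token}; Max-Age=${maxAge}; Path=/`, now);
  console.log(maxAge, r.years, r.findings);
}
```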
