Whoops, actually include createdAt in auth tokens

Right, I had that idea while writing the comment, then forgot to actually do it lmao

This is important for session expiration: we don't want you to be able to hold onto an old cookie for an account that you should be locked out of. Updating the `createdAt` value requires a new signature, so the client can't forge when this token was created, so we can be confident in our ability to expire them.
Emi Matchu 2022-08-17 01:07:47 -07:00
parent c478e6d88c
commit 28060d4d16

@ -72,7 +72,10 @@ export async function getAuthToken({ username, password }, db) {
`.env file.`
);
}
const unsignedAuthToken = { userId: impressId };
const unsignedAuthToken = {
userId: impressId,
createdAt: new Date().toISOString(),
};
const authTokenHmac = createHmac(
"sha256",
process.env["DTI_AUTH_TOKEN_SECRET"]
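Review bot: the new `createdAt` field is only useful if the verification path checks it, and nothing in this hunk does; the expiry guarantee in the commit message depends on the code that validates `authTokenHmac` also rejecting tokens whose `createdAt` is older than the session lifetime (and, for the lockout case the message describes, older than a per-account invalidation timestamp such as the last password change). Suggest adding that age check right after the HMAC comparison, with a constant-time compare for the tag, and noting the maximum age next to `DTI_AUTH_TOKEN_SECRET` in the `.env` documentation referenced a few lines above.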