#Auth token persistence
23 messages · Page 1 of 1 (latest)
Hi @candid carbon. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
You can adjust the duration of the auth token by modifying the jwt.durationMs and session.inactiveDurationMs properties in your convex/auth.ts file. The jwt.durationMs property sets the JWT lifetime, while the session.inactiveDurationMs sets the refresh token lifetime.
Here's an example of how you can set these properties:
session: {
inactiveDurationMs: 1000 * 60 * 60 * 24 * 30, // 30 days
},
jwt: {
durationMs: 1000 * 60 * 60 * 24, // 24 hours
},
In this example, the JWT token will last for 24 hours, and the refresh token will last for 30 days. Adjust these values as needed for your application.
Remember that increasing the token lifetime can have security implications, as a stolen token will be valid for a longer period of time. It's important to find a balance between convenience for your users and security for your application.
For more information, you can refer to this Discord support thread (https://discord.com/channels/1019350475847499849/1270776251732201522).
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
@candid carbon kapa.ai is still learning and improving, please let us know how it did by reacting below
@ripe tendon what's the refresh token?
Let me check the knowledge base for you. One moment! :books:
A refresh token is a special kind of token that can be used to obtain a renewed access token. This is useful in situations where the access token has expired and you want to get a new one without requiring the user to re-authenticate.
In the context of Convex, the refresh token is used to maintain a session, including across page loads. If the access token expires, the refresh token can be used to get a new one. However, each refresh token can only be used once, and using an "old" refresh token will invalidate the whole session. This mechanism is known as refresh token reuse detection.
The refresh token and the access token are made available to the client JavaScript and are stored in localStorage by default. However, you can choose a different storage mechanism via the storage prop.
For more information, you can refer to this section on Client secrets storage (https://labs.convex.dev/auth/security#client-secrets-storage) in the Convex documentation.
@ripe tendon what are the default values for the jwt and refresh token?
Let me check the knowledge base for you. One moment! :books:
The default values for JWT and refresh token durations in Convex are as follows:
- JWT (jwt.durationMs): The default validity period for a JWT after it is initially signed is 1 hour.
- Refresh Token (session.inactiveDurationMs and session.totalDurationMs): The default duration for a user session without the user being active or without the user reauthenticating is 30 days.
Here's how these properties are represented in the Convex Auth configuration:
session: {
inactiveDurationMs: 1000 * 60 * 60 * 24 * 30, // 30 days
totalDurationMs: 1000 * 60 * 60 * 24 * 30, // 30 days
},
jwt: {
durationMs: 1000 * 60 * 60, // 1 hour
},
You can find more details in the ConvexAuthConfig section (https://labs.convex.dev/auth/api_reference/server#convexauthconfig) of the Convex documentation.
@ripe tendon what happens after the jwt is expired?
Let me check the knowledge base for you. One moment! :books:
When a JWT (JSON Web Token) expires, it can no longer be used for authentication. In the context of Convex, if the JWT expires, the client will no longer be able to authenticate requests to the Convex backend.
However, Convex has a mechanism to handle this situation. If the JWT expires, Convex will attempt to use the refresh token to obtain a new JWT. This process is done automatically by Convex Auth. If the refresh token is valid, a new JWT is issued and the session continues without requiring the user to re-authenticate.
If the refresh token is also expired or invalid, the user will be considered unauthenticated and will need to sign in again to obtain a new JWT and refresh token.
It's important to note that the refresh token has a longer lifespan than the JWT. This allows the user to remain authenticated over longer periods of inactivity.
For more information, you can refer to these Discord support threads (https://discord.com/channels/1019350475847499849/1270776251732201522) and Convex documentation (https://labs.convex.dev/auth/advanced#session-validity).
@ripe tendon because my app asks me to reauthenticate after a couple of hours
Let me check the knowledge base for you. One moment! :books:
If your application is asking for reauthentication after a couple of hours, it's likely that the JWT (JSON Web Token) is expiring. By default, the JWT in Convex has a lifespan of 1 hour. After this period, the JWT expires and can no longer be used for authentication.
However, Convex should automatically use the refresh token to obtain a new JWT when the current one expires. If this is not happening, there might be an issue with the refresh token or with the way your application is handling the authentication state.
Here are a few things you can check:
- Refresh Token Expiry: Ensure that the refresh token is not expiring before the JWT. By default, the refresh token in Convex has a lifespan of 30 days.
- Session Handling: Make sure your application is correctly handling the session state. If a session is invalidated (deleted), the user is not automatically signed out until the JWT expires. If you want session validity to be reflected immediately, you need to load the current session in your queries/mutations/actions, and make sure your client can handle the state where the JWT is valid but the session is not.
- Reauthentication Mechanism: For critical operations, you should always require either direct reauthentication or recent authentication. You can use the current session's _creationTime to determine how recently the user has signed in.
If you're still facing issues, it might be helpful to review your authentication setup and ensure it aligns with the Convex authentication guide (https://labs.convex.dev/auth/advanced#session-validity).
@ripe tendon in what function of convexauth does the refresh token get set?
Let me check the knowledge base for you. One moment! :books:
The refresh token is set in the setAuth function of the Convex client. This function is available in different classes of the Convex client, including ConvexClient, BaseConvexClient, and ConvexHttpClient.
Here's an example from the ConvexClient class:
setAuth(fetchToken, onChange?): void
In this function, fetchToken is an async function that returns the JWT-encoded OpenID Connect Identity Token. This function will be called automatically again if a token expires. If the token cannot be retrieved (for example, when the user's rights were permanently revoked), fetchToken should return null.