Bug #18

closed

JWT Access Token Has Excessively Long Expiration Time (~1 Year)

Added by Vivek Kumar about 1 month ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee: -
Start date: 03/16/2026
Due date:
% Done: 100%
Estimated time:

Description

The JWT access token issued after authentication has an excessively long expiration period of approximately one year.
Such a long-lived access token increases security risk because if the token is compromised, an attacker could maintain unauthorized access for an extended period without needing to re-authenticate.
This risk becomes more critical for Admin / Super Admin accounts, where long-lived tokens may allow prolonged unauthorized administrative access.

Steps to Reproduce

  1. Log in as a user and obtain the JWT token.
  2. Decode the JWT token using any JWT decoder (e.g., jwt.io).
  3. Observe the iat (issued at) and exp (expiration) values in the token payload:

{
  "_id": "603c4a2f9644be25e93e1089",
  "email": "admin@admin.com",
  "city": "Framingham",
  "type": "Admin",
  "roleId": "68d5408b64e37faa29056dda",
  "role": "Super Admin",
  "iat": 1773642944,
  "exp": 1805199870
}

Actual Result
The JWT token expiration (exp) is set approximately one year after issuance.

Expected Result
Access tokens should have a shorter expiration period to reduce security risks.

Actions #1

Updated by Adhi Narayanan about 1 month ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

We have done it like this:
Access token expires → refresh silently → user stays logged in

🎯 This EXACTLY matches your requirement

✔ Auto refresh when possible
✔ Auto logout when refresh fails

🧠 Final Architecture
🔐 Tokens

Access Token → short-lived (2 min) // for development we have set it to 2 min

Refresh Token → long-lived (7 days, stored in httpOnly cookie)

🔄 Flow (What happens internally)

User logs in → gets access token + refresh cookie

API request → uses access token

Access token expires → backend sends 401

Frontend intercepts → calls /refresh-token

New access token received

Original request retried automatically

User never notices anything

🚪 What happens when user logs out?

👉 When user clicks Logout, you must:

✅ 1. Delete refresh token from DB
✅ 2. Clear refresh token cookie
✅ 3. Remove access token from frontend (memory)
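
The refresh-and-retry flow from this comment, plus a lifetime check for the token in the issue description, as an added example that is not the project's own code. It assumes the access token is held in memory only, the refresh token is an httpOnly cookie sent with credentials: "include", and POST /refresh-token answers { accessToken } (all assumptions, not taken from the ticket).

```javascript
// Added example, not code from this project. Assumptions: in-memory access
// token, httpOnly refresh cookie sent via credentials: "include", and a
// POST /refresh-token endpoint returning { accessToken }.

// Decode (without verifying) a JWT payload so the client can read iat/exp.
// Handles base64url and ASCII payloads, which is all the check needs.
function decodeJwtPayload(token) {
  const seg = token.split(".")[1];
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (seg.length % 4)) % 4);
  const json = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  return JSON.parse(json);
}

// Lifetime in seconds; the ticket's iat/exp pair yields 31556926 (~365 days),
// which a pre-deployment check can flag against a short-lived policy.
function tokenLifetimeSeconds(token) {
  const { iat, exp } = decodeJwtPayload(token);
  return exp - iat;
}

// Client that refreshes exactly once on a 401 and logs out when the refresh fails.
function createApiClient({ fetchImpl, onLogout, refreshUrl = "/refresh-token" }) {
  let accessToken = null; // memory only, never localStorage

  async function refresh() {
    const res = await fetchImpl(refreshUrl, { method: "POST", credentials: "include" });
    if (!res.ok) return false;
    accessToken = (await res.json()).accessToken;
    return true;
  }

  async function request(url, init = {}) {
    const send = () => fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${accessToken}` },
    });
    const first = await send();
    if (first.status !== 401) return first;
    if (await refresh()) return send(); // access token expired: retry the original request once
    accessToken = null;                  // refresh failed: auto logout
    onLogout();
    return first;
  }

  return { request, setAccessToken: (t) => { accessToken = t; }, getAccessToken: () => accessToken };
}
```

A production client would also serialize concurrent refreshes so that several 401s arriving at once trigger a single /refresh-token call.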

Actions #2

Updated by Vivek Kumar about 1 month ago

  • Status changed from Resolved to In Progress

Actions #3

Updated by Adhi Narayanan about 1 month ago

  • Status changed from In Progress to Resolved

Actions #4

Updated by Vivek Kumar about 1 month ago

  • Status changed from Resolved to Closed