Bug #18

closed

JWT Access Token Has Excessively Long Expiration Time (~1 Year)

Added by Vivek Kumar about 1 month ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee: -
Start date: 03/16/2026
Due date: -
% Done: 100%
Estimated time: -

Description

The JWT access token issued after authentication has an excessively long validity period: the difference between the exp and iat claims in the decoded token is 31,556,926 seconds, i.e. approximately one year.
A long-lived access token increases risk because a stateless JWT is normally accepted until exp with no server-side check; if the token is leaked (browser storage, logs, a lost device, a proxy capture), an attacker can keep using it for the rest of that period without ever re-authenticating, and the user cannot invalidate it by logging out or changing their password.
The risk is most severe for Admin / Super Admin accounts, where a stolen token grants prolonged unauthorized administrative access.

Steps to Reproduce

  1. Log in as a user and obtain the JWT access token from the authentication response.
  2. Decode the JWT using any JWT decoder (e.g., jwt.io); the payload is base64url-encoded and readable without the signing key.
  3. Observe the iat (issued at) and exp (expiration) values in the token payload:
{
  "_id": "603c4a2f9644be25e93e1089",
  "email": "admin@admin.com",
  "city": "Framingham",
  "type": "Admin",
  "roleId": "68d5408b64e37faa29056dda",
  "role": "Super Admin",
  "iat": 1773642944,
  "exp": 1805199870
}

Actual Result
The token's exp is set approximately one year after iat (1805199870 - 1773642944 = 31,556,926 seconds), so the access token remains valid for about 365 days after issuance.

Expected Result
Access tokens should be short-lived (on the order of minutes to one hour, and shorter still for Admin / Super Admin roles), with session continuity provided by a separate refresh token that can be rotated and revoked server-side. The issuing code should enforce the maximum lifetime as a hard cap rather than relying on the caller to pass a sensible value.
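The following script is an added example, not code from the project under test. It reproduces steps 2 and 3 offline (decoding the payload without signature verification, exactly as jwt.io does, and computing exp - iat on the claims shown above), and it also shows the issuing-side fix from the Expected Result: a minting helper that refuses any lifetime above a policy cap. The signing key, the one-hour cap, and the Admin/Super Admin role check are assumptions for the example; the payload values are those from this report.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed from the decoded payload in this bug report (not captured from a live system).
REPORTED_PAYLOAD = {
    "_id": "603c4a2f9644be25e93e1089",
    "email": "admin@admin.com",
    "city": "Framingham",
    "type": "Admin",
    "roleId": "68d5408b64e37faa29056dda",
    "role": "Super Admin",
    "iat": 1773642944,
    "exp": 1805199870,
}

# Hypothetical key, only so the example can build a well-formed HS256 token offline.
DEMO_KEY = b"example-key-not-the-project-key"

# Assumed policy cap for access tokens: one hour.
MAX_ACCESS_TOKEN_LIFETIME = 60 * 60
PRIVILEGED_ROLES = {"Admin", "Super Admin"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS; used here only to produce a sample token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_payload_unverified(token: str) -> dict:
    """Step 2 of the report: read the claims without checking the signature (like jwt.io)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def token_lifetime_seconds(claims: dict) -> int:
    if "iat" not in claims or "exp" not in claims:
        raise ValueError("token lacks iat or exp")
    return int(claims["exp"]) - int(claims["iat"])


def audit_lifetime(token: str, max_seconds: int = MAX_ACCESS_TOKEN_LIFETIME) -> dict:
    """Step 3 of the report: compute exp - iat and flag tokens that exceed the cap."""
    claims = decode_payload_unverified(token)
    lifetime = token_lifetime_seconds(claims)
    return {
        "lifetime_seconds": lifetime,
        "lifetime_days": round(lifetime / 86400, 1),
        "privileged": claims.get("role") in PRIVILEGED_ROLES or claims.get("type") == "Admin",
        "too_long": lifetime > max_seconds,
    }


def mint_short_lived(claims: dict, key: bytes, lifetime_seconds: int,
                     now: Optional[int] = None) -> str:
    """Issuer-side fix: the cap is enforced here, not left to the caller."""
    if lifetime_seconds <= 0 or lifetime_seconds > MAX_ACCESS_TOKEN_LIFETIME:
        raise ValueError(
            f"access token lifetime {lifetime_seconds}s exceeds cap of "
            f"{MAX_ACCESS_TOKEN_LIFETIME}s"
        )
    issued_at = int(time.time()) if now is None else now
    return mint_hs256(dict(claims, iat=issued_at, exp=issued_at + lifetime_seconds), key)


if __name__ == "__main__":
    reported = mint_hs256(REPORTED_PAYLOAD, DEMO_KEY)
    print("reported token:", audit_lifetime(reported))
    fixed = mint_short_lived({"email": "admin@admin.com", "role": "Super Admin"}, DEMO_KEY, 900)
    print("15-minute token:", audit_lifetime(fixed))
```

Running the script prints a lifetime of 31,556,926 seconds (365.2 days) with too_long and privileged both true for the reported claims, and too_long false for the 15-minute token. The audit deliberately skips signature verification because lifetime is a property of the claims alone; any real verifier must still check the signature and exp before trusting the token.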
