@rossnelson
Collaborator

Summary

  • Add server-side enforcement of maximum session duration independent of token expiry
  • When maxSessionDuration is configured, users must re-authenticate after the specified time even if tokens are still refreshable
  • Add Claude Code skills for auth testing documentation

Changes

  • Add MaxSessionDuration field to Auth config struct
  • Set session_start cookie on login callback to track session age
  • Validate session duration in auth middleware, return 401 when exceeded
  • Configure OIDC test server session TTL to match for local testing
  • Document testing scenarios in config files

Test plan

  • Run pnpm dev:with-auth to start local auth environment
  • Login and verify session_start cookie is set
  • Wait for token expiry (~60s) and verify automatic refresh works
  • Wait for session expiry (~2m) and verify redirect to SSO login
  • Verify user must re-enter credentials at OIDC provider

Add server-side enforcement of maximum session duration independent of
token expiry. When maxSessionDuration is set, users must re-authenticate
after the configured time even if tokens are still refreshable.

- Add MaxSessionDuration to Auth config struct
- Set session_start cookie on login callback
- Validate session age in auth middleware
- Configure OIDC server session TTL to match for testing
- Document testing scenarios in config files

Add Claude Code configuration and skills for project-specific guidance:
- settings.local.json: local Claude settings
- skills/auth-testing: auth token refresh testing documentation
- skills/svelte-migrate: Svelte migration guidance
@rossnelson rossnelson requested a review from a team as a code owner January 13, 2026 19:52
@rossnelson rossnelson requested review from andrewzamojc and removed request for a team January 13, 2026 19:52
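
The session-age check listed under Changes, sketched as an added example; it is not code from this pull request. Assumptions: the function names and plain `net/http` middleware are hypothetical, and the cookie value is HMAC-signed here so a client cannot reset its own session start (the PR text does not say how `session_start` is protected).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// signStart builds the session_start cookie value "<unix-seconds>.<hex HMAC-SHA256>".
func signStart(key []byte, start time.Time) string {
	ts := strconv.FormatInt(start.Unix(), 10)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(ts))
	return ts + "." + hex.EncodeToString(m.Sum(nil))
}

// sessionExpired fails closed: malformed, forged, future-dated or too-old values all count as expired.
func sessionExpired(key []byte, value string, limit time.Duration, now time.Time) bool {
	ts, _, _ := strings.Cut(value, ".")
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil || !hmac.Equal([]byte(signStart(key, time.Unix(unix, 0))), []byte(value)) {
		return true
	}
	age := now.Sub(time.Unix(unix, 0))
	return age < 0 || age >= limit
}

// enforceMaxSession returns 401 once the session is older than limit; limit == 0 is assumed to mean "not configured".
func enforceMaxSession(key []byte, limit time.Duration, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session_start")
		if limit > 0 && (err != nil || sessionExpired(key, c.Value, limit, time.Now())) {
			http.Error(w, "session expired", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	v := signStart(key, time.Now().Add(-3*time.Minute))
	fmt.Println("expired after 2m:", sessionExpired(key, v, 2*time.Minute, time.Now()))
}
```

Because the check runs on every request and does not consult token state, a successful token refresh does not extend the session.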
@vercel

vercel bot commented Jan 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
holocene Ready Ready Preview, Comment Jan 13, 2026 8:03pm
