Add AUTH_TOKEN_LIFETIME_SECONDS support to example app#328
@spaicycookies Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Code Review
This pull request introduces support for configuring the authentication token lifetime via the AUTH_TOKEN_LIFETIME_SECONDS environment variable, including corresponding integration tests. Feedback on the changes highlights duplicate dependency declarations introduced in bun.lock and suggests using Number.isInteger instead of Number.isFinite when parsing the token lifetime to prevent non-integer values from causing issues with JWT expiration claims.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| "@types/bcryptjs": "^3.0.0", | ||
| "@types/bcryptjs": "^3.0.0", | ||
| "@types/better-sqlite3": "^7.6.13", | ||
| "@types/big.js": "^6.2.2", | ||
| "@types/bun": "latest", | ||
| "@types/express": "^5.0.6", | ||
| "@types/express": "^5.0.6", | ||
| "@types/jsonwebtoken": "^9.0.10", | ||
| "@types/jsonwebtoken": "^9.0.10", | ||
| "@types/node": "^25.5.0", | ||
| "@types/supertest": "^7.2.0", | ||
| "@types/supertest": "^7.2.0", |
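Review bot: "@types/bun": "latest" is the only entry in this hunk that uses a floating tag instead of a caret range like its neighbours, so a lockfile refresh can pull in any new release without a visible change to the manifest. Suggest pinning it to a version range (or an exact version) so dependency updates show up in review, and doing that in the same pass that removes the repeated entries.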
There are duplicate dependency declarations in devDependencies (e.g., @types/bcryptjs, @types/express, @types/jsonwebtoken, and @types/supertest). This can cause parsing issues or inconsistencies in the lockfile. Please remove the duplicate entries.
"@types/bcryptjs": "^3.0.0",
"@types/better-sqlite3": "^7.6.13",
"@types/big.js": "^6.2.2",
"@types/bun": "latest",
"@types/express": "^5.0.6",
"@types/jsonwebtoken": "^9.0.10",
"@types/node": "^25.5.0",
"@types/supertest": "^7.2.0",
| "supertest": "^7.2.2", | ||
| "supertest": "^7.2.2", |
| const parsedValue = Number(rawValue); | ||
| if (!Number.isFinite(parsedValue) || parsedValue <= 0) { | ||
| return undefined; | ||
| } |
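Review bot: Number(rawValue) on the first line accepts more than plain decimal seconds, and the check after it has no upper bound: "0x3c" parses to 60 and "1e9" to 1000000000, so a typo in AUTH_TOKEN_LIFETIME_SECONDS can yield tokens that stay valid for years. Suggest matching the raw string against /^[1-9][0-9]*$/ before converting, rejecting values above an agreed maximum, and logging a warning on the return undefined path so an invalid setting does not fall back to the default unnoticed.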
The auth token lifetime is parsed as any finite number, which allows float values (e.g., 3600.5). Since JWT expiration claims (exp and iat) must be integers representing epoch seconds, allowing non-integer values can lead to issues with token generation or verification in strict JWT libraries. It is safer to enforce that the configured lifetime is a positive integer.
const parsedValue = Number(rawValue);
if (!Number.isInteger(parsedValue) || parsedValue <= 0) {
  return undefined;
}
0b3d426 to 0573959
What does this PR do?
Exposes the SDK's configurable access token lifetime to the example app through an AUTH_TOKEN_LIFETIME_SECONDS env var. When unset (or invalid), the SDK default (3600s) is preserved.
How to test?
bun run test — new example/express-app AUTH_TOKEN_LIFETIME_SECONDS suites assert the default lifetime when the var is absent and 60s when it is set (decoded from the issued JWT exp/iat).
Checklist
bun run test and bun run lint locally.
Issue Reference
Closes #274
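How the lifetime parsing discussed in this PR behaves on awkward input, as an added example that is not code from the PR or the SDK: it compares the `Number.isFinite` check from the diff with a stricter decimal-only parser and shows the resulting `iat`/`exp` claims. The function names, the sample values and the one-day `MAX_LIFETIME_SECONDS` ceiling are assumptions made for illustration.

```javascript
// Added example; function names and MAX_LIFETIME_SECONDS are assumptions.
const DEFAULT_LIFETIME_SECONDS = 3600;     // SDK default stated in the PR description
const MAX_LIFETIME_SECONDS = 24 * 60 * 60; // hypothetical policy ceiling (one day)

// Same check as the hunk in the PR: any finite positive Number() result passes.
function parseLenient(rawValue) {
  const parsedValue = Number(rawValue);
  if (!Number.isFinite(parsedValue) || parsedValue <= 0) {
    return undefined;
  }
  return parsedValue;
}

// Strict variant: decimal digits only, so hex, exponent and fractional forms
// never reach Number(); then an integer and range check.
function parseStrict(rawValue) {
  if (typeof rawValue !== "string") return undefined;
  const trimmed = rawValue.trim();
  if (!/^[1-9][0-9]*$/.test(trimmed)) return undefined;
  const parsedValue = Number(trimmed);
  if (!Number.isSafeInteger(parsedValue) || parsedValue > MAX_LIFETIME_SECONDS) {
    return undefined;
  }
  return parsedValue;
}

// Claims a token would carry for a given raw setting; invalid input keeps the default.
function claimsFor(rawValue, nowSeconds) {
  const lifetime = parseStrict(rawValue) ?? DEFAULT_LIFETIME_SECONDS;
  return { iat: nowSeconds, exp: nowSeconds + lifetime };
}

// Constructed sample values for AUTH_TOKEN_LIFETIME_SECONDS.
const SAMPLES = ["60", " 60 ", "3600.5", "0x3c", "1e9", "Infinity", "-5", "", undefined];

function compare() {
  return SAMPLES.map((raw) => ({
    raw: String(raw),
    lenient: parseLenient(raw),
    strict: parseStrict(raw),
  }));
}

console.table(compare());
```

The table makes the gap visible: the lenient check accepts `3600.5`, `0x3c` and `1e9`, while the strict parser rejects all three and the default lifetime applies.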