Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request]: Customizable session.fresh / active period expiration #1630

Closed
wobedi opened this issue Jul 11, 2024 · 8 comments
Closed

[Feature Request]: Customizable session.fresh / active period expiration #1630

wobedi opened this issue Jul 11, 2024 · 8 comments
Labels
feature request New feature requests

Comments

@wobedi
Copy link

wobedi commented Jul 11, 2024
edited
Loading

Package

lucia

Description

Currently the session is refreshed if the user is active within the second half of their expiry period:
https://github.com/lucia-auth/lucia/blob/1210baf16a1754f8a3deba962f1be94dd047072e/packages/lucia/src/core.ts#L135C9-L135C35

It would be great if this could be customized.

E.g. for our use case I would love to customize this behavior to "refresh the session on every visit" instead of "only refresh the session if user happens visit in second half of their expiry period"
@wobedi wobedi added the feature request New feature requests label Jul 11, 2024
@doroved
Copy link

doroved commented Jul 18, 2024

E.g. for our use case I would love to customize this behavior to "refresh the session on every visit" instead of "only refresh the session if user happens visit in second half of their expiry period"

To put it simply, you want a session with no expiration date.

@pilcrowonpaper
Copy link
Member

I'm not planning to implement this now or in current version, especially if we go with #1639. You're probably better off implementing your own session management

@pilcrowonpaper pilcrowonpaper closed this as not planned Won't fix, can't repro, duplicate, stale Jul 24, 2024
@jshear
Copy link

jshear commented Jul 24, 2024
edited
Loading

I'm not planning to implement this now or in current version, especially if we go with #1639. You're probably better off implementing your own session management

What is the connection between user-defined adapters and this issue? Sorry if it's obvious, I'm just getting familiar with this library and trying to make sure I have a good understanding.

Even in the current V4, Lucia's validateSession is still handling expiration updates.

If the plan is to keep this logic within Lucia, I agree that a config could be useful to give control to the dev. For example, a extensionGracePeriod config where the expiration is extended if session.expiresAt.getTime() - Date.now() < extensionGracePeriod

@wobedi
Copy link
Author

wobedi commented Jul 24, 2024
edited
Loading

E.g. for our use case I would love to customize this behavior to "refresh the session on every visit" instead of "only refresh the session if user happens visit in second half of their expiry period"

To put it simply, you want a session with no expiration date.

Not quite - I want a session that expires if the user does not visit at any point in time before the expiry datetime

I'm not planning to implement this now or in current version, especially if we go with #1639. You're probably better off implementing your own session management

Fair. We might try to just build our own little "session refresh" logic for this and use Lucia otherwise. Will update here with result if we do that.

@pilcrowonpaper
Copy link
Member

@jshear

What is the connection between user-defined adapters and this issue?

I'm not talking about adapters here; rather I think you'd be better off ditching Lucia completely and implementing sessions from scratch

@wobedi
Copy link
Author

wobedi commented Jul 24, 2024
edited
Loading

@jshear

What is the connection between user-defined adapters and this issue?
@pilcrowonpaper
I'm not talking about adapters here; rather I think you'd be better off ditching Lucia completely and implementing sessions from scratch

Seems drastic - would prefer to just configure refresh behavior. Loving Lucia otherwise.
Happy to try my hand at raising a PR for this, but only if you generally agree with the direction of course.

@pilcrowonpaper
Copy link
Member

To be honest, I just don't like callbacks.

import { SessionState } from "lucia";

const lucia = new Lucia(adapter, {
  checkSession: (session) => {
    if (Date.now() >= session.expiresAt.getTime()) {
      return SessionState.Invalid;
    }
    return SessionState.UpdateExpiration;
  },
})

You probably can update the expiration when retrieving the session too.

UPDATE session SET expires_at = expires_at + 2592000 RETURNING *;

@wobedi
Copy link
Author

wobedi commented Jul 25, 2024
edited
Loading

@pilcrowonpaper
To be honest, I just don't like callbacks.

I guess I wasn't thinking of the API as a callback.

I like the direction that @jshear hinted at above - something declarative like:

const lucia = new Lucia(adapter, {
    sessionExpiresIn: new TimeSpan(30, 'd'),
    refreshSessionAfter: new TimeSpan(1, 'd'),
}

You could continue to default refreshSessionAfter to half the time span of the expiry.
And devs could choose to refresh it earlier or later.

(happy to try my hand at a PR for this - if you agree with the direction)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request New feature requests
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@doroved @wobedi @jshear @pilcrowonpaper