Skip to content

feat: allow custom jwt duration#11009

Merged
TorstenDittmann merged 3 commits into1.8.xfrom
feat-allow-custom-jwt-duration
Dec 22, 2025
Merged

feat: allow custom jwt duration#11009
TorstenDittmann merged 3 commits into1.8.xfrom
feat-allow-custom-jwt-duration

Conversation

@TorstenDittmann
Copy link
Copy Markdown
Contributor

@TorstenDittmann TorstenDittmann commented Dec 22, 2025

What does this PR do?

  • allowing custom jwt duration, basically allowing for accounts what we already do here:

Checklist

  • Have you read the Contributing Guidelines on issues?
  • If the PR includes a change to an API's metadata (desc, label, params, etc.), does it also include updated API specs and example docs?

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Dec 22, 2025
edited
Loading

📝 Walkthrough

Walkthrough

Adds an optional duration input to JWT creation and session-alert endpoints in app/controllers/api/account.php. The parameter is validated with Utopia\Validator\Range(0, 3600), defaults to 900 seconds, and is passed into JWT generation and the sendSessionAlert flow to control token expiry. The change adds use Utopia\Validator\Range; and wires the duration through handler logic. A new end-to-end test tests a short custom duration (5s), verifies access before expiry, waits past expiry, and expects the token to be rejected.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Files to inspect:
    • app/controllers/api/account.php — route input declaration, Range validator usage, default value, and correct propagation into JWT creation and sendSessionAlert.
    • JWT creation code paths — verify expiry field is set from duration in all relevant branches.
    • sendSessionAlert flow — ensure the duration parameter is accepted and applied.
    • tests/e2e/Services/Account/AccountCustomClientTest.php — confirm timing-based assertions are robust and use tolerances appropriate for CI environments.
  • Pay attention to validation boundaries (0 and 3600), default behavior when duration is omitted, and compatibility with existing clients.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main change: adding support for custom JWT duration in account endpoints, matching the primary objective of the PR.
Description check ✅ Passed The description explains the purpose (enabling custom JWT duration for accounts) and references equivalent existing implementations in other parts of the codebase, demonstrating alignment with the changeset.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch feat-allow-custom-jwt-duration
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd824fa and 37e76e5.

📒 Files selected for processing (1)
  • app/controllers/api/account.php
🧰 Additional context used
🧬 Code graph analysis (1)
app/controllers/api/account.php (1)
src/Appwrite/GraphQL/Types/Mapper.php (1)
  • param (255-363)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)
  • GitHub Check: E2E Service Test (VCS)
  • GitHub Check: E2E Service Test (Projects)
  • GitHub Check: E2E Service Test (Sites)
  • GitHub Check: E2E Service Test (Realtime)
  • GitHub Check: E2E Service Test (GraphQL)
  • GitHub Check: E2E Service Test (Databases/Legacy)
  • GitHub Check: E2E Service Test (Console)
  • GitHub Check: E2E Service Test (FunctionsSchedule)
  • GitHub Check: E2E Service Test (Locale)
  • GitHub Check: E2E Service Test (Databases/TablesDB)
  • GitHub Check: E2E Service Test (Functions)
  • GitHub Check: E2E Service Test (Site Screenshots)
  • GitHub Check: Unit Test
  • GitHub Check: E2E Service Test (Dev Keys)
  • GitHub Check: E2E General Test
  • GitHub Check: Benchmark
  • GitHub Check: CodeQL
  • GitHub Check: Linter
  • GitHub Check: scan
🔇 Additional comments (3)
app/controllers/api/account.php (3)

71-71: LGTM: Import added for Range validator.

The import is correctly added to support the new duration parameter validation.

2964-2981: LGTM: Duration parameter properly wired through.

The duration parameter is now correctly:

  1. Injected into the action function signature (line 2964)
  2. Passed to the JWT constructor (line 2971)

This resolves the previous issue where the parameter was declared but never used. The implementation correctly allows callers to customize JWT expiration duration.

78-207: Note: AI summary inconsistency regarding sendSessionAlert.

The AI-generated summary states that sendSessionAlert was "extended to accept a duration parameter," but no such changes are visible in the function signature (line 78) or its implementation. The only duration-related changes in this file are for the JWT creation endpoint (lines 2957-2981).

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new bot commented Dec 22, 2025
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/appwrite/appwrite/@appwrite.io/console@11009

commit: 37e76e5

@github-actions
Copy link
Copy Markdown

github-actions bot commented Dec 22, 2025
edited
Loading

Security Scan Results for PR

Docker Image Scan Results

Package Version Vulnerability Severity
libpng 1.6.51-r0 CVE-2025-66293 HIGH
libpng-dev 1.6.51-r0 CVE-2025-66293 HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

coderabbitai[bot]
coderabbitai bot reviewed Dec 22, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
app/controllers/api/account.php (2)

2964-2981: Critical: JWT duration is hardcoded and doesn't use the parameter.

The action function is missing the duration parameter in its signature (line 2964), and the JWT constructor on line 2971 uses a hardcoded value of 900 instead of the duration parameter. This means the feature doesn't work at all.

🔎 Proposed fix 
-    ->action(function (Response $response, User $user, Store $store, ProofsToken $proofForToken) {
+    ->action(function (int $duration, Response $response, User $user, Store $store, ProofsToken $proofForToken) {
         $sessionId = $user->sessionVerify($store->getProperty('secret', ''), $proofForToken);
 
         if (!$sessionId) {
             throw new Exception(Exception::USER_SESSION_NOT_FOUND);
         }
 
-        $jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 900, 0);
+        $jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', $duration, 0);
 
         $response
             ->setStatusCode(Response::STATUS_CODE_CREATED)

2957-2981: Fix unused duration parameter in JWT creation.

The duration parameter validation is consistent across account.php, projects.php, and users.php (all use Range(0, 3600) with default 900), but account.php has a critical bug: the JWT constructor hardcodes 900 instead of using the $duration parameter. At line 2971, change new JWT(..., 900, 0) to new JWT(..., $duration, 0) to match the implementations in projects.php (line 1731) and users.php (line 2647).

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3e96f9c and 96b11b0.

⛔ Files ignored due to path filters (6)
  • app/config/specs/open-api3-latest-client.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-latest-console.json is excluded by !app/config/specs/**
  • app/config/specs/open-api3-latest-server.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-latest-client.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-latest-console.json is excluded by !app/config/specs/**
  • app/config/specs/swagger2-latest-server.json is excluded by !app/config/specs/**
📒 Files selected for processing (1)
  • app/controllers/api/account.php
🧰 Additional context used
🧬 Code graph analysis (1)
app/controllers/api/account.php (1)
src/Appwrite/GraphQL/Types/Mapper.php (1)
  • param (255-363)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Setup & Build Appwrite Image
  • GitHub Check: Setup & Build SDK
  • GitHub Check: scan
🔇 Additional comments (1)
app/controllers/api/account.php (1)

71-71: LGTM - Import correctly added.

The Range validator import is appropriate for validating the JWT duration parameter.

coderabbitai[bot]
coderabbitai bot reviewed Dec 22, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
tests/e2e/Services/Account/AccountCustomClientTest.php (1)

1890-1940: Consider increasing the timing buffer to improve test reliability.

The test creates a JWT with a 5-second duration, then sleeps for 6 seconds before verifying expiration. While this 1-second buffer should work in most cases, it could lead to flaky test failures if API calls experience delays.

Consider increasing the buffer for more robust testing:

-        ]), [
-            'duration' => 5
-        ]);
+        ]), [
+            'duration' => 10
+        ]);

...

-        // Wait for JWT to expire
-        \sleep(6);
+        // Wait for JWT to expire (duration + 3 second buffer)
+        sleep(13);

Minor style note: Line 1929 uses \sleep(6) while other parts of the file use sleep() (which is imported on line 15). For consistency, consider using sleep(6) without the backslash.

</review_comment_end>

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 96b11b0 and cd824fa.

📒 Files selected for processing (1)
  • tests/e2e/Services/Account/AccountCustomClientTest.php
🧰 Additional context used
🧬 Code graph analysis (1)
tests/e2e/Services/Account/AccountCustomClientTest.php (2)
tests/e2e/Client.php (1)
  • Client (8-342)
tests/e2e/Scopes/Scope.php (1)
  • getProject (150-150)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (20)
  • GitHub Check: E2E Service Test (Webhooks)
  • GitHub Check: E2E Service Test (Storage)
  • GitHub Check: E2E Service Test (Health)
  • GitHub Check: E2E Service Test (Teams)
  • GitHub Check: E2E Service Test (Functions)
  • GitHub Check: E2E Service Test (Account)
  • GitHub Check: E2E Service Test (Projects)
  • GitHub Check: E2E Service Test (Databases/TablesDB)
  • GitHub Check: E2E Service Test (Locale)
  • GitHub Check: E2E Service Test (FunctionsSchedule)
  • GitHub Check: E2E Service Test (Avatars)
  • GitHub Check: E2E Service Test (Console)
  • GitHub Check: Unit Test
  • GitHub Check: E2E Service Test (Site Screenshots)
  • GitHub Check: E2E Service Test (Dev Keys)
  • GitHub Check: E2E General Test
  • GitHub Check: Benchmark
  • GitHub Check: Setup & Build SDK
  • GitHub Check: Linter
  • GitHub Check: scan

@github-actions
Copy link
Copy Markdown

github-actions bot commented Dec 22, 2025

✨ Benchmark results

  • Requests per second: 1,175
  • Requests with 200 status code: 211,523
  • P99 latency: 0.166083847

⚡ Benchmark Comparison

Metric This PR Latest version
RPS 1,175 1,258
200 211,523 226,486
P99 0.166083847 0.161612284

@TorstenDittmann TorstenDittmann merged commit 4df8157 into 1.8.x Dec 22, 2025
72 of 73 checks passed
@TorstenDittmann TorstenDittmann deleted the feat-allow-custom-jwt-duration branch December 22, 2025 17:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@loks0n loks0n loks0n approved these changes

+1 more reviewer

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TorstenDittmann @loks0n