Add custom JWT TTL (#4234)

resolves #4224
2026-04-25 17:15:37 +02:00 · 2025-08-01 10:39:38 -07:00
parent c218a0dfe3
commit a9d9f9cdfd
5 changed files with 14 additions and 13 deletions
--- a/docker/.env.example
+++ b/docker/.env.example
@@ -5,6 +5,7 @@ GID='1000'
 # SIG_KEY='passphrase' # Please generate random string at least 32 chars long.
 # SIG_SALT='salt' # Please generate random string at least 32 chars long.
 # JWT_SECRET="my-random-string-for-seeding" # Only needed if AUTH_TOKEN is set. Please generate random string at least 12 chars long.
+# JWT_EXPIRY="30d" # (optional) https://docs.anythingllm.com/configuration#custom-ttl-for-sessions

 ###########################################
 ######## LLM API SElECTION ################
--- a/server/.env.example
+++ b/server/.env.example
@@ -1,5 +1,6 @@
 SERVER_PORT=3001
 JWT_SECRET="my-random-string-for-seeding" # Please generate random string at least 12 chars long.
+# JWT_EXPIRY="30d" # (optional) https://docs.anythingllm.com/configuration#custom-ttl-for-sessions
 SIG_KEY='passphrase' # Please generate random string at least 32 chars long.
 SIG_SALT='salt' # Please generate random string at least 32 chars long.

--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -202,18 +202,18 @@ function systemEndpoints(app) {
          existingUser?.id
        );

-        // Check if the user has seen the recovery codes
+        // Generate a session token for the user then check if they have seen the recovery codes
+        // and if not, generate recovery codes and return them to the frontend.
+        const sessionToken = makeJWT(
+          { id: existingUser.id, username: existingUser.username },
+          process.env.JWT_EXPIRY
+        );
        if (!existingUser.seen_recovery_codes) {
          const plainTextCodes = await generateRecoveryCodes(existingUser.id);
-
-          // Return recovery codes to frontend
          response.status(200).json({
            valid: true,
            user: User.filterFields(existingUser),
-            token: makeJWT(
-              { id: existingUser.id, username: existingUser.username },
-              "30d"
-            ),
+            token: sessionToken,
            message: null,
            recoveryCodes: plainTextCodes,
          });
@@ -223,10 +223,7 @@ function systemEndpoints(app) {
        response.status(200).json({
          valid: true,
          user: User.filterFields(existingUser),
-          token: makeJWT(
-            { id: existingUser.id, username: existingUser.username },
-            "30d"
-          ),
+          token: sessionToken,
          message: null,
        });
        return;
@@ -259,7 +256,7 @@ function systemEndpoints(app) {
          valid: true,
          token: makeJWT(
            { p: new EncryptionManager().encrypt(password) },
-            "30d"
+            process.env.JWT_EXPIRY
          ),
          message: null,
        });
--- a/server/models/temporaryAuthToken.js
+++ b/server/models/temporaryAuthToken.js
@@ -86,7 +86,7 @@ const TemporaryAuthToken = {
      // Create a new session token for the user valid for 30 days
      const sessionToken = makeJWT(
        { id: token.user.id, username: token.user.username },
-        "30d"
+        process.env.JWT_EXPIRY
      );

      return { sessionToken, token, error: null };
--- a/server/utils/helpers/updateENV.js
+++ b/server/utils/helpers/updateENV.js
@@ -1094,6 +1094,8 @@ function dumpENV() {
    ...Object.values(KEY_MAPPING).map((values) => values.envKey),
    // Manually Add Keys here which are not already defined in KEY_MAPPING
    // and are either managed or manually set ENV key:values.
+    "JWT_EXPIRY",
+
    "STORAGE_DIR",
    "SERVER_PORT",
    // For persistent data encryption