From cfeb6bd502a0f69483db35c37217b8f738c5d029 Mon Sep 17 00:00:00 2001
From: Nicholas Wallace
Date: Sat, 24 Jan 2026 18:57:40 -0700
Subject: [PATCH] Fix: grace period enable statement
---
 server/auth/TokenManager.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/server/auth/TokenManager.js b/server/auth/TokenManager.js
index 63463c4b5..12a92903c 100644
--- a/server/auth/TokenManager.js
+++ b/server/auth/TokenManager.js
@@ -183,15 +183,15 @@ class TokenManager {
 * @param {import('../models/User')} user
 * @param {import('express').Request} req
 * @param {import('express').Response} res
- * @param {boolean} noGracePeriod - whether to skip the grace period
+ * @param {boolean} gracePeriod - whether to use the grace period
 * @returns {Promise<{ accessToken:string, refreshToken:string }>}
 */
- async rotateTokensForSession(session, user, req, res, noGracePeriod = false) {
+ async rotateTokensForSession(session, user, req, res, gracePeriod = true) {
 // Generate new tokens
 const newAccessToken = this.generateTempAccessToken(user)
 let newRefreshToken = this.generateRefreshToken(user)
- if (noGracePeriod) {
+ if (gracePeriod) {
 // Set grace period of old refresh token in case of race condition in token rotation.
 // This grace period may need to be longer if fetching the user data takes longer due to large progress objects
 session.lastRefreshToken = session.refreshToken
@@ -423,7 +423,7 @@ class TokenManager {
 // So rotate token for current session
 const currentSession = await Database.sessionModel.findOne({ where: { refreshToken: currentRefreshToken } })
 if (currentSession) {
- const newTokens = await this.rotateTokensForSession(currentSession, user, req, res, true)
+ const newTokens = await this.rotateTokensForSession(currentSession, user, req, res, false)
 // Invalidate all sessions for the user except the current one
 await Database.sessionModel.destroy({
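Review bot: The new `if (gracePeriod)` branch records `session.lastRefreshToken`, but nothing visible in this hunk clears a value left over from an earlier rotation when `gracePeriod` is false. If the session was rotated with a grace period shortly before, the older refresh token could presumably still be accepted after a rotation that was meant to allow none; consider an explicit `else { session.lastRefreshToken = null }`, together with whatever field stores the grace expiry. The JSDoc would also be clearer as `@param {boolean} gracePeriod - keep the previous refresh token valid for a short window after rotation; pass false when the old token must stop working immediately`. The function body continues past the end of the hunk, so the reset may already happen there.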
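Review bot: The bare `false` passed as the fifth argument in the call under `if (currentSession)` is hard to read, more so because this commit inverts what that positional boolean means. A short comment above the call, e.g. `// No grace period: the old refresh token must be rejected as soon as the other sessions are invalidated`, would make the intent explicit. Any caller outside this patch that passes a fifth argument would now get the opposite behaviour, and the diffstat shows only this file changed, so those call sites are worth checking. The enclosing method starts and ends outside the hunk.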