Persist visitor auth token in cookie for as long as the token is valid (#2931)

Author: SamyPesse

biome.json

@@ -67,7 +67,12 @@
                 "useThrowOnlyError": "error"
             },
             "suspicious": {
-                "noConsole": "warn",
+                "noConsole": {
+                    "level": "warn",
+                    "options": {
+                        "allow": ["assert", "error", "warn"]
+                    }
+                },
                 "noExplicitAny": "warn",
                 "noImplicitAnyLet": "warn",
                 "noConfusingVoidType": "warn",

bun.lock

@@ -77,6 +77,7 @@
         "framer-motion": "^10.16.14",
         "js-cookie": "^3.0.5",
         "jsontoxml": "^1.0.1",
+        "jwt-decode": "^4.0.0",
         "katex": "^0.16.9",
         "mathjax": "^3.2.2",
         "mdast-util-to-markdown": "^2.1.2",
@@ -2251,6 +2252,8 @@
 
     "jws": ["[email protected]", "", { "dependencies": { "jwa": "^1.4.1", "safe-buffer": "^5.0.1" } }, "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA=="],
 
+    "jwt-decode": ["[email protected]", "", {}, "sha512-+KJGIyHgkGuIq3IEBNftfhW/LfWhXUIY6OmyVWjliu5KH1y0fw7VQ8YndE2O4qZdMSd9SqbnC8GOcZEy0Om7sA=="],
+
     "katex": ["[email protected]", "", { "dependencies": { "commander": "^8.3.0" }, "bin": { "katex": "cli.js" } }, "sha512-RQrI8rlHY92OLf3rho/Ts8i/XvjgguEjOkO1BEXcU3N8BqPpSzBNwV/G0Ukr+P/l3ivvJUE/Fa/CwbS6HesGNQ=="],
 
     "keyv": ["[email protected]", "", { "dependencies": { "json-buffer": "3.0.0" } }, "sha512-9ykJ/46SN/9KPM/sichzQ7OvXyGDYKGTaDlKMGCAlg2UK8KRy4jb0d8sFc+0Tt0YYnThq8X2RZgCg74RPxgcVA=="],

packages/gitbook/package.json

@@ -64,7 +64,8 @@
         "tailwind-shades": "^1.1.2",
         "url-join": "^5.0.0",
         "usehooks-ts": "^3.1.0",
-        "ai": "^4.1.46"
+        "ai": "^4.1.46",
+        "jwt-decode": "^4.0.0"
     },
     "devDependencies": {
         "@argos-ci/playwright": "^3.10.0",

packages/gitbook/src/lib/visitor-token.ts

@@ -1,3 +1,4 @@
+import { type JwtPayload, jwtDecode } from 'jwt-decode';
 import type { NextRequest } from 'next/server';
 import hash from 'object-hash';
 
@@ -82,6 +83,18 @@ export function getResponseCookiesForVisitorAuth(
     basePath: string,
     visitorTokenLookup: VisitorTokenLookup
 ): ResponseCookies {
+    if (!visitorTokenLookup) {
+        return {};
+    }
+
+    let decoded: JwtPayload;
+    try {
+        decoded = jwtDecode(visitorTokenLookup.token);
+    } catch (error) {
+        console.error('Error decoding visitor token', error);
+        return {};
+    }
+
     return {
         /**
          * If the visitor token has been retrieve from the URL, or if its a VA cookie and the basePath is the same, set it
@@ -99,7 +112,7 @@ export function getResponseCookiesForVisitorAuth(
                           httpOnly: true,
                           sameSite: process.env.NODE_ENV === 'production' ? 'none' : undefined,
                           secure: process.env.NODE_ENV === 'production',
-                          maxAge: 7 * 24 * 60 * 60,
+                          maxAge: getVisitorAuthCookieMaxAge(decoded),
                       },
                   },
               }
@@ -212,3 +225,21 @@ function findVisitorAuthCookieForBasePath(
         undefined
     );
 }
+
+/**
+ * Get the max age to store a visitor auth token in a cookie.
+ * We want to store the token for as long as it's valid, but at least 1 minute.
+ * If an invalid token is passed to the API, the API will return a redirect to the auth flow.
+ */
+function getVisitorAuthCookieMaxAge(decoded: JwtPayload): number {
+    const defaultMaxAge = 7 * 24 * 60 * 60; // 7 days
+    const minMaxAge = 60; // 1 min
+    const exp = decoded.exp;
+
+    if (typeof exp === 'number') {
+        const now = new Date().getTime();
+        return Math.max(exp - now, minMaxAge);
+    }
+
+    return defaultMaxAge;
+}