From 5607affa59ceb0253f6cbfe80f9fe9020a554317 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?=
Date: Sat, 25 Jan 2025 20:50:28 +0000
Subject: [PATCH] fix: Drop expiry from internal only JWT (#4207)
---
 api.planx.uk/modules/auth/service.ts | 5 +++--
 api.planx.uk/modules/auth/strategy/google.ts | 4 ++--
 api.planx.uk/modules/auth/strategy/microsoft-oidc.ts | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/api.planx.uk/modules/auth/service.ts b/api.planx.uk/modules/auth/service.ts
index 5259bf3fe2..e7b5792619 100644
--- a/api.planx.uk/modules/auth/service.ts
+++ b/api.planx.uk/modules/auth/service.ts
@@ -3,7 +3,9 @@ import { $api } from "../../client/index.js";
 import type { User, Role } from "@opensystemslab/planx-core/types";
 import type { HasuraClaims, JWTData } from "./types.js";
-export const buildJWT = async (email: string): Promise => {
+export const buildUserJWT = async (
+ email: string,
+): Promise => {
 const user = await $api.user.getByEmail(email);
 if (!user) return;
@@ -28,7 +30,6 @@ export const buildJWTForAPIRole = () =>
 },
 },
 process.env.JWT_SECRET!,
- { expiresIn: "24h" },
 );
 const generateHasuraClaimsForUser = (user: User): HasuraClaims => ({
diff --git a/api.planx.uk/modules/auth/strategy/google.ts b/api.planx.uk/modules/auth/strategy/google.ts
index b266a8a163..f1384a3e24 100644
--- a/api.planx.uk/modules/auth/strategy/google.ts
+++ b/api.planx.uk/modules/auth/strategy/google.ts
@@ -1,5 +1,5 @@
 import { Strategy as GoogleStrategy } from "passport-google-oauth20";
-import { buildJWT } from "../service.js";
+import { buildUserJWT } from "../service.js";
 export const googleStrategy = new GoogleStrategy(
 {
@@ -11,7 +11,7 @@ export const googleStrategy = new GoogleStrategy(
 const { email } = profile._json;
 if (!email) throw Error("Unable to authenticate without email");
- const jwt = await buildJWT(email);
+ const jwt = await buildUserJWT(email);
 if (!jwt) {
 return done({
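Review bot: With `{ expiresIn: "24h" }` removed, the token signed in `buildJWTForAPIRole` (second hunk of api.planx.uk/modules/auth/service.ts) carries no `exp` claim, so a copy that ends up in a log, an error report or a forwarded header stays valid until `JWT_SECRET` is rotated. The commit title calls this JWT internal-only, but nothing visible in the hunk records or enforces that, and the function body starts outside the hunk, so how the token is used cannot be checked from here. If the token can be minted per call, keeping a short lifetime such as `{ expiresIn: "5m" }` limits the exposure; otherwise record the assumption where the options argument used to be: `// No expiry on purpose: internal-only token, must never leave the API; revoke by rotating JWT_SECRET`.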
diff --git a/api.planx.uk/modules/auth/strategy/microsoft-oidc.ts b/api.planx.uk/modules/auth/strategy/microsoft-oidc.ts
index 82fcc437b1..ac1b4944b5 100644
--- a/api.planx.uk/modules/auth/strategy/microsoft-oidc.ts
+++ b/api.planx.uk/modules/auth/strategy/microsoft-oidc.ts
@@ -6,7 +6,7 @@ import type {
 StrategyVerifyCallbackReq,
 } from "openid-client";
 import { Strategy } from "openid-client";
-import { buildJWT } from "../service.js";
+import { buildUserJWT } from "../service.js";
 export const MICROSOFT_OPENID_CONFIG_URL = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";
@@ -70,7 +70,7 @@ const verifyCallback: StrategyVerifyCallbackReq = async (
 return done(new Error("Unable to authenticate without email"));
 }
- const jwt = await buildJWT(email);
+ const jwt = await buildUserJWT(email);
 if (!jwt) {
 return done({
 status: 404,