From b23d879760bac2920a480aef36a4e178d06ebf43 Mon Sep 17 00:00:00 2001
From: anovazzi1
Date: Fri, 8 Mar 2024 13:01:14 -0300
Subject: [PATCH] Add expiration time for access and refresh token cookies

---
 src/backend/langflow/api/v1/login.py | 5 +++++
 src/backend/langflow/services/settings/auth.py | 7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/backend/langflow/api/v1/login.py b/src/backend/langflow/api/v1/login.py
index 2055c18c2..da5150ea5 100644
--- a/src/backend/langflow/api/v1/login.py
+++ b/src/backend/langflow/api/v1/login.py
@@ -40,6 +40,7 @@ async def login_to_get_access_token(
 httponly=auth_settings.REFRESH_HTTPONLY,
 samesite=auth_settings.REFRESH_SAME_SITE,
 secure=auth_settings.REFRESH_SECURE,
+ expires=auth_settings.EXPIRES_REFRESH,
 )
 response.set_cookie(
 "access_token_lf",
@@ -47,6 +48,7 @@ async def login_to_get_access_token(
 httponly=auth_settings.ACCESS_HTTPONLY,
 samesite=auth_settings.ACCESS_SAME_SITE,
 secure=auth_settings.ACCESS_SECURE,
+ expires=auth_settings.EXPIRES_ACCESS,
 )
 return tokens
 else:
@@ -72,6 +74,7 @@ async def auto_login(
 httponly=auth_settings.ACCESS_HTTPONLY,
 samesite=auth_settings.ACCESS_SAME_SITE,
 secure=auth_settings.ACCESS_SECURE,
+ expires=auth_settings.EXPIRES_ACCESS,
 )
 return tokens
 
@@ -98,6 +101,7 @@ async def refresh_token(request: Request, response: Response, settings_service=D
 httponly=auth_settings.REFRESH_TOKEN_HTTPONLY,
 samesite=auth_settings.REFRESH_SAME_SITE,
 secure=auth_settings.REFRESH_SECURE,
+ expires=auth_settings.EXPIRES_REFRESH,
 )
 response.set_cookie(
 "access_token_lf",
@@ -105,6 +109,7 @@ async def refresh_token(request: Request, response: Response, settings_service=D
 httponly=auth_settings.ACCESS_HTTPONLY,
 samesite=auth_settings.ACCESS_SAME_SITE,
 secure=auth_settings.ACCESS_SECURE,
+ expires=auth_settings.EXPIRES_ACCESS,
 )
 return tokens
 else:
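Review bot: The new `expires=` keyword in each `set_cookie` call (all five hunks of login.py) passes a plain integer which, assuming `Response` here is Starlette's/FastAPI's, is handed to `http.cookies` and rendered as an absolute Expires date computed from the server clock, so a client with a skewed clock sees the cookie lapse early or late. `max_age` is the relative form, takes precedence over Expires in browsers and has no clock dependency, so I would pass `max_age=auth_settings.EXPIRES_ACCESS,` (and `max_age=auth_settings.EXPIRES_REFRESH,` for the refresh cookie) instead of, or alongside, `expires`. Note also that these were session cookies before and are now persisted by the browser for the configured lifetime, so the two values should be kept in step with the JWT lifetimes the tokens themselves carry, which these hunks do not show. The enclosing functions `login_to_get_access_token`, `auto_login` and `refresh_token` all start outside the hunks.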
diff --git a/src/backend/langflow/services/settings/auth.py b/src/backend/langflow/services/settings/auth.py
index 8463d0781..34576b0a1 100644
--- a/src/backend/langflow/services/settings/auth.py
+++ b/src/backend/langflow/services/settings/auth.py
@@ -1,3 +1,4 @@
+import datetime
 import secrets
 from pathlib import Path
 from typing import Optional
@@ -36,7 +37,11 @@ class AuthSettings(BaseSettings):
 NEW_USER_IS_ACTIVE: bool = False
 SUPERUSER: str = DEFAULT_SUPERUSER
 SUPERUSER_PASSWORD: str = DEFAULT_SUPERUSER_PASSWORD
-
+
+ EXPIRES_ACCESS:datetime = 60*60
+ """The expiration time of the access token cookie."""
+ EXPIRES_REFRESH:datetime = 60*60*12
+ """The expiration time of the refresh token cookie."""
 REFRESH_SAME_SITE: str = "none"
 """The SameSite attribute of the refresh token cookie."""
 REFRESH_SECURE: bool = True
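Review bot: In the second hunk the annotation on `EXPIRES_ACCESS` and `EXPIRES_REFRESH` names the `datetime` module imported in the first hunk rather than a type, while the defaults are integer seconds; a pydantic `BaseSettings` field annotated with a module is unlikely to validate, and an environment override of either value could not be coerced to anything meaningful. The annotation should match what is actually passed to `set_cookie`, i.e. `EXPIRES_ACCESS: int = 60 * 60` and `EXPIRES_REFRESH: int = 60 * 60 * 12`, after which the added `import datetime` is unused and can be dropped. The docstrings should also state the unit, e.g. `"""Lifetime of the access token cookie, in seconds."""`, since the name alone does not distinguish seconds from minutes. `AuthSettings` starts outside the hunk.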