Skip to content

feat(auth): add configurable MaxAge to auth cookies#9

Open
jld-adriano wants to merge 3 commits intomasterfrom
devin/1769048207-fix-cookie-expiration
Open

feat(auth): add configurable MaxAge to auth cookies#9
jld-adriano wants to merge 3 commits intomasterfrom
devin/1769048207-fix-cookie-expiration

Conversation

@jld-adriano
Copy link
Copy Markdown

@jld-adriano jld-adriano commented Jan 22, 2026

Tracking issue

Related to frequent re-authentication issues reported by users (flyte/grafana.heph sessions expiring quickly)

Why are the changes needed?

Users were experiencing frequent re-authentication prompts because auth cookies were created without MaxAge or Expires attributes. This made them session cookies that browsers could clear at any time (e.g., when closing the browser, or based on browser-specific session management policies).

By adding a configurable MaxAge to cookies, sessions can persist for a specified duration (e.g., matching the token lifespan of 168h), significantly reducing login frequency.

What changes were proposed in this pull request?

  1. Added MaxAge field (type config.Duration) to CookieSettings struct
  2. Added maxAge field to CookieManager struct to store the configured value
  3. Updated NewSecureCookie function to accept a maxAge time.Duration parameter
  4. When maxAge > 0, the cookie's MaxAge attribute is set accordingly
  5. Updated all NewSecureCookie call sites to pass the configured maxAge
  6. Updated tests to pass 0 for maxAge (backward compatible - session cookie behavior)

Important for reviewers: This PR only adds the capability. To enable persistent cookies, the helm values need to be updated separately to set cookieSettings.maxAge (e.g., 168h to match token lifespan).

How was this patch tested?

  • Existing unit tests updated and passing (TestSecureCookieLifecycle, TestGetHTTPRequestCookieToMetadataHandler)
  • Ran go test -v -run "TestSecureCookieLifecycle|TestGetHTTPRequestCookieToMetadataHandler" ./... in flyteadmin/auth

Labels

  • added: New maxAge configuration option for auth cookies

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Human Review Checklist

  • Verify config.Duration is the appropriate type for MaxAge field
  • Confirm the maxAge > 0 condition handles edge cases correctly
  • Check if any other cookie creation paths were missed
  • Track helm values update as a follow-up task

Link to Devin run: https://app.devin.ai/sessions/6bf80d9947cd470cba4919b461a7176f
Requested by: carlos

@jld-adriano @devin-ai-integration
feat(auth): add configurable MaxAge to auth cookies
d85429e 
Add MaxAge field to CookieSettings config to allow cookies to persist
across browser sessions. Previously, cookies were created without
MaxAge/Expires attributes, making them session cookies that browsers
could clear at any time.

This change:
- Adds MaxAge field to CookieSettings struct (config.Duration type)
- Updates CookieManager to store and use maxAge
- Updates NewSecureCookie to accept maxAge parameter and set it on cookies
- Updates all cookie creation calls to pass maxAge

When maxAge is set (e.g., to match token lifespan like 168h), cookies
will persist for that duration, reducing the frequency of re-authentication.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@devin-ai-integration
Copy link
Copy Markdown

devin-ai-integration Bot commented Jan 22, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

jld-adriano and others added 2 commits January 22, 2026 02:33
@jld-adriano @devin-ai-integration
chore: update generated config flags for MaxAge field
c9073ab 
Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@jld-adriano @devin-ai-integration
fix: match generated config_flags.go whitespace
a97ff0f 
Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jld-adriano jld-adriano

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jld-adriano