Files
multica/server/internal/middleware/cloudfront.go
yushen 3f8a492290 fix(auth): make JWT and CloudFront cookie expiration configurable
Replace hardcoded 72-hour auth timeout with configurable JWT_EXPIRATION
env var (default: 30 days). This prevents users from being logged out
every 3 days. CloudFront cookie expiration is now synced with JWT
expiration automatically.

Closes MUL-151
2026-04-01 18:21:18 +08:00

29 lines
855 B
Go

package middleware
import (
"net/http"
"time"
"github.com/multica-ai/multica/server/internal/auth"
)
// RefreshCloudFrontCookies is middleware that refreshes CloudFront signed cookies
// on authenticated requests when the cookie is missing (expired or first request
// after login). This prevents 403s from the CDN when cookies expire before the
// user's session does.
func RefreshCloudFrontCookies(signer *auth.CloudFrontSigner) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
if signer == nil {
return next
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if _, err := r.Cookie("CloudFront-Policy"); err != nil {
for _, cookie := range signer.SignedCookies(time.Now().Add(auth.JWTExpiration())) {
http.SetCookie(w, cookie)
}
}
next.ServeHTTP(w, r)
})
}
}