fix: Actually Fix Token Time (#6215)

2026-02-26 09:43:19 -05:00 · 2025-09-21 19:51:19 -05:00
parent b27977fbdf
commit cec6d2c5ec
5 changed files with 48 additions and 25 deletions
--- a/mealie/core/security/providers/auth_provider.py
+++ b/mealie/core/security/providers/auth_provider.py
@@ -30,8 +30,8 @@ class AuthProvider[T](metaclass=abc.ABCMeta):
        settings = get_app_settings()

        duration = timedelta(hours=settings.TOKEN_TIME)
-        if remember_me and remember_me_duration > duration:
-            duration = remember_me_duration
+        if remember_me:
+            duration = max(remember_me_duration, duration)

        return AuthProvider.create_access_token({"sub": str(user.id)}, duration)

--- a/mealie/core/settings/settings.py
+++ b/mealie/core/settings/settings.py
@@ -123,6 +123,17 @@ class AppSettings(AppLoggingSettings):
    TOKEN_TIME: int = 48
    """time in hours"""

+    @field_validator("TOKEN_TIME")
+    @classmethod
+    def validate_token_time(cls, v: int) -> int:
+        if v < 1:
+            raise ValueError("TOKEN_TIME must be at least 1 hour")
+        # If TOKEN_TIME is unreasonably high (e.g. hundreds of years), JWT encoding
+        # can overflow, so we set the max to 10 years (87600 hours).
+        if v > 87600:
+            raise ValueError("TOKEN_TIME is too high; maximum is 87600 hours (10 years)")
+        return v
+
    SECRET: str
    SESSION_SECRET: str