
Increase oauth state cookie lifetime #1894

Open
dokterbob opened this issue Feb 14, 2025 · 0 comments
Labels: auth (Pertaining to authentication.), enhancement (New feature or request), needs-triage

Comments

@dokterbob
Collaborator

Is your feature request related to a problem? Please describe.
During OAuth logins, Chainlit sets a state cookie in the browser, which is used to prevent attackers from logging in on behalf of other users by stealing the URL users are being redirected to after OAuth provider login.

The lifetime of this cookie is currently hardcoded to 3 minutes.

When using email to login, this is often not enough, severely degrading user experience.

Describe the solution you'd like
Make the state cookie lifetime configurable.

Describe alternatives you've considered

  1. Setting it to default session lifetime: unnecessarily decreases security.
  2. Increase the default: same.

Additional context
Users experiencing this will see a rather unfriendly 'Unauthorized' JSON, the UX of which deserves a separate issue.


Possibly related:

@dosubot dosubot bot added auth Pertaining to authentication. enhancement New feature or request labels Feb 14, 2025
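The mechanism the issue describes, as an added example (this is not Chainlit's code and does not reproduce its implementation): the server mints a random `state`, puts it in the provider's authorize URL, and stores the same value in an HttpOnly cookie whose payload is HMAC-signed together with an expiry. On the callback, the `state` echoed back by the provider must match the cookie, the signature must verify, and the expiry must not have passed. All function names, the `DEFAULT_STATE_LIFETIME` constant (set to the 3 minutes the issue mentions), the `oauth_state` cookie name and the constructed timings in `simulate_login` are assumptions for illustration; the example shows why a 4-minute email login fails under the default and passes under a longer, configurable lifetime, while a forged state or a cookie with its expiry extended still fails.

```python
"""Signed, expiring OAuth state cookie with a configurable lifetime (added example)."""
import base64
import hashlib
import hmac
import json
import secrets

# Assumed default: the issue says the current value is hardcoded to 3 minutes.
DEFAULT_STATE_LIFETIME = 180


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_state(secret: bytes, now: int, lifetime: int = DEFAULT_STATE_LIFETIME):
    """Mint a fresh random state and the cookie value that binds it to this browser.

    `state` goes into the provider's authorize URL; the cookie value is stored
    HttpOnly so only the browser that started the login can present it later.
    """
    state = secrets.token_urlsafe(32)
    payload = json.dumps({"state": state, "exp": now + lifetime},
                         separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return state, f"{_b64e(payload)}.{_b64e(sig)}"


def state_cookie_header(value: str, lifetime: int = DEFAULT_STATE_LIFETIME) -> str:
    """Set-Cookie attributes for the state cookie (cookie name is an assumption).

    SameSite=Lax rather than Strict: the callback is a top-level GET navigation
    arriving from the provider's origin, and Strict withholds the cookie on
    exactly that request, which would make every login fail.
    """
    return (f"oauth_state={value}; Max-Age={lifetime}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def verify_state(secret: bytes, cookie_value, returned_state, now: int):
    """Check the state echoed back by the provider against the cookie.

    Returns (ok, reason). Any failure is what the user sees as 'Unauthorized'.
    """
    if not cookie_value or "." not in cookie_value:
        return False, "missing or malformed state cookie"
    payload_b64, sig_b64 = cookie_value.split(".", 1)
    try:
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "missing or malformed state cookie"
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad cookie signature"   # payload was tampered with
    data = json.loads(payload)
    if now > data["exp"]:
        return False, "state expired"          # a slow email login lands here
    if not hmac.compare_digest(data["state"], returned_state or ""):
        return False, "state mismatch"         # callback URL from someone else's login
    return True, "ok"


def simulate_login(secret: bytes, started_at: int, callback_at: int,
                   lifetime: int = DEFAULT_STATE_LIFETIME, mode: str = "normal"):
    """Constructed scenario: login starts at `started_at`, callback at `callback_at`.

    mode="attacker_state": the callback carries a state minted for another login.
    mode="extended_exp":   the cookie payload is rewritten with a later expiry
                           but keeps the original signature.
    """
    state, cookie = issue_state(secret, started_at, lifetime)
    returned = state
    if mode == "attacker_state":
        returned = secrets.token_urlsafe(32)
    elif mode == "extended_exp":
        payload_b64, sig_b64 = cookie.split(".", 1)
        data = json.loads(_b64d(payload_b64))
        data["exp"] += 100_000
        forged = json.dumps(data, separators=(",", ":")).encode()
        cookie = f"{_b64e(forged)}.{sig_b64}"
    return verify_state(secret, cookie, returned, callback_at)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("fast login, default lifetime:", simulate_login(key, 0, 60))
    print("4-minute login, default lifetime:", simulate_login(key, 0, 240))
    print("4-minute login, 15-minute lifetime:", simulate_login(key, 0, 240, lifetime=900))
    print("forged state:", simulate_login(key, 0, 60, mode="attacker_state"))
    print("extended expiry:", simulate_login(key, 0, 240, mode="extended_exp"))
```

The trade-off the issue raises is visible in `verify_state`: the lifetime only bounds how long a captured callback URL stays usable, and only for the browser that holds the matching cookie, so raising it to a value that covers email-delivery latency is a much smaller loss than equating it with the session lifetime. Also set the cookie's `Max-Age` to the same value, so the browser and server expire the state together.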