@rolodato rolodato commented Aug 14, 2025

This PR makes it so that JWTs are created with an exp claim of 5 minutes into the future. JWTs are only used to obtain the session, and should be short-lived.

On https://embedding-demo.metabase.com/, the iframe gets generated with a token like the following (truncated):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MTAwMDAwMCwiZmlyc3RfbmFtZSI6Ik1hcnkiLCJsYXN0X25hbWUiOiJTbWl0aCIsImVtYWlsIjoibWFyeS5zbWl0aEBtZXRhYmFzZS5jb20iLCJvY2N1cGF0aW9uIjoidGVhY2hlciIsImF2YXRhciI6Ii9pbWFnZXMvbWFyeS1zbWl0aC5wbmciLCJncm91cHMiOlsiUHJvZmVzc29ycyJdLCJwcm9mZXNzb3JfaWQiOjEsImV4cGlyZXNJbiI6IjIgZGF5cyIsImlhdCI6MTc1NTIwMjU2MX0.1t

This decodes to:

{
  "id": 1000000,
  "first_name": "Mary",
  "last_name": "Smith",
  "email": "mary.smith@metabase.com",
  "occupation": "teacher",
  "avatar": "/images/mary-smith.png",
  "groups": [
    "Professors"
  ],
  "professor_id": 1,
  "expiresIn": "2 days",
  "iat": 1755202561
}

The expiresIn claim has no meaning to Metabase or to the JWT spec. Because there is no exp claim in this token, Metabase will consider it as never expiring, and it can be re-used forever to obtain a new session until the JWT secret is rotated.

@rolodato rolodato requested a review from losrebellos August 14, 2025 20:28