fix: expire initial jwt based on session creation time

staaldraad · staaldraad · commit e1baf44a2255 · 2026-03-27T18:02:03.000+01:00
diff --git a/internal/tokens/service.go b/internal/tokens/service.go
@@ -676,7 +676,7 @@ func (s *Service) GenerateAccessToken(r *http.Request, tx *storage.Connection, p
 		// if user has mfa enabled and the session has not yet been upgraded
 		// and Limit duration of AAL1 sessions is enabled
 		// expiresAt should be set to the maximum duration for low aal sessions
-		expiresAt = issuedAt.Add(*config.Sessions.AllowLowAAL)
+		expiresAt = session.CreatedAt.UTC().Add(*config.Sessions.AllowLowAAL)
 	} else {
 		expiresAt = issuedAt.Add(time.Second * time.Duration(config.JWT.Exp))
 	}
diff --git a/internal/tokens/service_test.go b/internal/tokens/service_test.go
@@ -1237,7 +1237,7 @@ func TestGenerateAccessTokenAllowLowAAL(t *testing.T) {
 			AuthenticationMethod: models.PasswordGrant,
 		})
 		require.NoError(t, err)
-		require.Equal(t, now.Add(allowLowAAL).Unix(), expiresAt)
+		require.Equal(t, session.CreatedAt.UTC().Add(allowLowAAL).Unix(), expiresAt)
 	})
 
 	t.Run("AAL2 session for MFA user uses standard JWT expiry", func(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -676,7 +676,7 @@ func (s Service) GenerateAccessToken(r http.Request, tx *storage.Connection, p`
`676`	`676`	`// if user has mfa enabled and the session has not yet been upgraded`
`677`	`677`	`// and Limit duration of AAL1 sessions is enabled`
`678`	`678`	`// expiresAt should be set to the maximum duration for low aal sessions`
`679`		`- expiresAt = issuedAt.Add(*config.Sessions.AllowLowAAL)`
	`679`	`+ expiresAt = session.CreatedAt.UTC().Add(*config.Sessions.AllowLowAAL)`
`680`	`680`	`} else {`
`681`	`681`	`expiresAt = issuedAt.Add(time.Second * time.Duration(config.JWT.Exp))`
`682`	`682`	`}`