Highlights
- Configurable JWT expiration — session TTL is now configurable via the `JWT_EXPIRES_IN` env var (authoritative ceiling) or Admin → Settings → Security. Default is 30 days (previously 24 hours). Resolves issue #800.
- Working `/auth/refresh` endpoint — accepts valid or recently expired tokens within a configurable grace window (`JWT_REFRESH_GRACE_SECONDS`, default 7 days), re-verifies the HS256 signature via Web Crypto, re-validates the user against the database, and issues a fresh token. Users are no longer forced to re-login daily.
- Admin Session / JWT card — new live card under Admin → Settings → Security for adjusting the JWT TTL and refresh grace without editing env vars.
- Documentation updates — `docs/authentication.md`, the OTP plugin README, and the doc site authentication page now describe the configuration surface and refresh semantics.
Breaking Changes
- The default JWT/auth cookie lifetime changed from 24 hours → 30 days. If you were relying on the 24-hour default for session expiry, set `JWT_EXPIRES_IN=24h` (or any value you prefer) to preserve the previous behavior.
Installation
```sh
npm create sonicjs@latest my-app
```

Or update an existing project:

```sh
npm install @sonicjs-cms/core@2.17.0
```

Full changelog: v2.16.1...v2.17.0