Replace IDP token passthrough with backend-issued JWT for iOS auth

iOS clients now exchange the OIDC authorization code for a backend-signed
HS256 JWT via POST /auth/token. All subsequent API requests authenticate
using this JWT as a Bearer token, verified locally — no per-request IDP
call is needed. Web frontend session-cookie auth is unchanged.
2026-02-19 18:45:03 +01:00
parent 1ca76b0fec
commit 946cd35832
10 changed files with 662 additions and 85 deletions

@@ -25,6 +25,13 @@ export const config = {
maxAge: 24 * 60 * 60 * 1000, // 24 hours
},
jwt: {
// Dedicated secret for backend-issued JWTs. Falls back to SESSION_SECRET so
// existing single-secret deployments work without any config change.
secret: process.env.JWT_SECRET || process.env.SESSION_SECRET || "default-secret-change-in-production",
expiresIn: 30 * 24 * 60 * 60, // 30 days in seconds
},
cors: {
origin: process.env.APP_URL || "http://localhost:5173",
credentials: true,
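Review bot: the fallback chain in `secret: process.env.JWT_SECRET || process.env.SESSION_SECRET || "default-secret-change-in-production"` means that when neither variable is set, the HS256 signing key for backend-issued tokens is a string anyone can read in this repository, and since the commit message says these JWTs are verified locally with no IDP call, a token signed with that string would be accepted by every API endpoint. Suggest dropping the literal default and failing at startup when no secret is configured, e.g. `if (!process.env.JWT_SECRET && !process.env.SESSION_SECRET) throw new Error("JWT_SECRET must be set")`, rather than relying on the comment to prompt operators. Two smaller points on the same hunk: falling back to SESSION_SECRET reuses the cookie-session key for JWT signing, so the new comment should at least state that the two mechanisms then share one key; and `expiresIn: 30 * 24 * 60 * 60` gives every token a 30-day lifetime while nothing here or in the commit message describes revocation, which deserves a comment or a shorter default.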