@snehar-nd snehar-nd commented Nov 12, 2025

📋 Description

JIRA ID: AMM-1931

✅ Type of Change

  • 🐞 Bug fix (non-breaking change which resolves an issue)

ℹ️ Additional Information

Before, the expiry time was set to 1 day
jwt.access.expiration=86400000
cookie.setMaxAge(60 * 60 * 24); // 1 day expiration

Changes made:
Expiry time has been set to 8 hours.
#Jwt Token configuration
jwt.access.expiration=28800000
cookie.setMaxAge(60 * 60 * 8); // 8 hours expiration

Summary by CodeRabbit

  • Chores
    • Reduced JWT session token expiration times from 24 hours to 8 hours.

coderabbitai bot commented Nov 12, 2025

Walkthrough

JWT token expiration times are reduced from 24 hours to 8 hours across two configuration locations: the cookie Max-Age in CookieUtil.java and the access token lifetime in application.properties.

Changes

| Cohort / File(s) | Summary |
|---|---|
| JWT Token Expiration Configuration: src/main/java/com/iemr/common/utils/CookieUtil.java, src/main/resources/application.properties | JWT cookie Max-Age reduced from 86,400s (24h) to 28,800s (8h); JWT access token expiration property reduced from 86,400,000ms (24h) to 28,800,000ms (8h) |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • Simple numerical configuration changes with consistent pattern across two files
  • No logic modifications or complex interactions to evaluate
  • Consider verifying impact on user session behavior and system assumptions about token lifetime

Suggested reviewers

  • drtechie

Poem

🐰 Eight hours sweet, not twenty-four,
Tokens now refresh with more,
Security's dance, a shorter beat,
Fresh auth keeps hackers off their feet! 🔐

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: reducing JWT token expiry timing from 1 day to 8 hours, with JIRA reference for traceability. |
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cca9524 and 19239f8.

📒 Files selected for processing (2)
  • src/main/java/com/iemr/common/utils/CookieUtil.java (1 hunks)
  • src/main/resources/application.properties (1 hunks)
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: sandipkarmakar3
Repo: PSMRI/Common-API PR: 162
File: src/main/java/com/iemr/common/utils/CookieUtil.java:40-47
Timestamp: 2025-02-21T07:42:36.497Z
Learning: In the Common-API project's CookieUtil class, JWT cookies are configured with SameSite=None to support cross-origin requests, which is required for the project's CORS functionality.
Learnt from: sandipkarmakar3
Repo: PSMRI/Common-API PR: 162
File: src/main/java/com/iemr/common/utils/CookieUtil.java:52-66
Timestamp: 2025-02-21T07:43:03.828Z
Learning: In the Common-API project's CookieUtil class, the current implementation of addJwtTokenToCookie using both response.addCookie() and manual Set-Cookie header has been tested and confirmed to work as required for their use case. URL encoding of the JWT token is not necessary.
📚 Learning: 2025-02-03T12:41:59.244Z
Learnt from: indraniBan
Repo: PSMRI/Common-API PR: 138
File: src/main/environment/common_uat.properties:0-0
Timestamp: 2025-02-03T12:41:59.244Z
Learning: In the Common-API project, JWT secret configuration should use environment variables (e.g., `jwt.secret=env.JWT_SECRET_KEY@`) across all environments for better security.

Applied to files:

  • src/main/resources/application.properties
📚 Learning: 2025-02-21T07:43:03.828Z
Learnt from: sandipkarmakar3
Repo: PSMRI/Common-API PR: 162
File: src/main/java/com/iemr/common/utils/CookieUtil.java:52-66
Timestamp: 2025-02-21T07:43:03.828Z
Learning: In the Common-API project's CookieUtil class, the current implementation of addJwtTokenToCookie using both response.addCookie() and manual Set-Cookie header has been tested and confirmed to work as required for their use case. URL encoding of the JWT token is not necessary.

Applied to files:

  • src/main/java/com/iemr/common/utils/CookieUtil.java
📚 Learning: 2025-02-21T07:42:36.497Z
Learnt from: sandipkarmakar3
Repo: PSMRI/Common-API PR: 162
File: src/main/java/com/iemr/common/utils/CookieUtil.java:40-47
Timestamp: 2025-02-21T07:42:36.497Z
Learning: In the Common-API project's CookieUtil class, JWT cookies are configured with SameSite=None to support cross-origin requests, which is required for the project's CORS functionality.

Applied to files:

  • src/main/java/com/iemr/common/utils/CookieUtil.java
🔇 Additional comments (2)
src/main/java/com/iemr/common/utils/CookieUtil.java (1)

38-39: Cookie expiration correctly reduced to 8 hours.

The change from 60 * 60 * 24 (1 day) to 60 * 60 * 8 (8 hours) correctly implements the reduced expiration time. The value of 28,800 seconds aligns perfectly with the JWT access token expiration of 28,800,000 milliseconds configured in application.properties.

The comment has been appropriately updated, and the manual Set-Cookie header construction at line 55 will correctly reflect this updated max-age value.

src/main/resources/application.properties (1)

173-173: JWT access token expiration correctly updated to 8 hours.

The change from 86400000ms (24 hours) to 28800000ms (8 hours) is mathematically correct and no other hardcoded references to the old 24-hour expiration time exist in the codebase.

The session expiry time (iemr.session.expiry.time=7200, 2 hours) is intentionally shorter than the JWT expiration. With iemr.extend.expiry.time=true enabled, sessions extend on activity while JWT enforces a hard 8-hour limit—a standard security pattern.



@snehar-nd
Author

@coderabbitai
Please Review PR

coderabbitai bot commented Nov 12, 2025

@snehar-nd, I'll review the changes in this PR right away. This appears to be a security configuration update to reduce JWT token expiry from 1 day to 8 hours.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@snehar-nd snehar-nd merged commit 8f4efa0 into release-3.6.1 Nov 12, 2025
4 checks passed
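
The review in this thread rests on two properties of the changed settings: the cookie Max-Age (seconds) and jwt.access.expiration (milliseconds) must describe the same duration, and the 2-hour sliding session sits inside a hard 8-hour JWT limit. The Java program below is an added example, not code from Common-API; the class and method names are hypothetical, the timestamps are constructed, and it assumes a request is rejected as soon as either limit has passed.

```java
import java.time.Duration;
import java.time.Instant;

// Added example; not part of PSMRI/Common-API. Class and method names are hypothetical.
public class TokenLifetimeCheck {
    // Values quoted in this PR.
    static final long JWT_ACCESS_EXPIRATION_MS = 28_800_000L; // jwt.access.expiration
    static final int COOKIE_MAX_AGE_S = 60 * 60 * 8;          // cookie.setMaxAge(...)
    static final long SESSION_EXPIRY_S = 7_200L;              // iemr.session.expiry.time

    // Cookie Max-Age is in seconds, the JWT lifetime in milliseconds:
    // compare them as Durations so a unit mix-up cannot pass unnoticed.
    static boolean lifetimesAligned(long jwtMillis, int cookieSeconds) {
        return Duration.ofMillis(jwtMillis).equals(Duration.ofSeconds(cookieSeconds));
    }

    // Assumption: a request is accepted only while BOTH the absolute JWT
    // lifetime (from issuance) and the sliding idle window (from last
    // activity) are unexpired.
    static boolean accepted(Instant issuedAt, Instant lastActivity, Instant now) {
        boolean jwtValid = now.isBefore(issuedAt.plusMillis(JWT_ACCESS_EXPIRATION_MS));
        boolean sessionValid = now.isBefore(lastActivity.plusSeconds(SESSION_EXPIRY_S));
        return jwtValid && sessionValid;
    }

    public static void main(String[] args) {
        if (!lifetimesAligned(JWT_ACCESS_EXPIRATION_MS, COOKIE_MAX_AGE_S)) {
            throw new IllegalStateException("cookie Max-Age and JWT expiry differ");
        }
        // Changing only one of the two files leaves the cookie outliving the token.
        System.out.println("old 24h cookie vs new 8h JWT aligned: "
                + lifetimesAligned(JWT_ACCESS_EXPIRATION_MS, 60 * 60 * 24));

        Instant login = Instant.parse("2025-11-12T08:00:00Z"); // constructed timestamp
        Instant[][] cases = { // each row: {lastActivity, now}
            {login.plus(Duration.ofHours(3)), login.plus(Duration.ofHours(4))},        // active user
            {login, login.plus(Duration.ofHours(3))},                                  // idle for 3 h
            {login.plus(Duration.ofMinutes(475)), login.plus(Duration.ofMinutes(485))} // active past 8 h
        };
        for (Instant[] c : cases) {
            System.out.println("lastActivity=" + c[0] + " now=" + c[1]
                    + " accepted=" + accepted(login, c[0], c[1]));
        }
    }
}
```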