extendSessionOnUse not working as expected

[magnacartatron]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest version of Parse Server.

Issue Description

Issue with 'extendSessionOnUse'
I don't understand how this feature works.
So this is where the magic happens and the session gets extended.

 const lastUpdated = new Date((_session = session) === null || _session === void 0 ? void 0 : _session.updatedAt);
      const yesterday = new Date();
      yesterday.setDate(yesterday.getDate() - 1);
      if (lastUpdated > yesterday || !session) {
        return;
      }
      const expiresAt = config.generateSessionExpiresAt();
      await new _RestWrite.default(config, master(config), '_Session', {
        objectId: session.objectId
      }, {
        expiresAt: Parse._encode(expiresAt)
      }).execute();

But looking at this piece of code it takes lastUpdated and yesterday and if lastUpdated is greater than yesterday it returns.

So if I've doing 60 minute sessions, well this will never actually extend the session. So for this to work a session needs to be at least 24 hours.

This isn't documented anywhere and it's counterintuitive.

Am I missing something.

Steps to reproduce

Enable extendSessionOnUse.

Set session to 60 minutes.

Perform actions for authenticated user and look at session expiry. it doesn't update.

Now set session to 48 hours.

Perform actions and notice that session expiry does update.

Actual Outcome

I expect Session expiry to update for any session duration.

Expected Outcome

I expect Session expiry to update for any session duration.

Environment

NodeJS 21

Server

• Parse Server version: `6.4
• Operating system: Ubuntu 22
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): local

Database

• System (MongoDB or Postgres): `MongoDB
• Database version: 6.0
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): local

Client

• SDK (iOS, Android, JavaScript, PHP, Unity, etc): REST
• SDK version: REST

Logs

N/A

[parse-github-assistant]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

[mman]

Last time I tried to use this I came to the same conclusion (IIRC). I think not updating the session expiration on every use is actually a good design decision, as it would hit the Mongo with session object write with every authenticated read. But it may be wise to perhaps make this configurable or invent some better update magic.

For example, if the session expiration is set to N days, it would be wise to extend the use every day.

If the session expiration is set to N minutes, it may be wise to extend every minute.

if session expires in N hours (but less then a day), it may be wise to update every hour.

so hardcoding 24 hours probably makes sense for longer session expirations in days, and does not work at all for sessions with expirations in hours or minutes.

[mtrezza]

Please feel free to open a PR; likely a simple fix, just remove the yesterday var.

[vivekjoshi556]

This is still open to work on right. Can I work on this?

[mman]

@vivekjoshi556 Please do work on this, I will beta test for you. I have a good idea above how to fix it without incurring additional writes on Mongo, but I will not have a time to look at it in the near future!

[mtrezza]

@vivekjoshi556 Sure, please go ahead.