From cc21016e6d60488c31162c2e399dd929fdb25c0e Mon Sep 17 00:00:00 2001 From: Pranav Date: Tue, 16 Sep 2025 00:11:05 -0700 Subject: [PATCH] feat: Add support for customizing expiry of widget token (#12446) This PR is part of https://github.com/chatwoot/chatwoot/pull/12259. It adds a default expiry of 180 days for tokens issued on the widget. The expiry can be customized based on customer requests and internal security requirements. Co-authored-by: Balasaheb Dubale --- app/services/widget/token_service.rb | 22 +++++++++- config/installation_config.yml | 8 ++++ .../widget/token_service_expiry_spec.rb | 42 +++++++++++++++++++ 3 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 spec/services/widget/token_service_expiry_spec.rb diff --git a/app/services/widget/token_service.rb b/app/services/widget/token_service.rb index 5fb719e7b..4eebaab9e 100644 --- a/app/services/widget/token_service.rb +++ b/app/services/widget/token_service.rb @@ -1,8 +1,10 @@ class Widget::TokenService + DEFAULT_EXPIRY_DAYS = 180 + pattr_initialize [:payload, :token] def generate_token - JWT.encode payload, secret_key, 'HS256' + JWT.encode payload_with_expiry, secret_key, 'HS256' end def decode_token @@ -15,6 +17,24 @@ class Widget::TokenService private + def payload_with_expiry + payload.merge(exp: exp, iat: iat) + end + + def iat + Time.zone.now.to_i + end + + def exp + iat + expire_in.days.to_i + end + + def expire_in + # Value is stored in days, defaulting to 6 months (180 days) + token_expiry_value = InstallationConfig.find_by(name: 'WIDGET_TOKEN_EXPIRY')&.value + (token_expiry_value.presence || DEFAULT_EXPIRY_DAYS).to_i + end + def secret_key Rails.application.secret_key_base end diff --git a/config/installation_config.yml b/config/installation_config.yml index caba80533..db907b7ad 100644 --- a/config/installation_config.yml +++ b/config/installation_config.yml @@ -439,3 +439,11 @@ locked: false description: 'Zone ID for the Cloudflare domain' ## ------ End of Configs added for Cloudflare ------ ## + +## ------ Customizations for Customers ------ ## +- name: WIDGET_TOKEN_EXPIRY + display_title: 'Widget Token Expiry' + value: 180 + locked: false + description: 'Token expiry in days' +## ------ End of Customizations for Customers ------ ## diff --git a/spec/services/widget/token_service_expiry_spec.rb b/spec/services/widget/token_service_expiry_spec.rb new file mode 100644 index 000000000..051a757a5 --- /dev/null +++ b/spec/services/widget/token_service_expiry_spec.rb @@ -0,0 +1,42 @@ +require 'rails_helper' + +RSpec.describe Widget::TokenService, type: :service do + describe 'token expiry configuration' do + let(:service) { described_class.new(payload: {}) } + + before do + # Clear any existing configs to ensure test isolation + InstallationConfig.where(name: 'WIDGET_TOKEN_EXPIRY').destroy_all + end + + context 'with valid configuration' do + before do + create(:installation_config, name: 'WIDGET_TOKEN_EXPIRY', value: '30') + end + + it 'uses the configured value for token expiry' do + freeze_time do + token = service.generate_token + decoded = JWT.decode(token, Rails.application.secret_key_base, true, algorithm: 'HS256').first + expect(decoded['iat']).to eq(Time.now.to_i) + expect(decoded['exp']).to eq(30.days.from_now.to_i) + end + end + end + + context 'with empty configuration' do + before do + create(:installation_config, name: 'WIDGET_TOKEN_EXPIRY', value: '') + end + + it 'uses the default expiry' do + freeze_time do + token = service.generate_token + decoded = JWT.decode(token, Rails.application.secret_key_base, true, algorithm: 'HS256').first + expect(decoded['iat']).to eq(Time.now.to_i) + expect(decoded['exp']).to eq(180.days.from_now.to_i) + end + end + end + end +end