fix(oauth): unset expiresAt on access token during code exchange

Auth codes are created with expiresAt = now + 10min. The updateOne that
sets the access token on code exchange was missing $unset: { expiresAt: "" },
so the 10-min TTL survived onto the access token. Token middleware rejects
any token where expiresAt < now, causing Phanpy and all Mastodon clients
to be forced to re-login every 10 minutes.

The refresh_token rotation path already had this $unset correctly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
svemagie
2026-04-25 20:49:30 +02:00
parent 2d67c640d7
commit ba4bb53f0d
+1
@@ -610,6 +610,7 @@ router.post("/oauth/token", async (req, res, next) => {
refreshToken,
refreshExpiresAt: new Date(Date.now() + REFRESH_TOKEN_TTL),
},
$unset: { expiresAt: "" },
},
);
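Review bot: the `$unset: { expiresAt: "" }` at the end of this update leaves the issued access token with no expiry field of its own, so in the visible lines only `refreshExpiresAt` bounds the record's lifetime. If non-expiring access tokens are the intent, say so in a comment beside the `$unset`, because the same field serves as the auth-code TTL and as the value the token middleware checks; if they are not, set an explicit access-token expiry in the `$set` instead of only removing the inherited one. The commit message notes that the refresh_token rotation path already carries this `$unset`, so building both updates from one shared helper would keep the two paths from drifting apart again. The change is a single added line with no test; a regression test that exchanges a code and asserts the stored document has no `expiresAt` would catch a recurrence.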