logout issues # 2

backend/igny8_core/auth/urls.py

@@ -48,6 +48,7 @@ class RegisterView(APIView):
     def post(self, request):
         from .utils import generate_access_token, generate_refresh_token, get_token_expiry
         from django.contrib.auth import login
+        from django.utils import timezone
         
         serializer = RegisterSerializer(data=request.data)
         if serializer.is_valid():
@@ -62,8 +63,8 @@ class RegisterView(APIView):
             # Generate JWT tokens
             access_token = generate_access_token(user, account)
             refresh_token = generate_refresh_token(user, account)
-            access_expires_at = get_token_expiry('access')
-            refresh_expires_at = get_token_expiry('refresh')
+            access_expires_at = timezone.now() + get_token_expiry('access')
+            refresh_expires_at = timezone.now() + get_token_expiry('refresh')
             
             user_serializer = UserSerializer(user)
             return success_response(
@@ -123,10 +124,11 @@ class LoginView(APIView):
                 
                 # Generate JWT tokens
                 from .utils import generate_access_token, generate_refresh_token, get_access_token_expiry, get_token_expiry
+                from django.utils import timezone
                 access_token = generate_access_token(user, account, remember_me=remember_me)
                 refresh_token = generate_refresh_token(user, account)
-                access_expires_at = get_access_token_expiry(remember_me=remember_me)
-                refresh_expires_at = get_token_expiry('refresh')
+                access_expires_at = timezone.now() + get_access_token_expiry(remember_me=remember_me)
+                refresh_expires_at = timezone.now() + get_token_expiry('refresh')
                 
                 # Serialize user data safely, handling missing account relationship
                 try:

backend/igny8_core/settings.py

@@ -97,8 +97,8 @@ CSRF_COOKIE_SECURE = USE_SECURE_COOKIES
 SESSION_COOKIE_NAME = 'igny8_sessionid'  # Custom name to avoid conflicts
 SESSION_COOKIE_HTTPONLY = True  # Prevent JavaScript access
 SESSION_COOKIE_SAMESITE = 'Strict'  # Prevent cross-site cookie sharing
-SESSION_COOKIE_AGE = 3600  # 1 hour default (increased if remember me checked)
-SESSION_SAVE_EVERY_REQUEST = False  # Don't update session on every request (reduces DB load)
+SESSION_COOKIE_AGE = 3600  # 1 hour - extends on every request due to SESSION_SAVE_EVERY_REQUEST
+SESSION_SAVE_EVERY_REQUEST = True  # CRITICAL: Update session on every request to prevent idle timeout
 SESSION_COOKIE_PATH = '/'  # Explicit path
 # Don't set SESSION_COOKIE_DOMAIN - let it default to current domain for strict isolation
 
@@ -521,8 +521,8 @@ CORS_EXPOSE_HEADERS = [
 JWT_SECRET_KEY = os.getenv('JWT_SECRET_KEY', SECRET_KEY)
 JWT_ALGORITHM = 'HS256'
 # Default: 1 hour for normal login, 20 days for remember me
-JWT_ACCESS_TOKEN_EXPIRY = timedelta(hours=1)  # Increased from 15 minutes
-JWT_ACCESS_TOKEN_EXPIRY_REMEMBER_ME = timedelta(days=20)  # For remember me users
+JWT_ACCESS_TOKEN_EXPIRY = timedelta(hours=1)  # Default: 1 hour
+JWT_ACCESS_TOKEN_EXPIRY_REMEMBER_ME = timedelta(days=30)  # Remember me: 30 days
 JWT_REFRESH_TOKEN_EXPIRY = timedelta(days=30)  # Extended to 30 days for persistent login
 
 # Celery Configuration