fix: default to 1 day for session freshness

2025-12-07 20:37:44 +00:00 · 2024-12-23 15:43:36 +03:00
parent a9b7c74c61
commit 59c1e5a48a
5 changed files with 38 additions and 3 deletions
--- a/demo/nextjs/components/sign-in.tsx
+++ b/demo/nextjs/components/sign-in.tsx
@@ -272,9 +272,12 @@ export default function SignIn() {
 						onClick={async () => {
 							await signIn.passkey({
 								fetchOptions: {
-									onResponse(context) {
+									onSuccess(context) {
 										router.push("/dashboard");
 									},
+									onError(context) {
+										toast.error(context.error.message);
+									},
 								},
 							});
 						}}
--- a/demo/nextjs/lib/auth.ts
+++ b/demo/nextjs/lib/auth.ts
@@ -43,6 +43,9 @@ export const auth = betterAuth({
 		dialect,
 		type: "sqlite",
 	},
+	session: {
+		freshAge: 0,
+	},
 	emailVerification: {
 		async sendVerificationEmail({ user, url }) {
 			const res = await resend.emails.send({
--- a/docs/content/docs/concepts/session-management.mdx
+++ b/docs/content/docs/concepts/session-management.mdx
@@ -33,6 +33,35 @@ export const auth = betterAuth({
 })
 ```

+## Session Freshness
+
+Some endpoints in Better Auth require the session to be **fresh**. A session is considered fresh if its `createdAt` is within the `freshAge` limit. By default, the `freshAge` is set to **1 day** (60 * 60 * 24).  
+
+You can customize the `freshAge` value by passing a `session` object in the `auth` configuration:  
+
+```ts title="auth.ts"
+import { betterAuth } from "better-auth"
+
+export const auth = betterAuth({
+    //... other config options
+    session: {
+        freshAge: 60 * 5 // 5 minutes (the session is fresh if created within the last 5 minutes)
+    }
+})
+```
+
+To **disable the freshness check**, set `freshAge` to `0`:  
+
+```ts title="auth.ts"
+import { betterAuth } from "better-auth"
+
+export const auth = betterAuth({
+    //... other config options
+    session: {
+        freshAge: 0 // Disable freshness check
+    }
+})
+```
 ## Session Management

 Better Auth provides a set of functions to manage sessions.
--- a/docs/content/docs/concepts/users-accounts.mdx
+++ b/docs/content/docs/concepts/users-accounts.mdx
@@ -184,7 +184,7 @@ await authClient.deleteUser({
 The user must have a `fresh` session token, meaning the user must have signed in recently. This is checked if the password is not provided.

 <Callout type="warn">
-If `session.freshAge` is set to `0`, this requirement is effectively bypassed.
+By default `session.freshAge` is set to `60 * 60 * 24` (1 day). You can change this value by passing the `session` object to the `auth` configuration. If it is set to `0`, the freshness check is disabled.
 </Callout>

 ```ts title="delete-user.ts"
--- a/packages/better-auth/src/init.ts
+++ b/packages/better-auth/src/init.ts
@@ -102,7 +102,7 @@ export const init = async (options: BetterAuthOptions) => {
 			expiresIn: options.session?.expiresIn || 60 * 60 * 24 * 7, // 7 days
 			freshAge:
 				options.session?.freshAge === undefined
-					? 5 * 60
+					? 60 * 60 * 24 // 24 hours
 					: options.session.freshAge,
 		},
 		secret,