fix(auth): correct oneTimeToken expiresIn unit (minutes, not seconds)

waleedlatif1 · waleedlatif1 · commit 5a8b8ab1d87c · 2026-05-28T09:13:09.000-07:00
Better-auth's oneTimeToken expiresIn is in minutes (multiplied by 60_000ms
internally). Sim's existing 24*60*60 evaluated to ~60 days of token
lifetime instead of the intended 24 hours. Tokens are one-time-use and
typically consumed within seconds of generation (Socket.IO handshake),
so this tightens an unused security window without affecting UX.
diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts
@@ -880,7 +880,7 @@ export const auth = betterAuth({
       } as Record<string, unknown>,
     }),
     oneTimeToken({
-      expiresIn: 24 * 60 * 60, // 24 hours - Socket.IO handles connection persistence with heartbeats
+      expiresIn: 24 * 60, // 24 hours in minutes (better-auth's expiresIn unit)
     }),
     customSession(async ({ user, session }) => ({
       user,
diff --git a/packages/auth/src/verify.ts b/packages/auth/src/verify.ts
@@ -27,7 +27,7 @@ export function createVerifyAuth(options: VerifyAuthOptions) {
     }),
     plugins: [
       oneTimeToken({
-        expiresIn: 24 * 60 * 60,
+        expiresIn: 24 * 60,
       }),
     ],
   })
