From 16c4e7b63c57963c99eca4f6c8b11c8bed7cde3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rodrigo=20L=C3=B3pez=20Dato?= <rodrigo@metabase.com>
Date: Thu, 14 Aug 2025 17:14:51 -0300
Subject: [PATCH 1/2] Add exp to generated JWTs

---
 .../thirdParty/metabase/JWTProvider/JWTProvider.tsx      | 4 ++--
 src/components/thirdParty/metabase/JWTProvider/types.ts  | 2 +-
 src/components/thirdParty/metabase/hooks/types.ts        | 2 +-
 src/components/thirdParty/metabase/hooks/useJWTLogin.ts  | 7 ++++---
 src/components/thirdParty/metabase/utils/constants.ts    | 2 +-
 src/pages/_app.tsx                                       | 2 +-
 src/pages/api/auth/metabase.ts                           | 9 +++++----
 src/pages/embedding/full-app/setup.tsx                   | 7 ++++---
 8 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/src/components/thirdParty/metabase/JWTProvider/JWTProvider.tsx b/src/components/thirdParty/metabase/JWTProvider/JWTProvider.tsx
index 26139bb..82feab4 100644
--- a/src/components/thirdParty/metabase/JWTProvider/JWTProvider.tsx
+++ b/src/components/thirdParty/metabase/JWTProvider/JWTProvider.tsx
@@ -6,13 +6,13 @@ import { IJWTProviderProps } from "./types";
 export default function JWTProvider({
   appId,
   user,
-  expiresIn,
+  expiresInSeconds,
   children,
 }: PropsWithChildren<IJWTProviderProps>): ReactElement {
   const { jwt, loading, error } = useJWTLogin({
     appId,
     user,
-    expiresIn,
+    expiresInSeconds,
   });
 
   if (loading) {
diff --git a/src/components/thirdParty/metabase/JWTProvider/types.ts b/src/components/thirdParty/metabase/JWTProvider/types.ts
index 28e71a3..02365e3 100644
--- a/src/components/thirdParty/metabase/JWTProvider/types.ts
+++ b/src/components/thirdParty/metabase/JWTProvider/types.ts
@@ -3,5 +3,5 @@ import { IUser } from "../types";
 export interface IJWTProviderProps {
   appId?: string;
   user?: IUser;
-  expiresIn?: string;
+  expiresInSeconds?: number;
 }
diff --git a/src/components/thirdParty/metabase/hooks/types.ts b/src/components/thirdParty/metabase/hooks/types.ts
index 14f2eff..520380f 100644
--- a/src/components/thirdParty/metabase/hooks/types.ts
+++ b/src/components/thirdParty/metabase/hooks/types.ts
@@ -4,7 +4,7 @@ export interface IUseJWTLoginProps {
   appId?: string;
   user?: IUser;
   returnTo?: string;
-  expiresIn?: string;
+  expiresInSeconds?: number;
 }
 
 export interface IUseJWTLoginRes {
diff --git a/src/components/thirdParty/metabase/hooks/useJWTLogin.ts b/src/components/thirdParty/metabase/hooks/useJWTLogin.ts
index 24fd60a..19fa1e8 100644
--- a/src/components/thirdParty/metabase/hooks/useJWTLogin.ts
+++ b/src/components/thirdParty/metabase/hooks/useJWTLogin.ts
@@ -1,11 +1,12 @@
 import { useCallback, useEffect, useState } from "react";
 import { IUseJWTLoginProps, IUseJWTLoginRes } from "./types";
+import { DEFAULT_EXPIRATION_SECONDS } from "../utils/constants";
 
 export function useJWTLogin({
   appId = process.env.METABASE_APP_ID,
   user,
   returnTo = "/",
-  expiresIn,
+  expiresInSeconds = DEFAULT_EXPIRATION_SECONDS,
 }: IUseJWTLoginProps = {}): IUseJWTLoginRes {
   const [requestDate, setRequestDate] = useState<Date>();
   const [jwt, setJWT] = useState<string>();
@@ -24,7 +25,7 @@ export function useJWTLogin({
           appId,
           user,
           returnTo,
-          expiresIn, // Not used: see FIX
+          exp: Math.floor(Date.now() / 1000) + expiresInSeconds, // Not used: see FIX
         }),
       });
       const data = await response.json();
@@ -37,7 +38,7 @@ export function useJWTLogin({
       setError(err.message || err);
       console.error(err);
     }
-  }, [appId, user, returnTo, expiresIn]);
+  }, [appId, user, returnTo, expiresInSeconds]);
 
   useEffect(() => {
     getUrlAsync();
diff --git a/src/components/thirdParty/metabase/utils/constants.ts b/src/components/thirdParty/metabase/utils/constants.ts
index 4c2d448..a6e4db8 100644
--- a/src/components/thirdParty/metabase/utils/constants.ts
+++ b/src/components/thirdParty/metabase/utils/constants.ts
@@ -8,4 +8,4 @@ export const DUMMY_USER: IUser = {
   groups: ["Read Only"],
 };
 
-export const DEFAULT_EXPIRATION = "2 days";
+export const DEFAULT_EXPIRATION_SECONDS = 5 * 60; // 5 minutes
diff --git a/src/pages/_app.tsx b/src/pages/_app.tsx
index 49f96c3..acf6452 100644
--- a/src/pages/_app.tsx
+++ b/src/pages/_app.tsx
@@ -35,7 +35,7 @@ export default function App({
         <title>Edumation</title>
       </Head>
 
-      <JWTProvider user={account} expiresIn="2 days">
+      <JWTProvider user={account}>
         <ThemeProvider theme={defaultTheme}>
           <GlobalStyle />
           <Nav />
diff --git a/src/pages/api/auth/metabase.ts b/src/pages/api/auth/metabase.ts
index 83b5f3f..8db60cf 100644
--- a/src/pages/api/auth/metabase.ts
+++ b/src/pages/api/auth/metabase.ts
@@ -1,9 +1,10 @@
 import type { NextApiRequest, NextApiResponse } from "next";
+import type { JwtPayload } from "jsonwebtoken";
 import { sign } from "jsonwebtoken";
 import { format } from "url";
 import { getAppUrl } from "@components/thirdParty/metabase/utils";
 import {
-  DEFAULT_EXPIRATION,
+  DEFAULT_EXPIRATION_SECONDS,
   DUMMY_USER,
 } from "@components/thirdParty/metabase/utils/constants";
 import { IUseJWTLoginProps } from "@components/thirdParty/metabase/hooks/types";
@@ -16,7 +17,7 @@ export default async function handler(
     appId,
     user = DUMMY_USER,
     returnTo = "/",
-    expiresIn = DEFAULT_EXPIRATION,
+    expiresInSeconds = DEFAULT_EXPIRATION_SECONDS,
   } = req.body as IUseJWTLoginProps;
   if (req.method === "POST") {
     const METABASE_JWT_SHARED_SECRET =
@@ -26,8 +27,8 @@ export default async function handler(
     const jwt = sign(
       {
         ...user,
-        expiresIn,
-      },
+        exp: Math.floor(Date.now() / 1000) + expiresInSeconds,
+      } as JwtPayload,
       METABASE_JWT_SHARED_SECRET,
     );
 
diff --git a/src/pages/embedding/full-app/setup.tsx b/src/pages/embedding/full-app/setup.tsx
index 0888517..fe1e399 100644
--- a/src/pages/embedding/full-app/setup.tsx
+++ b/src/pages/embedding/full-app/setup.tsx
@@ -2,6 +2,7 @@ import PageContainer from "@components/container/PageContainer";
 import PageHeader from "@components/layout/PageHeader";
 import Head from "next/head";
 import { ReactElement, useEffect, useState } from "react";
+import type { JwtPayload } from "jsonwebtoken";
 import { sign } from "jsonwebtoken";
 import ImageWrapper from "@components/ui/ImageWrapper";
 import { getAppUrl } from "@components/thirdParty/metabase/utils";
@@ -13,7 +14,7 @@ const iFrameCodeFullAppSign = `const jsonwebtoken = sign(
     first_name: <first name>,
     last_name: <last name>,
     groups: ["Read Only"],
-    expiresIn: "2 days",
+    exp: Math.floor(Date.now() / 1000) + <expiration seconds>
   },
   <JWT shared secret key>,
 );`;
@@ -37,8 +38,8 @@ export default function SimpleEmbeddingPage(): ReactElement {
         first_name: "Dummy",
         last_name: "User",
         groups: ["Read Only"],
-        expiresIn: "2 days",
-      },
+        exp: Math.floor(Date.now() / 1000) + 5 * 60, // 5 minutes
+      } as JwtPayload,
       METABASE_JWT_SHARED_SECRET,
     );
     setTheJWT(jwt);

From 73538ee3af4ac020c6502b33819ebf37c17978b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rodrigo=20L=C3=B3pez=20Dato?= <rodrigo@metabase.com>
Date: Thu, 14 Aug 2025 17:15:21 -0300
Subject: [PATCH 2/2] Update initialization SQL

---
 app-db-initialization/embed_demo.sql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app-db-initialization/embed_demo.sql b/app-db-initialization/embed_demo.sql
index 6c5e4fb..bbdc879 100644
--- a/app-db-initialization/embed_demo.sql
+++ b/app-db-initialization/embed_demo.sql
@@ -3708,9 +3708,9 @@ COPY public.core_session (id, user_id, created_at, anti_csrf_token) FROM stdin;
 COPY public.core_user (id, email, first_name, last_name, password, password_salt, date_joined, last_login, is_superuser, is_active, reset_token, reset_triggered, is_qbnewb, google_auth, ldap_auth, login_attributes, updated_at, sso_source, locale, is_datasetnewb, settings) FROM stdin;
 2	fake2@edumation.com	Fake	Two	$2a$10$DVjygn2uQfF3c3L/9eVVaexDnxMKmxOo72/IOKr0aUmZ/k..z5BbC	07c3fef0-938e-4a1e-8849-bf3d66c638c5	2022-11-11 16:56:20.534624+00	2022-12-05 16:04:34.611907+00	t	t	$2a$10$caiF0YZT0UcD6NfydvqGJ.xF3tKZMQkFxHlT5RdipBabpjhnN149.	1668505830164	f	f	f	\N	2022-12-05 16:04:34.611907	\N	\N	t	\N
 5	the.account@edumation.com	The	Account	$2a$10$DVjygn2uQfF3c3L/9eVVaexDnxMKmxOo72/IOKr0aUmZ/k..z5BbC	07c3fef0-938e-4a1e-8849-bf3d66c638c5	2022-11-17 10:01:26.174614+00	2022-12-07 12:28:58.033817+00	f	t	\N	\N	f	f	f	{"metalbase_user_id":8,"exp":1670416738,"groups":["Read Only"]}	2022-12-07 12:28:58.033817	jwt	\N	t	\N
-7	mary.smith@edumation.com	Mary	Smith	$2a$10$DVjygn2uQfF3c3L/9eVVaexDnxMKmxOo72/IOKr0aUmZ/k..z5BbC	07c3fef0-938e-4a1e-8849-bf3d66c638c5	2022-11-30 08:24:37.577984+00	2023-01-15 20:33:45.669532+00	f	t	\N	\N	f	f	f	{"professor_id":1,"occupation":"teacher","id":1000000,"avatar":"/images/mary-smith.png","expiresIn":"2 days","groups":["Professors"]}	2023-01-15 20:33:45.669532	jwt	\N	t	\N
+7	mary.smith@edumation.com	Mary	Smith	$2a$10$DVjygn2uQfF3c3L/9eVVaexDnxMKmxOo72/IOKr0aUmZ/k..z5BbC	07c3fef0-938e-4a1e-8849-bf3d66c638c5	2022-11-30 08:24:37.577984+00	2023-01-15 20:33:45.669532+00	f	t	\N	\N	f	f	f	{"professor_id":1,"occupation":"teacher","id":1000000,"avatar":"/images/mary-smith.png","groups":["Professors"]}	2023-01-15 20:33:45.669532	jwt	\N	t	\N
 1	fake1@edumation.com	Fake	One	$2a$10$DVjygn2uQfF3c3L/9eVVaexDnxMKmxOo72/IOKr0aUmZ/k..z5BbC	07c3fef0-938e-4a1e-8849-bf3d66c638c5	2022-11-10 21:29:57.758633+00	2022-12-19 19:08:13.618004+00	t	t	\N	\N	f	f	f	\N	2022-12-19 19:08:13.618004	\N	\N	t	\N
-8	anna.johnson@edumation.com	Anna	Johnson	$2a$10$DVjygn2uQfF3c3L/9eVVaexDnxMKmxOo72/IOKr0aUmZ/k..z5BbC	07c3fef0-938e-4a1e-8849-bf3d66c638c5	2022-11-30 14:50:52.561711+00	2023-01-15 16:29:07.343049+00	f	t	\N	\N	f	f	f	{"professor_id":2,"occupation":"teacher","id":999999,"avatar":"/images/anna-johnson.png","expiresIn":"2 days","groups":["Professors"]}	2023-01-15 16:29:07.343049	jwt	\N	t	\N
+8	anna.johnson@edumation.com	Anna	Johnson	$2a$10$DVjygn2uQfF3c3L/9eVVaexDnxMKmxOo72/IOKr0aUmZ/k..z5BbC	07c3fef0-938e-4a1e-8849-bf3d66c638c5	2022-11-30 14:50:52.561711+00	2023-01-15 16:29:07.343049+00	f	t	\N	\N	f	f	f	{"professor_id":2,"occupation":"teacher","id":999999,"avatar":"/images/anna-johnson.png","groups":["Professors"]}	2023-01-15 16:29:07.343049	jwt	\N	t	\N
 \.