Revert "fix: prevent premature session expiry in extension"

This reverts commit e29245e.

Author: Preshy

apps/extension/src/background/index.js

@@ -851,12 +851,24 @@ async function ensureValidToken() {
     return true;
   }
 
-  // Token is not expired based on stored expiry — trust it.
-  // Don't make a network validation call on every sync; that wastes bandwidth
-  // and can cause spurious failures (timeouts, network blips) that trigger
-  // unnecessary refresh cascades. The actual API call in performSync will
-  // naturally return 401 if the token is invalid, and apiRequest() already
-  // handles that by calling tryRefreshToken() and retrying.
+  // Token should be valid based on expiry, but validate to be sure
+  // Only do this if we haven't refreshed recently (avoid unnecessary network calls)
+  const isValid = await validateToken();
+  if (isValid) {
+    return true;
+  }
+
+  // Token validation failed despite not being expired - try refresh
+  console.log('[MarkSyncr] Token validation failed unexpectedly, attempting refresh...');
+  const refreshed = await tryRefreshToken();
+
+  if (!refreshed) {
+    // Don't clear — preserve extension_token for future retry.
+    // tryRefreshToken handles clearing on definitive 401 (session revoked/expired).
+    console.log('[MarkSyncr] Token refresh failed, will retry on next attempt');
+    return false;
+  }
+
   return true;
 }
 

apps/web/app/api/auth/extension/login/route.js

@@ -103,7 +103,7 @@ export async function POST(request) {
     const extensionToken = generateSecureToken();
     const extensionTokenHash = hashToken(extensionToken);
 
-    // Step 3: Calculate expiration (2 years from now)
+    // Step 3: Calculate expiration (1 year from now)
     const expiresAt = new Date(Date.now() + EXTENSION_SESSION_DURATION_MS);
 
     // Step 4: Store extension session in database using admin client
@@ -145,10 +145,6 @@ export async function POST(request) {
         access_token: session.access_token,
         // Expiration of the extension session (not the access token)
         expires_at: sessionData.expires_at,
-        // Expiration of the short-lived access token (typically 1 hour)
-        // Without this, the extension assumes the token is expired on first use
-        // and triggers an unnecessary refresh cycle on every sync
-        access_token_expires_at: session.expires_at,
         // Session metadata
         session_id: sessionData.id,
         created_at: sessionData.created_at,

supabase/migrations/015_extension_sessions.sql

@@ -3,7 +3,7 @@
 -- 
 -- This table stores long-lived session tokens for browser extensions.
 -- Unlike Supabase's default JWT tokens (which expire in 1 hour with 7-day refresh tokens),
--- extension sessions are designed to last 2 years to avoid requiring frequent re-logins.
+-- extension sessions are designed to last 1 year to avoid requiring frequent re-logins.
 --
 -- Security considerations:
 -- - extension_token is a cryptographically secure random token (256 bits)
@@ -97,9 +97,9 @@ $$;
 GRANT EXECUTE ON FUNCTION cleanup_expired_extension_sessions() TO authenticated;
 
 -- Comment on table for documentation
-COMMENT ON TABLE extension_sessions IS 'Long-lived session tokens for browser extensions (2 year expiry)';
+COMMENT ON TABLE extension_sessions IS 'Long-lived session tokens for browser extensions (1 year expiry)';
 COMMENT ON COLUMN extension_sessions.extension_token_hash IS 'SHA-256 hash of the extension token for secure verification';
 COMMENT ON COLUMN extension_sessions.supabase_refresh_token IS 'Supabase refresh token for obtaining new access tokens';
 COMMENT ON COLUMN extension_sessions.device_id IS 'Unique identifier for the browser/device';
-COMMENT ON COLUMN extension_sessions.expires_at IS 'Session expiration (default: 2 years from creation)';
+COMMENT ON COLUMN extension_sessions.expires_at IS 'Session expiration (default: 1 year from creation)';
 COMMENT ON COLUMN extension_sessions.last_used_at IS 'Last time the session was used (for activity tracking)';