fix: prevent premature session expiry in extension

Three issues causing the extension session to appear expired:

1. Login endpoint didn't return access_token_expires_at, so the extension
   assumed the access token was always expired and triggered a refresh
   cycle on every single sync call. Now the Supabase JWT expiry is
   included in the login response.

2. ensureValidToken() made a network call to /api/auth/session on every
   sync even when the token wasn't expired. Any transient failure
   (timeout, network blip) would trigger an unnecessary refresh cascade.
   Now trusts the stored expiry and lets the actual API call handle 401s.

3. Fixed stale comments saying '1 year' when the actual session duration
   is 2 years (EXTENSION_SESSION_DURATION_MS).

Author: Preshy

apps/extension/src/background/index.js

@@ -851,24 +851,12 @@ async function ensureValidToken() {
     return true;
   }
 
-  // Token should be valid based on expiry, but validate to be sure
-  // Only do this if we haven't refreshed recently (avoid unnecessary network calls)
-  const isValid = await validateToken();
-  if (isValid) {
-    return true;
-  }
-
-  // Token validation failed despite not being expired - try refresh
-  console.log('[MarkSyncr] Token validation failed unexpectedly, attempting refresh...');
-  const refreshed = await tryRefreshToken();
-
-  if (!refreshed) {
-    // Don't clear — preserve extension_token for future retry.
-    // tryRefreshToken handles clearing on definitive 401 (session revoked/expired).
-    console.log('[MarkSyncr] Token refresh failed, will retry on next attempt');
-    return false;
-  }
-
+  // Token is not expired based on stored expiry — trust it.
+  // Don't make a network validation call on every sync; that wastes bandwidth
+  // and can cause spurious failures (timeouts, network blips) that trigger
+  // unnecessary refresh cascades. The actual API call in performSync will
+  // naturally return 401 if the token is invalid, and apiRequest() already
+  // handles that by calling tryRefreshToken() and retrying.
   return true;
 }
 

apps/web/app/api/auth/extension/login/route.js

@@ -103,7 +103,7 @@ export async function POST(request) {
     const extensionToken = generateSecureToken();
     const extensionTokenHash = hashToken(extensionToken);
 
-    // Step 3: Calculate expiration (1 year from now)
+    // Step 3: Calculate expiration (2 years from now)
     const expiresAt = new Date(Date.now() + EXTENSION_SESSION_DURATION_MS);
 
     // Step 4: Store extension session in database using admin client
@@ -145,6 +145,10 @@ export async function POST(request) {
         access_token: session.access_token,
         // Expiration of the extension session (not the access token)
         expires_at: sessionData.expires_at,
+        // Expiration of the short-lived access token (typically 1 hour)
+        // Without this, the extension assumes the token is expired on first use
+        // and triggers an unnecessary refresh cycle on every sync
+        access_token_expires_at: session.expires_at,
         // Session metadata
         session_id: sessionData.id,
         created_at: sessionData.created_at,

supabase/migrations/015_extension_sessions.sql

@@ -3,7 +3,7 @@
 -- 
 -- This table stores long-lived session tokens for browser extensions.
 -- Unlike Supabase's default JWT tokens (which expire in 1 hour with 7-day refresh tokens),
--- extension sessions are designed to last 1 year to avoid requiring frequent re-logins.
+-- extension sessions are designed to last 2 years to avoid requiring frequent re-logins.
 --
 -- Security considerations:
 -- - extension_token is a cryptographically secure random token (256 bits)
@@ -97,9 +97,9 @@ $$;
 GRANT EXECUTE ON FUNCTION cleanup_expired_extension_sessions() TO authenticated;
 
 -- Comment on table for documentation
-COMMENT ON TABLE extension_sessions IS 'Long-lived session tokens for browser extensions (1 year expiry)';
+COMMENT ON TABLE extension_sessions IS 'Long-lived session tokens for browser extensions (2 year expiry)';
 COMMENT ON COLUMN extension_sessions.extension_token_hash IS 'SHA-256 hash of the extension token for secure verification';
 COMMENT ON COLUMN extension_sessions.supabase_refresh_token IS 'Supabase refresh token for obtaining new access tokens';
 COMMENT ON COLUMN extension_sessions.device_id IS 'Unique identifier for the browser/device';
-COMMENT ON COLUMN extension_sessions.expires_at IS 'Session expiration (default: 1 year from creation)';
+COMMENT ON COLUMN extension_sessions.expires_at IS 'Session expiration (default: 2 years from creation)';
 COMMENT ON COLUMN extension_sessions.last_used_at IS 'Last time the session was used (for activity tracking)';