Code review fix

Author: samejr

apps/webapp/app/root.tsx

@@ -66,11 +66,12 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
   headers.append("Set-Cookie", await commitSession(session));
 
   // Lazy-backfill the auth session's `issuedAt` for cookies issued before this
-  // feature shipped, and refresh the cookie's Max-Age to track the user's
-  // current effective session duration.
+  // feature shipped. Returns null (and does not commit) once issuedAt is set,
+  // so the cookie isn't re-written on every page load.
   if (user) {
     const authSession = await getUserSession(request);
-    headers.append("Set-Cookie", await commitAuthenticatedSessionLazy(authSession));
+    const lazyCookie = await commitAuthenticatedSessionLazy(authSession);
+    if (lazyCookie) headers.append("Set-Cookie", lazyCookie);
   }
 
   return typedjson(

apps/webapp/app/services/sessionDuration.server.ts

@@ -186,14 +186,17 @@ export async function commitAuthenticatedSession(
 }
 
 /**
- * Commits the session for an authenticated user, lazily backfilling
- * `issuedAt` if missing. Use on every authenticated response that already
- * commits the cookie (e.g. root.tsx).
+ * Lazily backfills `issuedAt` on legacy auth sessions that predate the
+ * sessionDuration feature. Returns the cookie string when a backfill happened
+ * (caller must append it to the response's `Set-Cookie` headers), or `null`
+ * when the session already had `issuedAt` set — avoiding an unnecessary
+ * Set-Cookie on every authenticated page load and preventing the cookie's
+ * 1-year Max-Age from rolling forward indefinitely.
  */
 export async function commitAuthenticatedSessionLazy(
   session: Session,
   now: number = Date.now()
-): Promise<string> {
-  ensureSessionIssuedAt(session, now);
+): Promise<string | null> {
+  if (!ensureSessionIssuedAt(session, now)) return null;
   return commitSession(session, { maxAge: DEFAULT_SESSION_DURATION_SECONDS });
 }