Clearance cookie expiration doesn't respect time travel in tests

[pangolingo]

Steps to reproduce

1. integrate Clearance into an app
2. write a system test for the app
3. in the system test, use time travel to travel back in time 2 years
4. in the system test, perform a login

Expected behavior

The user will be successfully logged in

Actual behavior

The login fails with a message:

We were not able to create this account. Try using a different email address or password.

(This is the flashes.failure_on_signup message)

Workarounds

We can successfully work around this issue a few ways:

1. be sure not to time travel back more than a year ago
2. adjust the cookie expiration time to be very long: config.cookie_expiration = lambda { |cookies| 9999.years.from_now.utc }

Notes

I encountered this on an app I'm working on, but I also found it mentioned in an issue on an internal thoughtbot repo. This was the workaround used there to avoid traveling too far back in time:

current_year = Time.zone.now.year
travel_to Time.new(current_year, 1, 1, 17, 10, 0, eastern_time_utc_offset)

Here's a shortened version of the test that caused these errors:

scenario "can change to a quarterly cashflow summary" do
      user = create_onboarded_user
     
      travel_to Date.new(2022, 3, 14)

      sign_in_with user.email, user.password
      visit dashboard_index_path

      expect(page).to have_content("Dashboard")
end

Here's the Clearance config used:

# config/initializers/clearance.rb
Clearance.configure do |config|
  config.allow_sign_up = true
  if Rails.env.production?
    config.cookie_expiration = lambda { |cookies| 1.month.from_now.utc }
  end
  config.mailer_sender = ENV.fetch("CLEARANCE_MAILER_SENDER")

  config.redirect_url = "/onboarding/get_started"

  config.rotate_csrf_on_sign_in = true
  config.routes = false
  config.secure_cookie = Rails.env.production?
  config.signed_cookie = true
end

[fcheung]

I've had a play around with this & I don't think there is a lot clearance can do. If I add travel_to 2.years.ago to a spec, then (as of today) the rails app thinks that the current date is 14th Nov 2022. In the default config the expiration date is 1 year, ie 14th Nov 2023, and that's the header I see clearance setting

set-cookie: remember_token=07d26adf5f1c1f0c54342dc37f2de97121f9fd5c; path=/; expires=Tue, 14 Nov 2023 21:26:42 GMT; httponly

If your test driver is running against a real browser (ie cuprite, selenium etc.) then that browser knows nothing about rails' time travelling, so just sees an expired cookie & ignores it - it's not clearance doing cookie expiry incorrectly, it's Chrome/Firefox (understandably) using the real time. I'm not sure if there is a way to fake this, but if so this is probably a concern of capybara drivers rather than clearance.