From 7cc2c86300e23338807696e38fd3fbeb61c1c1ef Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Fri, 13 Mar 2026 00:43:20 -0700
Subject: [PATCH] Fix SEC-12: reduce default token expiry to 7 days
- Change default_expiry from 720h (30 days) to 168h (7 days) in dist/mcias.conf.example and dist/mcias.conf.docker.example
- Update man page, ARCHITECTURE.md, and config.go comment
- Max ceiling validation remains at 30 days (unchanged)
Security: Shorter default token lifetime reduces the window of exposure if a token is leaked. 7 days balances convenience and security for a personal SSO. The 30-day max ceiling is preserved so operators can still override if needed.
Co-Authored-By: Claude Opus 4.6
---
 ARCHITECTURE.md | 2 +-
 dist/mcias.conf.docker.example | 2 +-
 dist/mcias.conf.example | 4 ++--
 internal/config/config.go | 2 +-
 man/man1/mciassrv.1 | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
index b7e14a9..019f8fe 100644
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -697,7 +697,7 @@ path = "/var/lib/mcias/mcias.db"
 [tokens]
 issuer = "https://auth.example.com"
-default_expiry = "720h" # 30 days
+default_expiry = "168h" # 7 days
 admin_expiry = "8h"
 service_expiry = "8760h" # 365 days
diff --git a/dist/mcias.conf.docker.example b/dist/mcias.conf.docker.example
index 980d53b..3a9611a 100644
--- a/dist/mcias.conf.docker.example
+++ b/dist/mcias.conf.docker.example
@@ -36,7 +36,7 @@ path = "/data/mcias.db"
 [tokens]
 issuer = "https://auth.example.com"
-default_expiry = "720h"
+default_expiry = "168h"
 admin_expiry = "8h"
 service_expiry = "8760h"
diff --git a/dist/mcias.conf.example b/dist/mcias.conf.example
index c8143b6..e4546bd 100644
--- a/dist/mcias.conf.example
+++ b/dist/mcias.conf.example
@@ -69,8 +69,8 @@ issuer = "https://auth.example.com"
 # OPTIONAL. Default token expiry for interactive (human) logins.
 # Go duration string: "h" hours, "m" minutes, "s" seconds.
-# Default: 720h (30 days). Reduce for higher-security deployments.
-default_expiry = "720h"
+# Default: 168h (7 days). The maximum allowed value is 720h (30 days).
+default_expiry = "168h"
 # OPTIONAL. Expiry for admin tokens (tokens with the "admin" role).
 # Should be shorter than default_expiry to limit the blast radius of
diff --git a/internal/config/config.go b/internal/config/config.go
index c3324ee..c464a5a 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -75,7 +75,7 @@ type MasterKeyConfig struct {
 }
 // duration is a wrapper around time.Duration that supports TOML string parsing
-// (e.g. "720h", "8h").
+// (e.g. "168h", "8h").
 type duration struct {
 time.Duration
 }
diff --git a/man/man1/mciassrv.1 b/man/man1/mciassrv.1
index 1cd31c8..429a969 100644
--- a/man/man1/mciassrv.1
+++ b/man/man1/mciassrv.1
@@ -77,7 +77,7 @@ WAL mode and foreign key enforcement are enabled automatically.
 Issuer claim embedded in every JWT. Use the base URL of your MCIAS server.
 .It Sy default_expiry
-.Pq optional, default 720h
+.Pq optional, default 168h
 Token expiry for interactive logins. Go duration string.
 .It Sy admin_expiry
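Review bot: The new `+# Default: 168h (7 days)` comment and the man page's `default 168h` describe the value used when default_expiry is omitted, yet the only change to internal/config/config.go in this commit is the example string in the `duration` type comment; if the built-in fallback for a missing key is set in code, that code is not visible in this patch and may still read 720h, which is worth confirming because an operator who drops the key from an existing config would otherwise keep the 30-day lifetime. The commit message calls the 30-day limit a validation ceiling, but the new comment only says "maximum allowed value", so it is unclear to a reader whether a larger value is rejected or clamped; a wording such as `# Default: 168h (7 days). Values above 720h (30 days) are rejected at startup.` would tell operators what to expect, adjusted to whatever the validation actually does. The dist/mcias.conf.docker.example hunk changes the same key with no comment at all, and the same one-line comment would fit there so both examples document the cap.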