Fix SEC-12: reduce default token expiry to 7 days

- Change default_expiry from 720h (30 days) to 168h (7 days) in dist/mcias.conf.example and dist/mcias.conf.docker.example - Update man page, ARCHITECTURE.md, and config.go comment - Max ceiling validation remains at 30 days (unchanged) Security: Shorter default token lifetime reduces the window of exposure if a token is leaked. 7 days balances convenience and security for a personal SSO. The 30-day max ceiling is preserved so operators can still override if needed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 00:43:20 -07:00
parent 586d4e3355
commit 7cc2c86300
5 changed files with 6 additions and 6 deletions
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -697,7 +697,7 @@ path = "/var/lib/mcias/mcias.db"

 [tokens]
 issuer          = "https://auth.example.com"
-default_expiry  = "720h"    # 30 days
+default_expiry  = "168h"    # 7 days
 admin_expiry    = "8h"
 service_expiry  = "8760h"   # 365 days