Fix SEC-12: reduce default token expiry to 7 days

- Change default_expiry from 720h (30 days) to 168h (7 days)
  in dist/mcias.conf.example and dist/mcias.conf.docker.example
- Update man page, ARCHITECTURE.md, and config.go comment
- Max ceiling validation remains at 30 days (unchanged)

Security: Shorter default token lifetime reduces the window of
exposure if a token is leaked. 7 days balances convenience and
security for a personal SSO. The 30-day max ceiling is preserved
so operators can still raise the value, up to 30 days, if needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 00:43:20 -07:00
parent 586d4e3355
commit 7cc2c86300
5 changed files with 6 additions and 6 deletions


@@ -697,7 +697,7 @@ path = "/var/lib/mcias/mcias.db"
[tokens] [tokens]
issuer = "https://auth.example.com" issuer = "https://auth.example.com"
default_expiry = "720h" # 30 days default_expiry = "168h" # 7 days
admin_expiry = "8h" admin_expiry = "8h"
service_expiry = "8760h" # 365 days service_expiry = "8760h" # 365 days


@@ -36,7 +36,7 @@ path = "/data/mcias.db"
[tokens] [tokens]
issuer = "https://auth.example.com" issuer = "https://auth.example.com"
default_expiry = "720h" default_expiry = "168h"
admin_expiry = "8h" admin_expiry = "8h"
service_expiry = "8760h" service_expiry = "8760h"


@@ -69,8 +69,8 @@ issuer = "https://auth.example.com"
# OPTIONAL. Default token expiry for interactive (human) logins. # OPTIONAL. Default token expiry for interactive (human) logins.
# Go duration string: "h" hours, "m" minutes, "s" seconds. # Go duration string: "h" hours, "m" minutes, "s" seconds.
# Default: 720h (30 days). Reduce for higher-security deployments. # Default: 168h (7 days). The maximum allowed value is 720h (30 days).
default_expiry = "720h" default_expiry = "168h"
# OPTIONAL. Expiry for admin tokens (tokens with the "admin" role). # OPTIONAL. Expiry for admin tokens (tokens with the "admin" role).
# Should be shorter than default_expiry to limit the blast radius of # Should be shorter than default_expiry to limit the blast radius of
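Review bot: The new comment on `default_expiry` states that the maximum allowed value is 720h, yet the context line `service_expiry = "8760h"` in the same `[tokens]` block exceeds that, so a reader cannot tell whether the ceiling applies only to interactive tokens or the example itself is out of range; the validation code is not in this hunk, so the scope is inferred from the commit message. If the 30-day ceiling is specific to this key, say so in the comment: `# Default: 168h (7 days). Values above 720h (30 days) are rejected by config validation; this ceiling applies to default_expiry only.` — adjust the second clause to whatever the validator actually enforces. One more sentence would help operators who lower this for security reasons, since a shorter default presumably does not shorten tokens already issued under the old 720h value: `# Changing this affects newly issued tokens only; already-issued tokens keep their original expiry.` That behavior should be confirmed against the token issuer before the comment is committed, as it is outside this change.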


@@ -75,7 +75,7 @@ type MasterKeyConfig struct {
} }
// duration is a wrapper around time.Duration that supports TOML string parsing // duration is a wrapper around time.Duration that supports TOML string parsing
// (e.g. "720h", "8h"). // (e.g. "168h", "8h").
type duration struct { type duration struct {
time.Duration time.Duration
} }


@@ -77,7 +77,7 @@ WAL mode and foreign key enforcement are enabled automatically.
Issuer claim embedded in every JWT. Issuer claim embedded in every JWT.
Use the base URL of your MCIAS server. Use the base URL of your MCIAS server.
.It Sy default_expiry .It Sy default_expiry
.Pq optional, default 720h .Pq optional, default 168h
Token expiry for interactive logins. Token expiry for interactive logins.
Go duration string. Go duration string.
.It Sy admin_expiry .It Sy admin_expiry