Fix SEC-12: reduce default token expiry to 7 days

- Change default_expiry from 720h (30 days) to 168h (7 days)
  in dist/mcias.conf.example and dist/mcias.conf.docker.example
- Update man page, ARCHITECTURE.md, and config.go comment
- Max ceiling validation remains at 30 days (unchanged)

Security: Shorter default token lifetime reduces the window of
exposure if a token is leaked. 7 days balances convenience and
security for a personal SSO. The 30-day max ceiling is preserved
so operators can still override if needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 00:43:20 -07:00
parent 586d4e3355
commit 7cc2c86300
5 changed files with 6 additions and 6 deletions

@@ -697,7 +697,7 @@ path = "/var/lib/mcias/mcias.db"
[tokens]
issuer = "https://auth.example.com"
default_expiry = "720h" # 30 days
default_expiry = "168h" # 7 days
admin_expiry = "8h"
service_expiry = "8760h" # 365 days
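Review bot: The new `default_expiry = "168h" # 7 days` line in this example config gives no hint that the value is capped; the reference config in this same commit documents "The maximum allowed value is 720h (30 days)", and an operator copying this example and raising the value past that will only find out from a validation failure. Suggest extending the inline comment to something like `default_expiry = "168h" # 7 days (max 720h)` so both shipped examples carry the same guidance.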

@@ -36,7 +36,7 @@ path = "/data/mcias.db"
[tokens]
issuer = "https://auth.example.com"
default_expiry = "720h"
default_expiry = "168h"
admin_expiry = "8h"
service_expiry = "8760h"
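Review bot: The docker example changes the value but, unlike the first example config, carries no `# 7 days` comment on `default_expiry` or `# 365 days` on `service_expiry`, so the two shipped examples now diverge in how self-explanatory they are. Suggest adding the same trailing comments here (and the 720h ceiling note, if it is added to the other example) so that the docker example documents the 7-day default and its limit in place.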

@@ -69,8 +69,8 @@ issuer = "https://auth.example.com"
# OPTIONAL. Default token expiry for interactive (human) logins.
# Go duration string: "h" hours, "m" minutes, "s" seconds.
# Default: 720h (30 days). Reduce for higher-security deployments.
default_expiry = "720h"
# Default: 168h (7 days). The maximum allowed value is 720h (30 days).
default_expiry = "168h"
# OPTIONAL. Expiry for admin tokens (tokens with the "admin" role).
# Should be shorter than default_expiry to limit the blast radius of
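Review bot: The replacement comment drops the guidance "Reduce for higher-security deployments." from the old line while adding the ceiling, but the two statements are not alternatives: operators still benefit from being told that shortening the value is the expected tuning direction, and the ceiling only tells them how far they can go the other way. Suggest keeping both, e.g. `# Default: 168h (7 days). Maximum allowed value is 720h (30 days); reduce for higher-security deployments.`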

@@ -75,7 +75,7 @@ type MasterKeyConfig struct {
}
// duration is a wrapper around time.Duration that supports TOML string parsing
// (e.g. "720h", "8h").
// (e.g. "168h", "8h").
type duration struct {
time.Duration
}
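Review bot: The only change in config.go is the example string in the `duration` doc comment; nothing in this commit touches the value the server falls back to when `default_expiry` is absent from the config file. If there is a hard-coded fallback for that case, it needs to be 168h as well, otherwise the "Default: 168h" wording added to the reference config and man page is only true for deployments that start from the shipped example files. Please confirm where the absent-key default lives and that it matches.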

@@ -77,7 +77,7 @@ WAL mode and foreign key enforcement are enabled automatically.
Issuer claim embedded in every JWT.
Use the base URL of your MCIAS server.
.It Sy default_expiry
.Pq optional, default 720h
.Pq optional, default 168h
Token expiry for interactive logins.
Go duration string.
.It Sy admin_expiry
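Review bot: The man page entry for `default_expiry` now states the 168h default but, unlike the reference config in this commit, says nothing about the 720h maximum, so the two documents describe the same setting with different completeness. Suggest extending the description, e.g. `.Pq optional, default 168h, maximum 720h` or an added sentence after "Go duration string." stating the ceiling, so an operator reading only the man page knows the value is validated against an upper bound.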