node: set JWT expiry to 60 seconds #25416

2026-06-19 21:31:37 +00:00 · 2025-04-27 19:02:03 +08:00 · 2025-04-27 19:02:03 +08:00 · b899363d17
commit b899363d17
parent 0e84001c0b
2 changed files with 6 additions and 4 deletions
--- a/node/jwt_handler.go
+++ b/node/jwt_handler.go
@ -24,6 +24,8 @@ import (
 	"github.com/golang-jwt/jwt/v4"
 )

+const jwtExpiryTimeout = 60 * time.Second
+
 type jwtHandler struct {
 	keyFunc func(token *jwt.Token) (interface{}, error)
 	next    http.Handler
@ -68,9 +70,9 @@ func (handler *jwtHandler) ServeHTTP(out http.ResponseWriter, r *http.Request) {
 		http.Error(out, "token is expired", http.StatusForbidden)
 	case claims.IssuedAt == nil:
 		http.Error(out, "missing issued-at", http.StatusForbidden)
-	case time.Since(claims.IssuedAt.Time) > 5*time.Second:
+	case time.Since(claims.IssuedAt.Time) > jwtExpiryTimeout:
 		http.Error(out, "stale token", http.StatusForbidden)
-	case time.Until(claims.IssuedAt.Time) > 5*time.Second:
+	case time.Until(claims.IssuedAt.Time) > jwtExpiryTimeout:
 		http.Error(out, "future token", http.StatusForbidden)
 	default:
 		handler.next.ServeHTTP(out, r)
--- a/node/rpcstack_test.go
+++ b/node/rpcstack_test.go
@ -324,9 +324,9 @@ func TestJWT(t *testing.T) {
 	}
 	expFail := []string{
 		// future
-		fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() + 6})),
+		fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() + int64(jwtExpiryTimeout.Seconds()) + 1})),
 		// stale
-		fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() - 6})),
+		fmt.Sprintf("Bearer %v", issueToken(secret, nil, testClaim{"iat": time.Now().Unix() - int64(jwtExpiryTimeout.Seconds()) - 1})),
 		// wrong algo
 		fmt.Sprintf("Bearer %v", issueToken(secret, jwt.SigningMethodHS512, testClaim{"iat": time.Now().Unix() + 4})),
 		// expired