Add configuration for max token age

host/auth/auth.go

@@ -20,7 +20,7 @@ import (
 )
 
 const (
-	authenticationTokenMaxAgeSeconds = 30 * 86400
+	DefaultAuthenticationTokenMaxAge = 120 * 24 * time.Hour
 )
 
 // Auth allows us to check a username and password, or generate a password for a user.
@@ -32,9 +32,9 @@ type Auth interface {
 	PassFor(user string) string
 }
 
-// New returns a new production Auth based on the given secret and expiration.
-func New(secret []byte) Auth {
-	return &auth{secret: secret, clock: util.RealClock, expiration: time.Second * authenticationTokenMaxAgeSeconds}
+// New returns a new production Auth based on the given secret and max token age.
+func New(secret []byte, authenticationTokenMaxAge time.Duration) Auth {
+	return &auth{secret: secret, clock: util.RealClock, expiration: authenticationTokenMaxAge}
 }
 
 type alwaysAllow struct{}

host/cmd/svr2client/main.go

@@ -120,7 +120,7 @@ func newClient(username string) (*client.SVRClient, error) {
 		return nil, err
 	}
 	c, resp, err := dialer.Dial(u.String(), http.Header{
-		"Authorization": []string{"Basic " + base64.URLEncoding.EncodeToString([]byte(username+":"+auth.New(authBytes).PassFor(username)))},
+		"Authorization": []string{"Basic " + base64.URLEncoding.EncodeToString([]byte(username+":"+auth.New(authBytes, auth.DefaultAuthenticationTokenMaxAge).PassFor(username)))},
 	})
 	if err != nil {
 		return nil, fmt.Errorf("dial %v", err)

host/cmd/svr3client/main.go

@@ -164,7 +164,7 @@ func newWebsocket(username string, hs *hostSet) (*websocket.Conn, error) {
 		return nil, err
 	}
 	c, resp, err := dialer.Dial(u.String(), http.Header{
-		"Authorization": []string{"Basic " + base64.URLEncoding.EncodeToString([]byte(username+":"+auth.New(authBytes).PassFor(username)))},
+		"Authorization": []string{"Basic " + base64.URLEncoding.EncodeToString([]byte(username+":"+auth.New(authBytes, auth.DefaultAuthenticationTokenMaxAge).PassFor(username)))},
 	})
 	if err != nil {
 		return nil, fmt.Errorf("dial %v", err)
@@ -380,7 +380,7 @@ func runAuthHeaders() error {
 	if err != nil {
 		return err
 	}
-	pass := auth.New(authBytes).PassFor(user)
+	pass := auth.New(authBytes, auth.DefaultAuthenticationTokenMaxAge).PassFor(user)
 	log.Printf("USER: %q", user)
 	log.Printf("PASS: %q", pass)
 	log.Printf("HEADERS: Authorization: Basic %s", base64.URLEncoding.EncodeToString([]byte(user+":"+pass)))

host/config/config.go

@@ -14,6 +14,7 @@ import (
 	"go.uber.org/zap/zapcore"
 	"gopkg.in/yaml.v2"
 
+	"github.com/signalapp/svr2/auth"
 	"github.com/signalapp/svr2/util"
 )
 
@@ -49,6 +50,8 @@ type Config struct {
 	// Periodicity/timeout for local liveness checks
 	LocalLivenessCheckPeriod  time.Duration `yaml:"localLivenessCheckPeriod"`
 	LocalLivenessCheckTimeout time.Duration `yaml:"localLivenessCheckTimeout"`
+	// Maximum age for authentication tokens
+	AuthenticationTokenMaxAge time.Duration `yaml:"authenticationTokenMaxAge"`
 }
 
 // validate returns a list of validation errors, or empty if there are no errors.
@@ -145,5 +148,6 @@ func Default() *Config {
 		RecurringRedisPeerDBTTL:   time.Minute * 5,
 		LocalLivenessCheckPeriod:  time.Minute,
 		LocalLivenessCheckTimeout: time.Minute,
+		AuthenticationTokenMaxAge: auth.DefaultAuthenticationTokenMaxAge,
 	}
 }

host/integration/integration_test.go

@@ -187,7 +187,7 @@ func TestServerDelete(t *testing.T) {
 }
 
 func authHeaders(user string) http.Header {
-	authenticator := auth.New([]byte(authSecret))
+	authenticator := auth.New([]byte(authSecret), auth.DefaultAuthenticationTokenMaxAge)
 	headers := http.Header{}
 	headers.Set("Authorization", "Basic "+base64.URLEncoding.EncodeToString([]byte(user+":"+authenticator.PassFor(user))))
 	return headers

host/main.go

@@ -142,7 +142,7 @@ func main() {
 	if err != nil {
 		logger.Fatalf("auth secret invalid base64: %v", err)
 	}
-	authenticator := auth.New(authBytes)
+	authenticator := auth.New(authBytes, hconfig.AuthenticationTokenMaxAge)
 
 	var econfig pb.InitConfig
 	if configBytes, err := os.ReadFile(*econfigPath); err != nil {