Cap refresh chain lifetime via RefreshChainAbsoluteTTL
Sessions had an absolute cap (created_at + SessionAbsoluteTTL) but the JWT path only had per-token TTL on the refresh row, letting a well-behaved client refresh indefinitely. Add chain_started_at to authkit_tokens, copy it forward on every rotation, and reject in RefreshJWT when now > chainStartedAt + RefreshChainAbsoluteTTL. Default 30d, mirroring SessionAbsoluteTTL. Schema, verifier, queries, model, and integration test updated. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
juancwu
parent
d3c5367492
commit
ca5525d4bd
11 changed files with 129 additions and 53 deletions
|
|
@ -75,6 +75,7 @@ func expectedSchema(s Schema) []tableSpec {
|
|||
{"kind", "text", false},
|
||||
{"user_id", "uuid", false},
|
||||
{"chain_id", "text", true},
|
||||
{"chain_started_at", "timestamp with time zone", true},
|
||||
{"consumed_at", "timestamp with time zone", true},
|
||||
{"attempts_remaining", "integer", true},
|
||||
{"created_at", "timestamp with time zone", false},
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue