stevespringett · stevespringett · May 23, 2024 · Jan 26, 2024
diff --git a/alpine-common/src/main/java/alpine/Config.java b/alpine-common/src/main/java/alpine/Config.java
@@ -181,7 +181,8 @@ public enum AlpineKey implements Key {
         CORS_ALLOW_CREDENTIALS                 ("alpine.cors.allow.credentials",     true),
         CORS_MAX_AGE                           ("alpine.cors.max.age",               3600),
         WATCHDOG_LOGGING_INTERVAL              ("alpine.watchdog.logging.interval",  0),
-        API_KEY_PREFIX                         ("alpine.api.key.prefix",             "alpine_");
+        API_KEY_PREFIX                         ("alpine.api.key.prefix",             "alpine_"),
+        AUTH_JWT_TTL_SECONDS                   ("alpine.auth.jwt.ttl.seconds",       7 * 24 * 60);
 
 
         private String propertyName;

diff --git a/alpine-server/src/main/java/alpine/server/auth/JsonWebToken.java b/alpine-server/src/main/java/alpine/server/auth/JsonWebToken.java
@@ -130,13 +130,30 @@ public String createToken(final Principal principal, final List<Permission> perm
      * @return a String representation of the generated token
      * @since 1.8.0
      */
-    public String createToken(final Principal principal, final List<Permission> permissions, final IdentityProvider identityProvider) {
-        final Date today = new Date();
+    public String createToken(final Principal principal, final List<Permission> permissions,
+            final IdentityProvider identityProvider) {
+        final int ttl = Config.getInstance().getPropertyAsInt(Config.AlpineKey.AUTH_JWT_TTL_SECONDS);
+        return createToken(principal, permissions, identityProvider, ttl);
+    }
+
+    /**
+     * Creates a new JWT for the specified principal. Token is signed using
+     * the SecretKey with an HMAC 256 algorithm.
+     *
+     * @param principal the Principal to create the token for
+     * @param permissions the effective list of permissions for the principal
+     * @param identityProvider the identity provider the principal was authenticated with. If null, it will be derived from principal
+     * @param ttlSeconds the token time-to-live in seconds
+     * @return a String representation of the generated token
+     * @since 2.2.6
+     */
+    public String createToken(final Principal principal, final List<Permission> permissions, final IdentityProvider identityProvider, final int ttlSeconds) {
+        final Date now = new Date();
         final JwtBuilder jwtBuilder = Jwts.builder();
         jwtBuilder.setSubject(principal.getName());
         jwtBuilder.setIssuer(ISSUER);
-        jwtBuilder.setIssuedAt(today);
-        jwtBuilder.setExpiration(addDays(today, 7));
+        jwtBuilder.setIssuedAt(now);
+        jwtBuilder.setExpiration(addSeconds(now, ttlSeconds));
         if (permissions != null) {
             jwtBuilder.claim("permissions", permissions.stream()
                     .map(Permission::getName)
@@ -203,14 +220,14 @@ public boolean validateToken(final String token) {
     /**
      * Create a new future Date from the specified Date.
      *
-     * @param date The date to base the future date from
-     * @param days The number of dates to + offset
+     * @param date    The date to base the future date from
+     * @param seconds The number of seconds to + offset
      * @return a future date
      */
-    private Date addDays(final Date date, final int days) {
+    private Date addSeconds(final Date date, final int seconds) {
         final Calendar cal = Calendar.getInstance();
         cal.setTime(date);
-        cal.add(Calendar.DATE, days); //minus number would decrement the days
+        cal.add(Calendar.SECOND, seconds); //minus number would decrement the seconds
         return cal.getTime();
     }