Refactor the jwtvendor expiry and set up upper limit

Signed-off-by: Ryan Liang <[email protected]>
peternied · Aug 23, 2023 · ca95380 · ca95380
1 parent 884f7a1
commit ca95380
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java
@@ -42,6 +42,8 @@ public class JwtVendor {
     private final JoseJwtProducer jwtProducer;
     private final LongSupplier timeProvider;
     private final EncryptionDecryptionUtil encryptionDecryptionUtil;
+    private final Integer defaultExpirySeconds = 300;
+    private final Integer maxExpirySeconds = 600;
 
     public JwtVendor(final Settings settings, final Optional<LongSupplier> timeProvider) {
         JoseJwtProducer jwtProducer = new JoseJwtProducer();
@@ -126,7 +128,11 @@ public String createJwt(
 
         jwtClaims.setNotBefore(nowAsMillis);
 
-        expirySeconds = (expirySeconds == null) ? 300 : expirySeconds;
+        if (expirySeconds > maxExpirySeconds) {
+            throw new Exception("The provided expiration time exceeds the maximum allowed duration of " + maxExpirySeconds + " seconds");
+        }
+
+        expirySeconds = (expirySeconds == null) ? defaultExpirySeconds : Math.min(expirySeconds, maxExpirySeconds);
         if (expirySeconds <= 0) {
             throw new Exception("The expiration time should be a positive integer");
         }