From 0fde31891bc6b72de81f0e4e6b4bb2352cd0db6d Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Tue, 17 Mar 2026 19:00:09 -0700
Subject: [PATCH] Apply Go's JWT expiry defaults: 10s write, 60s read

Go calls v.SetDefault("jwt.signing.expires_after_seconds", 10) and v.SetDefault("jwt.signing.read.expires_after_seconds", 60). Rust defaulted to 0 for both, which meant tokens would never expire when security.toml has a signing key but omits expires_after_seconds.
---
 seaweed-volume/src/config.rs | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/seaweed-volume/src/config.rs b/seaweed-volume/src/config.rs
index 9beee7f50..a2361b4ff 100644
--- a/seaweed-volume/src/config.rs
+++ b/seaweed-volume/src/config.rs
@@ -957,13 +957,13 @@ pub fn parse_security_config(path: &str) -> SecurityConfig {
 Section::JwtSigningRead => match key {
 "key" => cfg.jwt_read_signing_key = value.as_bytes().to_vec(),
 "expires_after_seconds" => {
- cfg.jwt_read_signing_expires = value.parse().unwrap_or(0)
+ cfg.jwt_read_signing_expires = value.parse().unwrap_or(60)
 }
 _ => {}
 },
 Section::JwtSigning => match key {
 "key" => cfg.jwt_signing_key = value.as_bytes().to_vec(),
- "expires_after_seconds" => cfg.jwt_signing_expires = value.parse().unwrap_or(0),
+ "expires_after_seconds" => cfg.jwt_signing_expires = value.parse().unwrap_or(10),
 _ => {}
 },
 Section::HttpsClient => match key {
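Review bot: A malformed `expires_after_seconds` value is still swallowed by `unwrap_or(60)` / `unwrap_or(10)`, so a typo in security.toml silently produces the default lifetime with no signal to the operator. Because this setting bounds how long a leaked token stays usable, consider logging a warning on parse failure, e.g. `value.parse().unwrap_or_else(|_| { /* warn: invalid expires_after_seconds */ 60 })`. The field type is not visible in the hunk; if it is signed, a negative value would parse successfully and also bypass the `== 0` default check added in the second hunk, so it may deserve explicit rejection. The literals 10 and 60 are repeated in both hunks; named constants would keep the two places in sync. parse_security_config starts and ends outside the hunk.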
@@ -1021,6 +1021,15 @@ pub fn parse_security_config(path: &str) -> SecurityConfig {
 }
 }

+ // Match Go's v.SetDefault: when a signing key is present but
+ // expires_after_seconds was never specified, apply Go's defaults.
+ if !cfg.jwt_signing_key.is_empty() && cfg.jwt_signing_expires == 0 {
+ cfg.jwt_signing_expires = 10;
+ }
+ if !cfg.jwt_read_signing_key.is_empty() && cfg.jwt_read_signing_expires == 0 {
+ cfg.jwt_read_signing_expires = 60;
+ }
+
 // Override with WEED_ environment variables (matches Go's Viper convention:
 // prefix WEED_, uppercase, replace . with _).
 // e.g. WEED_JWT_SIGNING_KEY overrides [jwt.signing] key
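Review bot: The default block sits before the WEED_ environment overrides, so a signing key supplied only through WEED_JWT_SIGNING_KEY (no key in security.toml) would still be empty when `!cfg.jwt_signing_key.is_empty()` is evaluated, leaving the expiry at 0, which per the commit message means tokens never expire. The override code is outside the hunk, so this needs confirming, but moving both `if` blocks to after the env-override section would cover keys from either source. Separately, `== 0` cannot distinguish an omitted setting from an explicit `expires_after_seconds = 0`, whereas a SetDefault-style default applies only when the key is absent. If replacing an explicit 0 is intended as a fail-safe, state it in the comment, e.g. `// Note: an explicit 0 is also replaced by the default.`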