Add a maximum ttl to auth:login

.kuzzlerc.sample

@@ -149,6 +149,10 @@
     //   * gracePeriod:
     //      Duration in ms during which a renewed jwt is still
     //      considered valid
+    //   * maxTTL:
+    //      Maximum duration in milliseconds a token can be requested
+    //      to be valid.
+    //      If set to -1 (default), no maximum duration is set.
     //   * secret:
     //      String or buffer data containing either the secret for HMAC
     //      algorithms, or the PEM encoded private key for RSA and ECDSA.
@@ -158,6 +162,7 @@
       "algorithm": "HS256",
       "expiresIn": "1h",
       "gracePeriod": 1000,
+      "maxTTL": -1,
       "secret": null
     },
     // [default]

default.config.js

@@ -80,6 +80,7 @@ module.exports = {
       algorithm: 'HS256',
       expiresIn: '1h',
       gracePeriod: 1000,
+      maxTTL: -1,
       secret: null
     },
     default: {

lib/api/core/models/repositories/tokenRepository.js

@@ -29,6 +29,7 @@ const
   Token = require('../security/token'),
   Repository = require('./repository'),
   {
+    BadRequestError,
     InternalError: KuzzleInternalError,
     UnauthorizedError
   } = require('kuzzle-common-objects').errors;
@@ -71,12 +72,10 @@ class TokenRepository extends Repository {
   /**
    * @param {User} user
    * @param {Request} request
-   * @param {object} opts
+   * @param {object} options
    * @returns {*}
    */
-  generateToken(user, request, opts) {
-    const options = opts || {};
-
+  generateToken(user, request, options = {}) {
     if (!user || user._id === null) {
       return Bluebird.reject(new KuzzleInternalError('Unknown User : cannot generate token'));
     }
@@ -94,6 +93,12 @@ class TokenRepository extends Repository {
     }
 
     const expiresIn = parseTimespan(options.expiresIn);
+
+    if (this.kuzzle.config.security.jwt.maxTTL > -1
+      && expiresIn > this.kuzzle.config.security.jwt.maxTTL) {
+      return Bluebird.reject(new BadRequestError('expiresIn value exceeds maximum allowed value'));
+    }
+
     let encodedToken;
 
     try {

test/api/core/models/repositories/tokenRepository.test.js

@@ -10,6 +10,7 @@ const
   RequestContext = require('kuzzle-common-objects').models.RequestContext,
   TokenRepository = require('../../../../../lib/api/core/models/repositories/tokenRepository'),
   {
+    BadRequestError,
     InternalError: KuzzleInternalError,
     UnauthorizedError
   } = require('kuzzle-common-objects').errors;
@@ -198,6 +199,53 @@ describe('Test: repositories/tokenRepository', () => {
       return should(tokenRepository.generateToken(user, request))
         .be.rejectedWith(KuzzleInternalError, {message: 'Unable to generate token for unknown user'});
     });
+
+    it('should allow a big ttl if no maxTTL is set', () => {
+      const user = new User();
+      user._id = 'id';
+
+      const request = new Request({}, {
+        user,
+        connectionId: 'connectionId'
+      });
+
+      return tokenRepository.generateToken(user, request, {expiresIn: '1000y'})
+        .then(token => {
+          should(token).be.an.instanceOf(Token);
+        });
+    });
+
+    it('should allow a ttl lower than the maxTTL', () => {
+      const user = new User();
+      user._id = 'id';
+
+      const request = new Request({}, {
+        user,
+        connectionId: 'connectionId'
+      });
+
+      kuzzle.config.security.jwt.maxTTL = 42000;
+
+      return tokenRepository.generateToken(user, request, {expiresIn: '30s'})
+        .then(token => {
+          should(token).be.an.instanceOf(Token);
+        });
+    });
+
+    it('should reject if the ttl exceeds the maxTTL', () => {
+      const user = new User();
+      user._id = 'id';
+
+      const request = new Request({}, {
+        user,
+        connectionId: 'connectionId'
+      });
+
+      kuzzle.config.security.jwt.maxTTL = 42000;
+
+      return should(tokenRepository.generateToken(user, request, {expiresIn: '1m'}))
+        .be.rejectedWith(BadRequestError, {message: 'expiresIn value exceeds maximum allowed value'});
+    });
   });
 
   describe('#serializeToCache', () => {