
#158 feat: credential TTL — auto-expire persistent credentials after configurable duration

closed
nobody
None
2026-04-28
2026-04-20
Anonymous
No

Originally created by: kumaakh

Summary

Persistent credentials live forever until explicitly deleted. A forgotten or leaked credential has unlimited lifetime. Adding TTL support reduces blast radius.

Proposed API

```
credential_store_set name=session_token ttl_seconds=3600 # expires in 1 hour
credential_store_set name=long_lived_key ttl_seconds=604800 # expires in 7 days
credential_store_set name=permanent_key # no TTL (current default)
```

Behaviour

  • Expiry timestamp stored alongside the credential at set time
  • At resolution time, if now > expiry: reject with error "Credential 'session_token' has expired. Re-set with credential_store_set."
  • credential_store_list shows expiry timestamp and remaining time for each credential
  • Background sweep (on server startup or periodic): purge expired persistent credentials from disk
  • Session-scoped credentials already expire on server restart — TTL only applies to persistent tier

Notes

  • TTL is set once at creation; credential_store_set on an existing name resets the clock
  • No silent expiry — always explicit error so the caller knows to refresh
  • Pairs well with credential scoping (issue #B) for defense-in-depth

🤖 Generated with Claude Code

Discussion

  • Anonymous

    Anonymous - 2026-04-23

    Originally posted by: kumaakh

    Technical direction: Add TTL as a first-class field in the persistent credential store.

    Approach:

    • Add ttl_seconds (optional) to credential_store_set schema in src/tools/credential-store-set.ts.
    • In src/services/credential-store.ts, extend the stored credential object to include expiresAt?: string (ISO timestamp). Store it alongside the value at set time.
    • At resolution time (wherever credentials are read), check if (expiresAt && Date.now() > new Date(expiresAt).getTime()) → throw Error('Credential X has expired...').
    • In credential_store_list (src/tools/credential-store-list.ts), show expiresAt and computed remaining time for each credential.
    • On server startup or in credential_store_list, sweep and purge expired persistent credentials from disk (can reuse cleanupStaleTasks pattern from src/services/task-cleanup.ts).
    • credential_store_set on an existing name resets the clock (replaces expiresAt).

    Key files:

    • src/tools/credential-store-set.ts — add ttl_seconds to schema
    • src/services/credential-store.ts — persist expiresAt and enforce at read time
    • src/tools/credential-store-list.ts — display remaining TTL
    • src/index.ts — startup sweep for expired credentials
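As an added example, not part of the ticket and not the project's own code: a TypeScript model of the behaviour listed under "Behaviour" in the ticket body and in the technical-direction comment above. The `CredentialStore` class, its method names, the injected `clock` and the in-memory `Map` are assumptions standing in for src/services/credential-store.ts and the on-disk persistent tier; only the `expiresAt` ISO field, the "now > expiry" rule, the reset-on-re-set rule and the error text follow the ticket.

```typescript
// Added example (not the project's code): in-memory model of the TTL
// behaviour described in the ticket. The Map stands in for the on-disk
// persistent tier; `clock` replaces Date.now() so expiry is testable.

interface StoredCredential {
  value: string;
  expiresAt?: string; // ISO-8601; absent means no TTL (current default)
}

const expiredMessage = (name: string): string =>
  `Credential '${name}' has expired. Re-set with credential_store_set.`;

class CredentialStore {
  private readonly creds = new Map<string, StoredCredential>();
  constructor(private readonly clock: () => number = Date.now) {}

  // credential_store_set: optional ttl_seconds sets expiresAt at set time.
  // Setting an existing name replaces expiresAt, i.e. resets the clock.
  set(name: string, value: string, ttlSeconds?: number): StoredCredential {
    let expiresAt: string | undefined;
    if (ttlSeconds !== undefined) {
      if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) {
        throw new Error(`ttl_seconds must be a positive integer, got ${ttlSeconds}`);
      }
      expiresAt = new Date(this.clock() + ttlSeconds * 1000).toISOString();
    }
    const stored: StoredCredential = { value, expiresAt };
    this.creds.set(name, stored);
    return stored;
  }

  // Resolution: enforce expiry at read time, independent of any sweep, so an
  // expired credential is never handed out silently (explicit error instead).
  resolve(name: string): string {
    const c = this.creds.get(name);
    if (!c) throw new Error(`Credential '${name}' not found.`);
    if (this.isExpired(c)) throw new Error(expiredMessage(name));
    return c.value;
  }

  // credential_store_list: expiry timestamp plus remaining seconds per entry.
  list(): { name: string; expiresAt?: string; remainingSeconds?: number }[] {
    const now = this.clock();
    const out: { name: string; expiresAt?: string; remainingSeconds?: number }[] = [];
    this.creds.forEach((c, name) => {
      out.push({
        name,
        expiresAt: c.expiresAt,
        remainingSeconds: c.expiresAt === undefined
          ? undefined
          : Math.max(0, Math.ceil((new Date(c.expiresAt).getTime() - now) / 1000)),
      });
    });
    return out;
  }

  // Background sweep (startup or periodic): purge expired entries, return names.
  sweep(): string[] {
    const purged: string[] = [];
    this.creds.forEach((c, name) => {
      if (this.isExpired(c)) {
        this.creds.delete(name);
        purged.push(name);
      }
    });
    return purged;
  }

  private isExpired(c: StoredCredential): boolean {
    return c.expiresAt !== undefined && this.clock() > new Date(c.expiresAt).getTime();
  }
}

// Walk-through on constructed data with a fake clock.
function demo(): { beforeExpiry: string; afterExpiryError: string; remainingAfterReset?: number; purged: string[] } {
  let now = Date.UTC(2026, 3, 20, 12, 0, 0); // 2026-04-20T12:00:00Z (constructed)
  const store = new CredentialStore(() => now);
  store.set("session_token", "tok-1", 3600); // expires in 1 hour
  store.set("permanent_key", "perm-1");      // no TTL
  const beforeExpiry = store.resolve("session_token");

  now += 3600 * 1000 + 1; // one millisecond past expiry: now > expiresAt
  let afterExpiryError = "";
  try { store.resolve("session_token"); } catch (e) { afterExpiryError = (e as Error).message; }

  // Re-setting resets the clock: the new expiresAt is measured from now.
  store.set("session_token", "tok-2", 60);
  const remainingAfterReset = store.list().find((e) => e.name === "session_token")?.remainingSeconds;

  now += 61 * 1000; // past the new expiry; permanent_key is untouched by the sweep
  const purged = store.sweep();
  return { beforeExpiry, afterExpiryError, remainingAfterReset, purged };
}
```

Two points the walk-through makes that the list of bullets does not: the read-time check in `resolve` is what actually protects against a leaked credential, because a sweep that only runs at startup can lag the expiry by an arbitrary interval; and `ttl_seconds` is validated as a positive integer so that `0`, negative or fractional values cannot produce an already-expired or unparseable `expiresAt`. Expiry is judged against the host clock, so a clock rolled back would extend a credential's lifetime; that is a general property of any TTL scheme, not something the ticket addresses.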
     
  • Anonymous

    Anonymous - 2026-04-28

    Originally posted by: kumaakh

    Addressed in PR [#183] (sprint/session-lifecycle-oob-fix → main).

    Changes shipped: Credential TTL — auto-expire persistent credentials with clear error on expiry.

    PR is open for testing — will be merged once testing is complete.

     

    Related

    Tickets: #183

  • Anonymous

    Anonymous - 2026-04-28

    Ticket changed by: kumaakh

    • status: open --> closed
     
