fix: add jwt_cache_max_lifetime as an in-database configuration opt…

…ion (#3102)
PostgREST · Dec 12, 2023 · 4fb521c · 4fb521c
1 parent e31363a
commit 4fb521c
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
  - #3054, Fix not allowing special characters in JSON keys - @laurenceisla
  - #2344, Replace JSON parser error with a clearer generic message - @develop7
+ - #3100, Add missing in-database configuration option for `jwt-cache-max-lifetime` - @laurenceisla
 
 ## [12.0.0] - 2023-12-01
 

diff --git a/src/PostgREST/Config/Database.hs b/src/PostgREST/Config/Database.hs
@@ -60,6 +60,7 @@ dbSettingsNames =
   ,"jwt_role_claim_key"
   ,"jwt_secret"
   ,"jwt_secret_is_base64"
+  ,"jwt_cache_max_lifetime"
   ,"openapi_mode"
   ,"openapi_security_active"
   ,"openapi_server_proxy_uri"

diff --git a/test/io/configs/expected/no-defaults-with-db-other-authenticator.config b/test/io/configs/expected/no-defaults-with-db-other-authenticator.config
@@ -22,7 +22,7 @@ jwt-aud = "https://otherexample.org"
 jwt-role-claim-key = ".\"other\".\"pre_config_role\""
 jwt-secret = "ODERREALLYREALLYREALLYREALLYVERYSAFE"
 jwt-secret-is-base64 = true
-jwt-cache-max-lifetime = 86400
+jwt-cache-max-lifetime = 7200
 log-level = "info"
 openapi-mode = "disabled"
 openapi-security-active = false

diff --git a/test/io/configs/expected/no-defaults-with-db.config b/test/io/configs/expected/no-defaults-with-db.config
@@ -22,7 +22,7 @@ jwt-aud = "https://example.org"
 jwt-role-claim-key = ".\"a\".\"role\""
 jwt-secret = "OVERRIDE=REALLY=REALLY=REALLY=REALLY=VERY=SAFE"
 jwt-secret-is-base64 = false
-jwt-cache-max-lifetime = 86400
+jwt-cache-max-lifetime = 3600
 log-level = "info"
 openapi-mode = "ignore-privileges"
 openapi-security-active = true

diff --git a/test/io/db_config.sql b/test/io/db_config.sql
@@ -6,6 +6,7 @@ ALTER ROLE db_config_authenticator SET pgrst.openapi_server_proxy_uri = 'https:/
 ALTER ROLE db_config_authenticator SET pgrst.jwt_secret = 'REALLY=REALLY=REALLY=REALLY=VERY=SAFE';
 ALTER ROLE db_config_authenticator SET pgrst.jwt_secret_is_base64 = 'false';
 ALTER ROLE db_config_authenticator SET pgrst.jwt_role_claim_key = '."a"."role"';
+ALTER ROLE db_config_authenticator SET pgrst.jwt_cache_max_lifetime = '3600';
 ALTER ROLE db_config_authenticator SET pgrst.db_aggregates_enabled = 'false';
 ALTER ROLE db_config_authenticator SET pgrst.db_anon_role = 'anonymous';
 ALTER ROLE db_config_authenticator SET pgrst.db_tx_end = 'commit-allow-override';
@@ -54,6 +55,7 @@ ALTER ROLE other_authenticator SET pgrst.jwt_aud = 'https://otherexample.org';
 ALTER ROLE other_authenticator SET pgrst.openapi_server_proxy_uri = 'https://otherexample.org/api';
 ALTER ROLE other_authenticator SET pgrst.jwt_secret = 'ODERREALLYREALLYREALLYREALLYVERYSAFE';
 ALTER ROLE other_authenticator SET pgrst.jwt_secret_is_base64 = 'true';
+ALTER ROLE other_authenticator SET pgrst.jwt_cache_max_lifetime = '7200';
 ALTER ROLE other_authenticator SET pgrst.db_aggregates_enabled = 'false';
 ALTER ROLE other_authenticator SET pgrst.db_schemas = 'test, other_tenant1, other_tenant2';
 ALTER ROLE other_authenticator SET pgrst.db_root_spec = 'other_root';