Summary
The remote auth token TTL in src/remote/auth.rs is set to 30 days but the code comment states 24 hours. This is either a bug (TTL should be 24h) or a misleading comment that masks a security design decision.
Code
// auth.rs:15
pub const TOKEN_TTL_SECS: u64 = 30 * 24 * 3600; // 30 days = 2,592,000 seconds
// auth.rs:268
// Check token expiration (24 hours) ← WRONG
let age = now.duration_since(record.created_at).unwrap_or(Duration::MAX);
if age >= Duration::from_secs(TOKEN_TTL_SECS) {
return false;
}Impact
If the intended TTL is 24 hours, tokens live 30x longer than expected. A stolen token remains valid for an entire month, significantly widening the compromise window.
If 30 days is intentional, the comment should be fixed and the security implications documented — a 30-day bearer token for a terminal multiplexer with full shell access is a significant risk.
Severity
High — either the TTL is wrong or the documentation is wrong. Both are security-relevant.
Suggested Fix
- Decide on the correct TTL based on your threat model
- If 24 hours: change
TOKEN_TTL_SECS to 24 * 3600
- If 30 days: fix the comment, and consider adding token rotation or refresh mechanisms
- Consider shorter TTLs with automatic refresh for active sessions
Summary
The remote auth token TTL in
src/remote/auth.rsis set to 30 days but the code comment states 24 hours. This is either a bug (TTL should be 24h) or a misleading comment that masks a security design decision.Code
Impact
If the intended TTL is 24 hours, tokens live 30x longer than expected. A stolen token remains valid for an entire month, significantly widening the compromise window.
If 30 days is intentional, the comment should be fixed and the security implications documented — a 30-day bearer token for a terminal multiplexer with full shell access is a significant risk.
Severity
High — either the TTL is wrong or the documentation is wrong. Both are security-relevant.
Suggested Fix
TOKEN_TTL_SECSto24 * 3600