Bug in handling of non-expiring capability tokens
Closed this issue · 1 comments
NeilMadden commented
The `CapabilityController` currently uses `Instant.MAX` to create non-expiring timestamps. However, due to a bug in the JDK this will actually be converted to a timestamp in the past and the tokens will still be deleted if stored in the `DatabaseTokenStore`.
The code should be updated to either use something like `Instant.now().plus(1000, YEARS)` or else to provide a manual conversion from instants to timestamps (the bug recommends using `new Timestamp(token.expiry.toEpochMilli())`).
NeilMadden commented
Changed to arbitrary expiry of Epoch + 10,000 years. I am going to revise chapter 9 to use shorter-expiry tokens in a future update so this problem will disappear.
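The failure mode described in this issue, as an added example that is not code from the project or from the JDK: an unchecked seconds-to-milliseconds multiplication wraps for `Instant.MAX` and yields a value in the past, while a checked conversion with a clamped ceiling keeps the expiry in the future. The class name, the helper names, and the ceiling (Epoch plus roughly 10,000 years, modelled on the figure in the comment above) are assumptions, as is the unchecked multiplication being the cause of the wraparound.

```java
import java.sql.Timestamp;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;

public class ExpiryTimestamps {
    // Assumed ceiling for "non-expiring" tokens: Epoch + ~10,000 years of 365 days.
    // Instant.plus only accepts units up to DAYS, so the offset is a Duration of days.
    static final Instant FAR_FUTURE = Instant.EPOCH.plus(Duration.ofDays(365L * 10_000));

    // Unchecked seconds -> milliseconds conversion: long arithmetic wraps silently.
    static long uncheckedEpochMillis(Instant instant) {
        return instant.getEpochSecond() * 1000L;
    }

    // Checked conversion: clamp to the ceiling first so the stored expiry can never
    // overflow into the past. toEpochMilli() throws ArithmeticException on overflow,
    // which cannot happen once the value is clamped.
    static Timestamp toSqlTimestamp(Instant expiry) {
        Instant clamped = expiry.isAfter(FAR_FUTURE) ? FAR_FUTURE : expiry;
        return new Timestamp(clamped.toEpochMilli());
    }

    public static void main(String[] args) {
        Instant now = Instant.now();

        // The wrapped value is negative, so an expiry cleanup job treats it as expired.
        long wrapped = uncheckedEpochMillis(Instant.MAX);
        System.out.println("unchecked millis for Instant.MAX: " + wrapped);
        System.out.println("looks expired: " + (wrapped < now.toEpochMilli()));

        // The checked API refuses the value instead of wrapping.
        try {
            Instant.MAX.toEpochMilli();
        } catch (ArithmeticException e) {
            System.out.println("toEpochMilli rejects Instant.MAX: " + e.getMessage());
        }

        // Clamped conversion: far-future expiry survives the round trip.
        Timestamp stored = toSqlTimestamp(Instant.MAX);
        System.out.println("clamped expiry: " + stored.toInstant());
        System.out.println("still valid: " + stored.toInstant().isAfter(now));

        // Ordinary short-lived expiries pass through unchanged (millisecond precision).
        Instant shortLived = now.plus(Duration.ofMinutes(10));
        System.out.println("short expiry preserved: " + toSqlTimestamp(shortLived)
                .toInstant().equals(shortLived.truncatedTo(ChronoUnit.MILLIS)));
    }
}
```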