Feat: Increase dynamic API key expiration#10328
Conversation
📝 WalkthroughWalkthroughThe changes add a uniform 60-second buffer to JWT expiration calculations across multiple paths. In app/controllers/general.php, src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php, and src/Appwrite/Platform/Workers/Functions.php, jwtExpiry is now computed as the function timeout plus 60 seconds. This applies to both user-session and API-key JWT generation paths. No other logic, control flow, or public API signatures were modified. Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Tip 🔌 Remote MCP (Model Context Protocol) integration is now available!Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats. ✨ Finishing Touches
🧪 Generate unit tests
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR/Issue comments)Type Other keywords and placeholders
Status, Documentation and Community
|
Security Scan Results for PRDocker Image Scan Results
Source Code Scan Results🎉 No vulnerabilities found! |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🔭 Outside diff range comments (1)
src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php (1)
208-214: Apply a 1min (+60s) buffer to all short‑lived JWT issuances (cold‑start protection)Short note: the repo scan shows several JWTs already use timeout+60, but multiple JWT constructions do not — please either add the +60 buffer where the token TTL is tied to a function/resource timeout (or confirm the current TTLs are intentional).
Files/locations that need attention (from scan):
- src/Appwrite/Platform/Modules/Functions/Workers/Builds.php
- ~lines 586-587: $jwtExpiry = (int)System::getEnv('_APP_COMPUTE_BUILD_TIMEOUT', 900); new JWT(..., $jwtExpiry, 0); — add +60.
- ~line 918: new JWT(..., 900, 0); — change to use 900 + 60 (or a named $jwtExpiry +60).
- src/Appwrite/Platform/Workers/Migrations.php:225
- new JWT(..., 86400, 0) — review (long‑lived API key; if intentional, no change; otherwise apply buffer).
- app/controllers/api/account.php:2724
- new JWT(..., 900, 0) — verify whether this session JWT should include the +60 buffer.
- app/controllers/api/users.php:2464
- new JWT(..., $duration, 0) — confirm what $duration represents and add buffer if it maps to a short‑lived timeout.
- app/controllers/api/projects.php:1761
- new JWT(..., $duration, 0) — same as above.
- src/Appwrite/Auth/Key.php:127-130
- API key / dynamic key JWT construction — confirm TTL semantics and add buffer if applicable.
- Tests and test helpers (examples: tests/e2e/... and tests/unit/...) create JWTs with 900 — update tests if you change production TTL behavior.
Files already using the +60 buffer (for reference):
- src/Appwrite/Platform/Workers/Functions.php (lines ~104 and ~393)
- src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php (lines ~208 and ~217)
- app/controllers/general.php (line ~364)
Suggested minimal change example (Builds.php):
- Before:
$jwtExpiry = (int)System::getEnv('_APP_COMPUTE_BUILD_TIMEOUT', 900);
$jwtObj = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', $jwtExpiry, 0);- After:
$jwtExpiry = (int)System::getEnv('_APP_COMPUTE_BUILD_TIMEOUT', 900) + 60; // 1min extra to account for possible cold‑starts
$jwtObj = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', $jwtExpiry, 0);Action requested: apply the +60 buffer to the short‑lived JWT issuances above (or confirm why each omission is intentional).
🧹 Nitpick comments (5)
app/controllers/general.php (1)
364-371: Adding a 60s leeway to dynamic API key expiry is sensible for cold startsThe buffer aligns token validity with real-world startup delays and should reduce spurious expirations on short timeouts.
To avoid magic numbers and keep consistency across all call sites that build dynamic JWTs, consider centralizing the buffer:
- $jwtExpiry = $resource->getAttribute('timeout', 900) + 60; // 1min extra to account for possible cold-starts + $buffer = (int) System::getEnv('_APP_DYNAMIC_JWT_BUFFER_SECONDS', 60); + $jwtExpiry = (int) $resource->getAttribute('timeout', 900) + $buffer; // buffer to account for possible cold-startssrc/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php (2)
208-214: User-session JWT: 60s buffer looks goodThis should prevent premature expiry when functions cold-start. No functional issues spotted.
To reduce duplication and magic numbers, consider using an env-configured buffer:
- $jwtExpiry = $function->getAttribute('timeout', 900) + 60; // 1min extra to account for possible cold-starts + $buffer = (int) System::getEnv('_APP_DYNAMIC_JWT_BUFFER_SECONDS', 60); + $jwtExpiry = (int) $function->getAttribute('timeout', 900) + $buffer; // buffer to account for possible cold-starts
217-223: Dynamic API key JWT: consistent 60s bufferMatches the user JWT path; good consistency within this file.
Consider centralizing the leeway value and applying light input sanitation:
- $jwtExpiry = $function->getAttribute('timeout', 900) + 60; // 1min extra to account for possible cold-starts + $buffer = (int) System::getEnv('_APP_DYNAMIC_JWT_BUFFER_SECONDS', 60); + $jwtExpiry = (int) $function->getAttribute('timeout', 900) + $buffer; // buffer to account for possible cold-startssrc/Appwrite/Platform/Workers/Functions.php (2)
104-109: User JWT path: +60s buffer is appropriateThis mirrors the HTTP path behavior and helps under cold-starts when JWT is minted on the worker side.
Consider pulling the buffer from an env var for consistency:
- $jwtExpiry = $function->getAttribute('timeout', 900) + 60; // 1min extra to account for possible cold-starts + $buffer = (int) System::getEnv('_APP_DYNAMIC_JWT_BUFFER_SECONDS', 60); + $jwtExpiry = (int) $function->getAttribute('timeout', 900) + $buffer; // buffer to account for possible cold-starts
393-399: Dynamic API key JWT: +60s buffer matches the PR intentGood alignment with the other code paths updating expiry to reduce flakes on short timeouts.
Avoid magic numbers and ensure future consistency:
- $jwtExpiry = $function->getAttribute('timeout', 900) + 60; // 1min extra to account for possible cold-starts + $buffer = (int) System::getEnv('_APP_DYNAMIC_JWT_BUFFER_SECONDS', 60); + $jwtExpiry = (int) $function->getAttribute('timeout', 900) + $buffer; // buffer to account for possible cold-starts
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
⛔ Files ignored due to path filters (1)
composer.lockis excluded by!**/*.lock
📒 Files selected for processing (3)
app/controllers/general.php(1 hunks)src/Appwrite/Platform/Modules/Functions/Http/Executions/Create.php(2 hunks)src/Appwrite/Platform/Workers/Functions.php(2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: Setup & Build Appwrite Image
- GitHub Check: Setup & Build Appwrite Image
- GitHub Check: scan
✨ Benchmark results
⚡ Benchmark Comparison
|
2 participants
What does this PR do?
Ensures dynamic api keys work woth a bit of leeway, useful when timeouts are set to be very short, like 5 seconds, but cold-starts could take some of that time
Test Plan
existing tests should pass
Related PRs and Issues
x
Checklist