Remove unrequired fields from session token, parametrize TTL

http/api/session.go

@@ -145,5 +145,6 @@ type SessionTokenRequest struct {
 	Match  string                 `json:"match"`
 	Remote []string               `json:"remote"`
 	Extra  map[string]interface{} `json:"extra"`
+	TTL    int64                  `json:"ttl_sec"`
 	Token  string                 `json:"token,omitempty"`
 }

http/handler/api/session.go

@@ -3,6 +3,7 @@ package api
 import (
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/datarhei/core/v16/http/api"
 	"github.com/datarhei/core/v16/http/handler/util"
@@ -124,7 +125,7 @@ func (s *SessionHandler) CreateToken(c echo.Context) error {
 			"extra":  req.Extra,
 		}
 
-		request[i].Token = identity.GetServiceSession(data)
+		request[i].Token = identity.GetServiceSession(data, time.Duration(req.TTL)*time.Second)
 	}
 
 	return c.JSON(http.StatusOK, request)

iam/identity/identity.go

@@ -104,7 +104,7 @@ type Verifier interface {
 
 	GetServiceBasicAuth() string
 	GetServiceToken() string
-	GetServiceSession(interface{}) string
+	GetServiceSession(interface{}, time.Duration) string
 
 	IsSuperuser() bool
 }
@@ -427,7 +427,7 @@ func (i *identity) VerifyServiceSession(jwt string) (bool, interface{}, error) {
 	return true, claims["data"], nil
 }
 
-func (i *identity) GetServiceSession(data interface{}) string {
+func (i *identity) GetServiceSession(data interface{}, ttl time.Duration) string {
 	i.lock.RLock()
 	defer i.lock.RUnlock()
 
@@ -440,7 +440,7 @@ func (i *identity) GetServiceSession(data interface{}) string {
 	}
 
 	now := time.Now()
-	accessExpires := now.Add(time.Minute * 10)
+	accessExpires := now.Add(ttl)
 
 	// Create access token
 	accessToken := jwtgo.NewWithClaims(jwtgo.SigningMethodHS256, jwtgo.MapClaims{
@@ -448,8 +448,6 @@ func (i *identity) GetServiceSession(data interface{}) string {
 		"sub":  i.user.Name,
 		"iat":  now.Unix(),
 		"exp":  accessExpires.Unix(),
-		"exi":  uint64(accessExpires.Sub(now).Seconds()),
-		"jti":  uuid.New().String(),
 		"data": data,
 	})