Refactor the jwtvendor expiry and set up upper limit

RyanL1997 · RyanL1997 · commit ca95380aaa38 · 2023-08-23T16:12:46.000-07:00
Signed-off-by: Ryan Liang &lt;jiallian@amazon.com&gt;
diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java
@@ -42,6 +42,8 @@ public class JwtVendor {
     private final JoseJwtProducer jwtProducer;
     private final LongSupplier timeProvider;
     private final EncryptionDecryptionUtil encryptionDecryptionUtil;
+    private final Integer defaultExpirySeconds = 300;
+    private final Integer maxExpirySeconds = 600;
 
     public JwtVendor(final Settings settings, final Optional<LongSupplier> timeProvider) {
         JoseJwtProducer jwtProducer = new JoseJwtProducer();
@@ -126,7 +128,11 @@ public String createJwt(
 
         jwtClaims.setNotBefore(nowAsMillis);
 
-        expirySeconds = (expirySeconds == null) ? 300 : expirySeconds;
+        if (expirySeconds > maxExpirySeconds) {
+            throw new Exception("The provided expiration time exceeds the maximum allowed duration of " + maxExpirySeconds + " seconds");
+        }
+
+        expirySeconds = (expirySeconds == null) ? defaultExpirySeconds : Math.min(expirySeconds, maxExpirySeconds);
         if (expirySeconds <= 0) {
             throw new Exception("The expiration time should be a positive integer");
         }
