diff --git a/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts b/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
index 9199c21f14..414f8534c5 100644
--- a/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
@@ -79,44 +79,44 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
params: z.object({
identityId: z.string().trim().describe(AWS_AUTH.ATTACH.identityId)
}),
- body: z.object({
- stsEndpoint: z
- .string()
- .trim()
- .min(1)
- .default("https://sts.amazonaws.com/")
- .describe(AWS_AUTH.ATTACH.stsEndpoint),
- allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.ATTACH.allowedPrincipalArns),
- allowedAccountIds: validateAccountIds.describe(AWS_AUTH.ATTACH.allowedAccountIds),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
- .describe(AWS_AUTH.ATTACH.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(1)
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenTTL must have a non zero number"
- })
- .default(2592000)
- .describe(AWS_AUTH.ATTACH.accessTokenTTL),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .default(2592000)
- .describe(AWS_AUTH.ATTACH.accessTokenMaxTTL),
- accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AWS_AUTH.ATTACH.accessTokenNumUsesLimit)
- }),
+ body: z
+ .object({
+ stsEndpoint: z
+ .string()
+ .trim()
+ .min(1)
+ .default("https://sts.amazonaws.com/")
+ .describe(AWS_AUTH.ATTACH.stsEndpoint),
+ allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.ATTACH.allowedPrincipalArns),
+ allowedAccountIds: validateAccountIds.describe(AWS_AUTH.ATTACH.allowedAccountIds),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+ .describe(AWS_AUTH.ATTACH.accessTokenTrustedIps),
+ accessTokenTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(AWS_AUTH.ATTACH.accessTokenTTL),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(1)
+ .max(315360000)
+ .default(2592000)
+ .describe(AWS_AUTH.ATTACH.accessTokenMaxTTL),
+ accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AWS_AUTH.ATTACH.accessTokenNumUsesLimit)
+ })
+ .refine(
+ (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityAwsAuth: IdentityAwsAuthsSchema
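Review bot: The new ordering check `val.accessTokenTTL <= val.accessTokenMaxTTL` now admits 0 on the accessTokenTTL side (`.min(0)` replaces the `value !== 0` refine), but the hunk does not say what 0 means; if it is a sentinel for "no expiry", the comparison treats it as the shortest lifetime and `{ accessTokenTTL: 0, accessTokenMaxTTL: 3600 }` validates although it would grant the longer lifetime — worth confirming against the token-issuing code, which is outside this hunk. Within this hunk accessTokenMaxTTL keeps `.min(1)` while the ATTACH schemas of the azure, gcp, kubernetes, oidc, token and universal routers in this commit lower it to `.min(0)`, so this file and the others disagree; pick one and pin the meaning on the field, e.g. `// 0 = <meaning of a zero TTL — confirm with the issuing service>`. The same ordering question applies to the ATTACH hunks of those other routers. The enclosing route definition starts and ends outside the hunk.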
@@ -172,30 +172,33 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
params: z.object({
identityId: z.string().describe(AWS_AUTH.UPDATE.identityId)
}),
- body: z.object({
- stsEndpoint: z.string().trim().min(1).optional().describe(AWS_AUTH.UPDATE.stsEndpoint),
- allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.UPDATE.allowedPrincipalArns),
- allowedAccountIds: validateAccountIds.describe(AWS_AUTH.UPDATE.allowedAccountIds),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .optional()
- .describe(AWS_AUTH.UPDATE.accessTokenTrustedIps),
- accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AWS_AUTH.UPDATE.accessTokenTTL),
- accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AWS_AUTH.UPDATE.accessTokenNumUsesLimit),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .optional()
- .describe(AWS_AUTH.UPDATE.accessTokenMaxTTL)
- }),
+ body: z
+ .object({
+ stsEndpoint: z.string().trim().min(1).optional().describe(AWS_AUTH.UPDATE.stsEndpoint),
+ allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.UPDATE.allowedPrincipalArns),
+ allowedAccountIds: validateAccountIds.describe(AWS_AUTH.UPDATE.allowedAccountIds),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .optional()
+ .describe(AWS_AUTH.UPDATE.accessTokenTrustedIps),
+ accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AWS_AUTH.UPDATE.accessTokenTTL),
+ accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AWS_AUTH.UPDATE.accessTokenNumUsesLimit),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .max(315360000)
+ .min(0)
+ .optional()
+ .describe(AWS_AUTH.UPDATE.accessTokenMaxTTL)
+ })
+ .refine(
+ (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityAwsAuth: IdentityAwsAuthsSchema
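Review bot: The UPDATE refine `(val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true)` tests truthiness rather than presence, so now that both fields accept 0 a body such as `{ accessTokenTTL: 5000, accessTokenMaxTTL: 0 }` skips the comparison and passes validation. Use an explicit presence check: `(val) => val.accessTokenMaxTTL === undefined || val.accessTokenTTL === undefined || val.accessTokenTTL <= val.accessTokenMaxTTL`. When only one of the two fields is sent the schema cannot compare it with the stored value of the other, so the invariant presumably has to be re-checked in the service layer, which is outside this hunk. The same truthy check appears in the UPDATE hunks of the azure, gcp, kubernetes, oidc and token routers; the `.max(315360000).min(0)` ordering on accessTokenMaxTTL here and in the azure UPDATE hunk also reverses the `.min().max()` order used everywhere else. The enclosing route definition starts and ends outside the hunk.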
diff --git a/backend/src/server/routes/v1/identity-azure-auth-router.ts b/backend/src/server/routes/v1/identity-azure-auth-router.ts
index 6aee4504f5..f46fb57ca6 100644
--- a/backend/src/server/routes/v1/identity-azure-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-azure-auth-router.ts
@@ -76,39 +76,44 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
params: z.object({
identityId: z.string().trim().describe(AZURE_AUTH.LOGIN.identityId)
}),
- body: z.object({
- tenantId: z.string().trim().describe(AZURE_AUTH.ATTACH.tenantId),
- resource: z.string().trim().describe(AZURE_AUTH.ATTACH.resource),
- allowedServicePrincipalIds: validateAzureAuthField.describe(AZURE_AUTH.ATTACH.allowedServicePrincipalIds),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
- .describe(AZURE_AUTH.ATTACH.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(1)
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenTTL must have a non zero number"
- })
- .default(2592000)
- .describe(AZURE_AUTH.ATTACH.accessTokenTTL),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .default(2592000)
- .describe(AZURE_AUTH.ATTACH.accessTokenMaxTTL),
- accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AZURE_AUTH.ATTACH.accessTokenNumUsesLimit)
- }),
+ body: z
+ .object({
+ tenantId: z.string().trim().describe(AZURE_AUTH.ATTACH.tenantId),
+ resource: z.string().trim().describe(AZURE_AUTH.ATTACH.resource),
+ allowedServicePrincipalIds: validateAzureAuthField.describe(AZURE_AUTH.ATTACH.allowedServicePrincipalIds),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+ .describe(AZURE_AUTH.ATTACH.accessTokenTrustedIps),
+ accessTokenTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(AZURE_AUTH.ATTACH.accessTokenTTL),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(AZURE_AUTH.ATTACH.accessTokenMaxTTL),
+ accessTokenNumUsesLimit: z
+ .number()
+ .int()
+ .min(0)
+ .default(0)
+ .describe(AZURE_AUTH.ATTACH.accessTokenNumUsesLimit)
+ })
+ .refine(
+ (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityAzureAuth: IdentityAzureAuthsSchema
@@ -163,32 +168,40 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
params: z.object({
identityId: z.string().trim().describe(AZURE_AUTH.UPDATE.identityId)
}),
- body: z.object({
- tenantId: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.tenantId),
- resource: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.resource),
- allowedServicePrincipalIds: validateAzureAuthField
- .optional()
- .describe(AZURE_AUTH.UPDATE.allowedServicePrincipalIds),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .optional()
- .describe(AZURE_AUTH.UPDATE.accessTokenTrustedIps),
- accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AZURE_AUTH.UPDATE.accessTokenTTL),
- accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AZURE_AUTH.UPDATE.accessTokenNumUsesLimit),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .optional()
- .describe(AZURE_AUTH.UPDATE.accessTokenMaxTTL)
- }),
+ body: z
+ .object({
+ tenantId: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.tenantId),
+ resource: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.resource),
+ allowedServicePrincipalIds: validateAzureAuthField
+ .optional()
+ .describe(AZURE_AUTH.UPDATE.allowedServicePrincipalIds),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .optional()
+ .describe(AZURE_AUTH.UPDATE.accessTokenTrustedIps),
+ accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AZURE_AUTH.UPDATE.accessTokenTTL),
+ accessTokenNumUsesLimit: z
+ .number()
+ .int()
+ .min(0)
+ .optional()
+ .describe(AZURE_AUTH.UPDATE.accessTokenNumUsesLimit),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .max(315360000)
+ .min(0)
+ .optional()
+ .describe(AZURE_AUTH.UPDATE.accessTokenMaxTTL)
+ })
+ .refine(
+ (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityAzureAuth: IdentityAzureAuthsSchema
diff --git a/backend/src/server/routes/v1/identity-gcp-auth-router.ts b/backend/src/server/routes/v1/identity-gcp-auth-router.ts
index 88c5af45fa..057458bb2c 100644
--- a/backend/src/server/routes/v1/identity-gcp-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-gcp-auth-router.ts
@@ -74,40 +74,40 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
params: z.object({
identityId: z.string().trim().describe(GCP_AUTH.ATTACH.identityId)
}),
- body: z.object({
- type: z.enum(["iam", "gce"]),
- allowedServiceAccounts: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedServiceAccounts),
- allowedProjects: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedProjects),
- allowedZones: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedZones),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
- .describe(GCP_AUTH.ATTACH.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(1)
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenTTL must have a non zero number"
- })
- .default(2592000)
- .describe(GCP_AUTH.ATTACH.accessTokenTTL),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .default(2592000)
- .describe(GCP_AUTH.ATTACH.accessTokenMaxTTL),
- accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(GCP_AUTH.ATTACH.accessTokenNumUsesLimit)
- }),
+ body: z
+ .object({
+ type: z.enum(["iam", "gce"]),
+ allowedServiceAccounts: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedServiceAccounts),
+ allowedProjects: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedProjects),
+ allowedZones: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedZones),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+ .describe(GCP_AUTH.ATTACH.accessTokenTrustedIps),
+ accessTokenTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(GCP_AUTH.ATTACH.accessTokenTTL),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(GCP_AUTH.ATTACH.accessTokenMaxTTL),
+ accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(GCP_AUTH.ATTACH.accessTokenNumUsesLimit)
+ })
+ .refine(
+ (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityGcpAuth: IdentityGcpAuthsSchema
@@ -164,31 +164,34 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
params: z.object({
identityId: z.string().trim().describe(GCP_AUTH.UPDATE.identityId)
}),
- body: z.object({
- type: z.enum(["iam", "gce"]).optional(),
- allowedServiceAccounts: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedServiceAccounts),
- allowedProjects: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedProjects),
- allowedZones: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedZones),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .optional()
- .describe(GCP_AUTH.UPDATE.accessTokenTrustedIps),
- accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(GCP_AUTH.UPDATE.accessTokenTTL),
- accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(GCP_AUTH.UPDATE.accessTokenNumUsesLimit),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .optional()
- .describe(GCP_AUTH.UPDATE.accessTokenMaxTTL)
- }),
+ body: z
+ .object({
+ type: z.enum(["iam", "gce"]).optional(),
+ allowedServiceAccounts: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedServiceAccounts),
+ allowedProjects: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedProjects),
+ allowedZones: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedZones),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .optional()
+ .describe(GCP_AUTH.UPDATE.accessTokenTrustedIps),
+ accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(GCP_AUTH.UPDATE.accessTokenTTL),
+ accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(GCP_AUTH.UPDATE.accessTokenNumUsesLimit),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .optional()
+ .describe(GCP_AUTH.UPDATE.accessTokenMaxTTL)
+ })
+ .refine(
+ (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityGcpAuth: IdentityGcpAuthsSchema
diff --git a/backend/src/server/routes/v1/identity-jwt-auth-router.ts b/backend/src/server/routes/v1/identity-jwt-auth-router.ts
index d60bb969da..2950fc72da 100644
--- a/backend/src/server/routes/v1/identity-jwt-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-jwt-auth-router.ts
@@ -34,23 +34,12 @@ const CreateBaseSchema = z.object({
.min(1)
.default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
.describe(JWT_AUTH.ATTACH.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(1)
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenTTL must have a non zero number"
- })
- .default(2592000)
- .describe(JWT_AUTH.ATTACH.accessTokenTTL),
+ accessTokenTTL: z.number().int().min(0).max(315360000).default(2592000).describe(JWT_AUTH.ATTACH.accessTokenTTL),
accessTokenMaxTTL: z
.number()
.int()
+ .min(0)
.max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
.default(2592000)
.describe(JWT_AUTH.ATTACH.accessTokenMaxTTL),
accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(JWT_AUTH.ATTACH.accessTokenNumUsesLimit)
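Review bot: CreateBaseSchema drops the non-zero refines and lowers both TTL fields to `.min(0)` but, unlike the aws, azure, gcp, kubernetes, oidc and token routers in this commit, gains no `accessTokenTTL <= accessTokenMaxTTL` check, so a JWT auth config can be created with a TTL above its max TTL. Since this is a base schema that is presumably composed further down (`.extend`/`.merge` are not available on the `ZodEffects` that `.refine()` returns), the cross-field refine belongs on the final schema the route registers rather than here, e.g. `CreateBaseSchema.extend({ /* route fields */ }).refine((val) => val.accessTokenTTL <= val.accessTokenMaxTTL, "Access Token TTL cannot be greater than Access Token Max TTL.")`. The same applies to the UpdateBaseSchema hunk below; its fields keep `.default(2592000)`, so the plain comparison works unless a trailing `.partial()` (as in the oidc router) makes them optional, in which case the undefined-tolerant form is needed. The `CreateBaseSchema` object literal starts before this hunk and continues after it.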
@@ -70,23 +59,12 @@ const UpdateBaseSchema = z
.min(1)
.default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
.describe(JWT_AUTH.UPDATE.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(1)
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenTTL must have a non zero number"
- })
- .default(2592000)
- .describe(JWT_AUTH.UPDATE.accessTokenTTL),
+ accessTokenTTL: z.number().int().min(0).max(315360000).default(2592000).describe(JWT_AUTH.UPDATE.accessTokenTTL),
accessTokenMaxTTL: z
.number()
.int()
+ .min(0)
.max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
.default(2592000)
.describe(JWT_AUTH.UPDATE.accessTokenMaxTTL),
accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(JWT_AUTH.UPDATE.accessTokenNumUsesLimit)
diff --git a/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts b/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
index 3a71ba7a24..3b30251794 100644
--- a/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
@@ -87,47 +87,47 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
params: z.object({
identityId: z.string().trim().describe(KUBERNETES_AUTH.ATTACH.identityId)
}),
- body: z.object({
- kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
- caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
- tokenReviewerJwt: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
- allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
- allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
- allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
- .describe(KUBERNETES_AUTH.ATTACH.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(1)
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenTTL must have a non zero number"
- })
- .default(2592000)
- .describe(KUBERNETES_AUTH.ATTACH.accessTokenTTL),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .default(2592000)
- .describe(KUBERNETES_AUTH.ATTACH.accessTokenMaxTTL),
- accessTokenNumUsesLimit: z
- .number()
- .int()
- .min(0)
- .default(0)
- .describe(KUBERNETES_AUTH.ATTACH.accessTokenNumUsesLimit)
- }),
+ body: z
+ .object({
+ kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
+ caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
+ tokenReviewerJwt: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
+ allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
+ allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
+ allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+ .describe(KUBERNETES_AUTH.ATTACH.accessTokenTrustedIps),
+ accessTokenTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(KUBERNETES_AUTH.ATTACH.accessTokenTTL),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(KUBERNETES_AUTH.ATTACH.accessTokenMaxTTL),
+ accessTokenNumUsesLimit: z
+ .number()
+ .int()
+ .min(0)
+ .default(0)
+ .describe(KUBERNETES_AUTH.ATTACH.accessTokenNumUsesLimit)
+ })
+ .refine(
+ (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
@@ -183,44 +183,47 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
params: z.object({
identityId: z.string().describe(KUBERNETES_AUTH.UPDATE.identityId)
}),
- body: z.object({
- kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
- caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
- tokenReviewerJwt: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
- allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
- allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
- allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .optional()
- .describe(KUBERNETES_AUTH.UPDATE.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(0)
- .max(315360000)
- .optional()
- .describe(KUBERNETES_AUTH.UPDATE.accessTokenTTL),
- accessTokenNumUsesLimit: z
- .number()
- .int()
- .min(0)
- .optional()
- .describe(KUBERNETES_AUTH.UPDATE.accessTokenNumUsesLimit),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .optional()
- .describe(KUBERNETES_AUTH.UPDATE.accessTokenMaxTTL)
- }),
+ body: z
+ .object({
+ kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
+ caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
+ tokenReviewerJwt: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
+ allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
+ allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
+ allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .optional()
+ .describe(KUBERNETES_AUTH.UPDATE.accessTokenTrustedIps),
+ accessTokenTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .optional()
+ .describe(KUBERNETES_AUTH.UPDATE.accessTokenTTL),
+ accessTokenNumUsesLimit: z
+ .number()
+ .int()
+ .min(0)
+ .optional()
+ .describe(KUBERNETES_AUTH.UPDATE.accessTokenNumUsesLimit),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .optional()
+ .describe(KUBERNETES_AUTH.UPDATE.accessTokenMaxTTL)
+ })
+ .refine(
+ (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
diff --git a/backend/src/server/routes/v1/identity-oidc-auth-router.ts b/backend/src/server/routes/v1/identity-oidc-auth-router.ts
index 280dbc5d5d..431ed3f4f4 100644
--- a/backend/src/server/routes/v1/identity-oidc-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-oidc-auth-router.ts
@@ -87,42 +87,42 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
params: z.object({
identityId: z.string().trim().describe(OIDC_AUTH.ATTACH.identityId)
}),
- body: z.object({
- oidcDiscoveryUrl: z.string().url().min(1).describe(OIDC_AUTH.ATTACH.oidcDiscoveryUrl),
- caCert: z.string().trim().default("").describe(OIDC_AUTH.ATTACH.caCert),
- boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
- boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
- boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
- boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
- .describe(OIDC_AUTH.ATTACH.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(1)
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenTTL must have a non zero number"
- })
- .default(2592000)
- .describe(OIDC_AUTH.ATTACH.accessTokenTTL),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .default(2592000)
- .describe(OIDC_AUTH.ATTACH.accessTokenMaxTTL),
- accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.ATTACH.accessTokenNumUsesLimit)
- }),
+ body: z
+ .object({
+ oidcDiscoveryUrl: z.string().url().min(1).describe(OIDC_AUTH.ATTACH.oidcDiscoveryUrl),
+ caCert: z.string().trim().default("").describe(OIDC_AUTH.ATTACH.caCert),
+ boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
+ boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
+ boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
+ boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+ .describe(OIDC_AUTH.ATTACH.accessTokenTrustedIps),
+ accessTokenTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(OIDC_AUTH.ATTACH.accessTokenTTL),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(OIDC_AUTH.ATTACH.accessTokenMaxTTL),
+ accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.ATTACH.accessTokenNumUsesLimit)
+ })
+ .refine(
+ (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityOidcAuth: IdentityOidcAuthResponseSchema
@@ -202,26 +202,24 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
accessTokenTTL: z
.number()
.int()
- .min(1)
+ .min(0)
.max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenTTL must have a non zero number"
- })
.default(2592000)
.describe(OIDC_AUTH.UPDATE.accessTokenTTL),
accessTokenMaxTTL: z
.number()
.int()
+ .min(0)
.max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
.default(2592000)
.describe(OIDC_AUTH.UPDATE.accessTokenMaxTTL),
-
accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.UPDATE.accessTokenNumUsesLimit)
})
- .partial(),
+ .partial()
+ .refine(
+ (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityOidcAuth: IdentityOidcAuthResponseSchema
diff --git a/backend/src/server/routes/v1/identity-token-auth-router.ts b/backend/src/server/routes/v1/identity-token-auth-router.ts
index f367e60334..3d331403ac 100644
--- a/backend/src/server/routes/v1/identity-token-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-token-auth-router.ts
@@ -26,36 +26,41 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
params: z.object({
identityId: z.string().trim().describe(TOKEN_AUTH.ATTACH.identityId)
}),
- body: z.object({
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
- .describe(TOKEN_AUTH.ATTACH.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(1)
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenTTL must have a non zero number"
- })
- .default(2592000)
- .describe(TOKEN_AUTH.ATTACH.accessTokenTTL),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .default(2592000)
- .describe(TOKEN_AUTH.ATTACH.accessTokenMaxTTL),
- accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(TOKEN_AUTH.ATTACH.accessTokenNumUsesLimit)
- }),
+ body: z
+ .object({
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+ .describe(TOKEN_AUTH.ATTACH.accessTokenTrustedIps),
+ accessTokenTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(TOKEN_AUTH.ATTACH.accessTokenTTL),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(TOKEN_AUTH.ATTACH.accessTokenMaxTTL),
+ accessTokenNumUsesLimit: z
+ .number()
+ .int()
+ .min(0)
+ .default(0)
+ .describe(TOKEN_AUTH.ATTACH.accessTokenNumUsesLimit)
+ })
+ .refine(
+ (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityTokenAuth: IdentityTokenAuthsSchema
@@ -110,27 +115,35 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
params: z.object({
identityId: z.string().trim().describe(TOKEN_AUTH.UPDATE.identityId)
}),
- body: z.object({
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .optional()
- .describe(TOKEN_AUTH.UPDATE.accessTokenTrustedIps),
- accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(TOKEN_AUTH.UPDATE.accessTokenTTL),
- accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(TOKEN_AUTH.UPDATE.accessTokenNumUsesLimit),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .optional()
- .describe(TOKEN_AUTH.UPDATE.accessTokenMaxTTL)
- }),
+ body: z
+ .object({
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .optional()
+ .describe(TOKEN_AUTH.UPDATE.accessTokenTrustedIps),
+ accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(TOKEN_AUTH.UPDATE.accessTokenTTL),
+ accessTokenNumUsesLimit: z
+ .number()
+ .int()
+ .min(0)
+ .optional()
+ .describe(TOKEN_AUTH.UPDATE.accessTokenNumUsesLimit),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .optional()
+ .describe(TOKEN_AUTH.UPDATE.accessTokenMaxTTL)
+ })
+ .refine(
+ (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityTokenAuth: IdentityTokenAuthsSchema
diff --git a/backend/src/server/routes/v1/identity-universal-auth-router.ts b/backend/src/server/routes/v1/identity-universal-auth-router.ts
index f103a39e0c..e48e1f442e 100644
--- a/backend/src/server/routes/v1/identity-universal-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-universal-auth-router.ts
@@ -86,49 +86,49 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
params: z.object({
identityId: z.string().trim().describe(UNIVERSAL_AUTH.ATTACH.identityId)
}),
- body: z.object({
- clientSecretTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
- .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
- .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(1)
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenTTL must have a non zero number"
- })
- .default(2592000)
- .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .default(2592000)
- .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
- accessTokenNumUsesLimit: z
- .number()
- .int()
- .min(0)
- .default(0)
- .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
- }),
+ body: z
+ .object({
+ clientSecretTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+ .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+ .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
+ accessTokenTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .default(2592000)
+ .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
+ accessTokenNumUsesLimit: z
+ .number()
+ .int()
+ .min(0)
+ .default(0)
+ .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
+ })
+ .refine(
+ (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityUniversalAuth: IdentityUniversalAuthsSchema
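Review bot: The added `.refine` compares `val.accessTokenTTL <= val.accessTokenMaxTTL` literally, while the UPDATE schemas in this commit (token-auth above and universal-auth below) skip the comparison when either value is `0`; with `accessTokenMaxTTL` now accepting `.min(0)`, an attach request with `accessTokenMaxTTL: 0` and the default `accessTokenTTL` of `2592000` is rejected here but the equivalent update is accepted. Note also that `0 <= max` is always true, so an explicit `accessTokenTTL: 0` — a non-expiring token per the service hunks — always passes this check regardless of the max. The attach and update schemas should agree on what `0` means: if it is "unlimited", mirror that here, e.g. `(val) => val.accessTokenMaxTTL === 0 || val.accessTokenTTL <= val.accessTokenMaxTTL`; if it is a literal bound, the update refines should stop treating `0` as "skip". The enclosing route definition begins before this hunk.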
@@ -181,46 +181,49 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
params: z.object({
identityId: z.string().describe(UNIVERSAL_AUTH.UPDATE.identityId)
}),
- body: z.object({
- clientSecretTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .optional()
- .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
- accessTokenTrustedIps: z
- .object({
- ipAddress: z.string().trim()
- })
- .array()
- .min(1)
- .optional()
- .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
- accessTokenTTL: z
- .number()
- .int()
- .min(0)
- .max(315360000)
- .optional()
- .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
- accessTokenNumUsesLimit: z
- .number()
- .int()
- .min(0)
- .optional()
- .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
- accessTokenMaxTTL: z
- .number()
- .int()
- .max(315360000)
- .refine((value) => value !== 0, {
- message: "accessTokenMaxTTL must have a non zero number"
- })
- .optional()
- .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
- }),
+ body: z
+ .object({
+ clientSecretTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .optional()
+ .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
+ accessTokenTrustedIps: z
+ .object({
+ ipAddress: z.string().trim()
+ })
+ .array()
+ .min(1)
+ .optional()
+ .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
+ accessTokenTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .optional()
+ .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
+ accessTokenNumUsesLimit: z
+ .number()
+ .int()
+ .min(0)
+ .optional()
+ .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
+ accessTokenMaxTTL: z
+ .number()
+ .int()
+ .min(0)
+ .max(315360000)
+ .optional()
+ .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
+ })
+ .refine(
+ (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+ "Access Token TTL cannot be greater than Access Token Max TTL."
+ ),
response: {
200: z.object({
identityUniversalAuth: IdentityUniversalAuthsSchema
diff --git a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
index 9f791fd74e..ff202f225d 100644
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@@ -126,12 +126,12 @@ export const identityAwsAuthServiceFactory = ({
authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
} as TIdentityAccessTokenJwtPayload,
appCfg.AUTH_SECRET,
- {
- expiresIn:
- Number(identityAccessToken.accessTokenMaxTTL) === 0
- ? undefined
- : Number(identityAccessToken.accessTokenMaxTTL)
- }
+ // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+ Number(identityAccessToken.accessTokenTTL) === 0
+ ? undefined
+ : {
+ expiresIn: Number(identityAccessToken.accessTokenTTL)
+ }
);
return { accessToken, identityAwsAuth, identityAccessToken, identityMembershipOrg };
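Review bot: When `accessTokenTTL` is `0` the signing call now receives no options object at all, so the issued token carries no `exp` claim and never expires; together with the router hunks above, which relax `accessTokenTTL` to `.min(0)`, an explicit `0` becomes a supported way to mint a non-expiring identity access token, bounded only by the num-uses limit and whatever server-side revocation exists. If that is intended it deserves a comment at the call site saying so and, ideally, an audit-log entry when a non-expiring token is issued; if not, the schemas should keep `.min(1)` on `accessTokenTTL`. The identical seven lines are repeated in the azure, gcp, jwt, kubernetes, oidc, token-auth and ua service hunks below; a shared helper such as `const expiresIn = Number(identityAccessToken.accessTokenTTL); const jwtOptions = expiresIn === 0 ? undefined : { expiresIn };` would keep the zero-means-no-expiry rule in one place. The `// akhilmhdh:` author tag should be dropped in favour of the rule itself, e.g. `// accessTokenTTL of 0 means no expiry: omit the options object entirely, since jsonwebtoken rejects expiresIn: undefined`. The signing call and the enclosing function begin outside this hunk.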
diff --git a/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts b/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
index 6275aa0faf..01d013734e 100644
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
@@ -99,12 +99,12 @@ export const identityAzureAuthServiceFactory = ({
authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
} as TIdentityAccessTokenJwtPayload,
appCfg.AUTH_SECRET,
- {
- expiresIn:
- Number(identityAccessToken.accessTokenMaxTTL) === 0
- ? undefined
- : Number(identityAccessToken.accessTokenMaxTTL)
- }
+ // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+ Number(identityAccessToken.accessTokenTTL) === 0
+ ? undefined
+ : {
+ expiresIn: Number(identityAccessToken.accessTokenTTL)
+ }
);
return { accessToken, identityAzureAuth, identityAccessToken, identityMembershipOrg };
diff --git a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
index a81b0cd017..5e404ca20e 100644
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
@@ -138,12 +138,12 @@ export const identityGcpAuthServiceFactory = ({
authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
} as TIdentityAccessTokenJwtPayload,
appCfg.AUTH_SECRET,
- {
- expiresIn:
- Number(identityAccessToken.accessTokenMaxTTL) === 0
- ? undefined
- : Number(identityAccessToken.accessTokenMaxTTL)
- }
+ // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+ Number(identityAccessToken.accessTokenTTL) === 0
+ ? undefined
+ : {
+ expiresIn: Number(identityAccessToken.accessTokenTTL)
+ }
);
return { accessToken, identityGcpAuth, identityAccessToken, identityMembershipOrg };
diff --git a/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts b/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
index 5f8fc5ff6c..6757b0b846 100644
--- a/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
+++ b/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
@@ -212,12 +212,12 @@ export const identityJwtAuthServiceFactory = ({
authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
} as TIdentityAccessTokenJwtPayload,
appCfg.AUTH_SECRET,
- {
- expiresIn:
- Number(identityAccessToken.accessTokenMaxTTL) === 0
- ? undefined
- : Number(identityAccessToken.accessTokenMaxTTL)
- }
+ // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+ Number(identityAccessToken.accessTokenTTL) === 0
+ ? undefined
+ : {
+ expiresIn: Number(identityAccessToken.accessTokenTTL)
+ }
);
return { accessToken, identityJwtAuth, identityAccessToken, identityMembershipOrg };
diff --git a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
index b62f3e8f53..4508a255da 100644
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -229,12 +229,12 @@ export const identityKubernetesAuthServiceFactory = ({
authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
} as TIdentityAccessTokenJwtPayload,
appCfg.AUTH_SECRET,
- {
- expiresIn:
- Number(identityAccessToken.accessTokenMaxTTL) === 0
- ? undefined
- : Number(identityAccessToken.accessTokenMaxTTL)
- }
+ // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+ Number(identityAccessToken.accessTokenTTL) === 0
+ ? undefined
+ : {
+ expiresIn: Number(identityAccessToken.accessTokenTTL)
+ }
);
return { accessToken, identityKubernetesAuth, identityAccessToken, identityMembershipOrg };
diff --git a/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts b/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
index dc3b1baa3f..a1dbed46b3 100644
--- a/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
+++ b/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
@@ -194,12 +194,12 @@ export const identityOidcAuthServiceFactory = ({
authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
} as TIdentityAccessTokenJwtPayload,
appCfg.AUTH_SECRET,
- {
- expiresIn:
- Number(identityAccessToken.accessTokenMaxTTL) === 0
- ? undefined
- : Number(identityAccessToken.accessTokenMaxTTL)
- }
+ // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+ Number(identityAccessToken.accessTokenTTL) === 0
+ ? undefined
+ : {
+ expiresIn: Number(identityAccessToken.accessTokenTTL)
+ }
);
return { accessToken, identityOidcAuth, identityAccessToken, identityMembershipOrg };
diff --git a/backend/src/services/identity-token-auth/identity-token-auth-service.ts b/backend/src/services/identity-token-auth/identity-token-auth-service.ts
index 847030d762..bf38c5fa1e 100644
--- a/backend/src/services/identity-token-auth/identity-token-auth-service.ts
+++ b/backend/src/services/identity-token-auth/identity-token-auth-service.ts
@@ -328,12 +328,12 @@ export const identityTokenAuthServiceFactory = ({
authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
} as TIdentityAccessTokenJwtPayload,
appCfg.AUTH_SECRET,
- {
- expiresIn:
- Number(identityAccessToken.accessTokenMaxTTL) === 0
- ? undefined
- : Number(identityAccessToken.accessTokenMaxTTL)
- }
+ // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+ Number(identityAccessToken.accessTokenTTL) === 0
+ ? undefined
+ : {
+ expiresIn: Number(identityAccessToken.accessTokenTTL)
+ }
);
return { accessToken, identityTokenAuth, identityAccessToken, identityMembershipOrg };
diff --git a/backend/src/services/identity-ua/identity-ua-service.ts b/backend/src/services/identity-ua/identity-ua-service.ts
index b456c16477..b9837265aa 100644
--- a/backend/src/services/identity-ua/identity-ua-service.ts
+++ b/backend/src/services/identity-ua/identity-ua-service.ts
@@ -129,12 +129,12 @@ export const identityUaServiceFactory = ({
authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
} as TIdentityAccessTokenJwtPayload,
appCfg.AUTH_SECRET,
- {
- expiresIn:
- Number(identityAccessToken.accessTokenMaxTTL) === 0
- ? undefined
- : Number(identityAccessToken.accessTokenMaxTTL)
- }
+ // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+ Number(identityAccessToken.accessTokenTTL) === 0
+ ? undefined
+ : {
+ expiresIn: Number(identityAccessToken.accessTokenTTL)
+ }
);
return { accessToken, identityUa, validClientSecretInfo, identityAccessToken, identityMembershipOrg };
diff --git a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityAwsAuthForm.tsx b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityAwsAuthForm.tsx
index 7f609305db..ddcc7b2d1d 100644
--- a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityAwsAuthForm.tsx
+++ b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityAwsAuthForm.tsx
@@ -259,7 +259,7 @@ export const IdentityAwsAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
@@ -273,7 +273,7 @@ export const IdentityAwsAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
diff --git a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityAzureAuthForm.tsx b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityAzureAuthForm.tsx
index 1bfdf27570..cd32ca9dc7 100644
--- a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityAzureAuthForm.tsx
+++ b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityAzureAuthForm.tsx
@@ -255,7 +255,7 @@ export const IdentityAzureAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
@@ -269,7 +269,7 @@ export const IdentityAzureAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
diff --git a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityGcpAuthForm.tsx b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityGcpAuthForm.tsx
index 2a3fc526df..760bb6ed47 100644
--- a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityGcpAuthForm.tsx
+++ b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityGcpAuthForm.tsx
@@ -294,7 +294,7 @@ export const IdentityGcpAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
@@ -308,7 +308,7 @@ export const IdentityGcpAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
diff --git a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityJwtAuthForm.tsx b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityJwtAuthForm.tsx
index 32ad5b6ada..c9d8acccaf 100644
--- a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityJwtAuthForm.tsx
+++ b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityJwtAuthForm.tsx
@@ -563,7 +563,7 @@ export const IdentityJwtAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
@@ -577,7 +577,7 @@ export const IdentityJwtAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
diff --git a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityKubernetesAuthForm.tsx b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityKubernetesAuthForm.tsx
index 9a65aeebc4..4d25590a1a 100644
--- a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityKubernetesAuthForm.tsx
+++ b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityKubernetesAuthForm.tsx
@@ -305,7 +305,7 @@ export const IdentityKubernetesAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
@@ -320,7 +320,7 @@ export const IdentityKubernetesAuthForm = ({
errorText={error?.message}
tooltipText="The maximum lifetime for an access token in seconds. This value will be referenced at renewal time."
>
-
+
)}
/>
diff --git a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityOidcAuthForm.tsx b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityOidcAuthForm.tsx
index 679e03555a..b1b0739cf3 100644
--- a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityOidcAuthForm.tsx
+++ b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityOidcAuthForm.tsx
@@ -323,7 +323,7 @@ export const IdentityOidcAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
@@ -337,7 +337,7 @@ export const IdentityOidcAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
diff --git a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityTokenAuthForm.tsx b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityTokenAuthForm.tsx
index d0e7bc7289..18e832aa82 100644
--- a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityTokenAuthForm.tsx
+++ b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityTokenAuthForm.tsx
@@ -192,7 +192,7 @@ export const IdentityTokenAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
@@ -206,7 +206,7 @@ export const IdentityTokenAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>
diff --git a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityUniversalAuthForm.tsx b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityUniversalAuthForm.tsx
index 975ef8dbeb..2ebe631fe2 100644
--- a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityUniversalAuthForm.tsx
+++ b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityUniversalAuthForm.tsx
@@ -224,7 +224,7 @@ export const IdentityUniversalAuthForm = ({
isError={Boolean(error)}
errorText={error?.message}
>
-
+
)}
/>