feat(session): cap TTL at 1 hour maximum

2026-01-02 13:27:30 -05:00
parent b310ee10a9
commit 3c97ad407c
2 changed files with 28 additions and 3 deletions
--- a/src/grist_mcp/session.py
+++ b/src/grist_mcp/session.py
@@ -4,6 +4,9 @@ import secrets
 from dataclasses import dataclass
 from datetime import datetime, timedelta, timezone

+MAX_TTL_SECONDS = 3600  # 1 hour
+DEFAULT_TTL_SECONDS = 300  # 5 minutes
+

@dataclass
 class SessionToken:
@@ -27,19 +30,25 @@ class SessionTokenManager:
        agent_name: str,
        document: str,
        permissions: list[str],
-        ttl_seconds: int,
+        ttl_seconds: int = DEFAULT_TTL_SECONDS,
    ) -> SessionToken:
-        """Create a new session token."""
+        """Create a new session token.
+
+        TTL is capped at MAX_TTL_SECONDS (1 hour).
+        """
        now = datetime.now(timezone.utc)
        token_str = f"sess_{secrets.token_urlsafe(32)}"

+        # Cap TTL at maximum
+        effective_ttl = min(ttl_seconds, MAX_TTL_SECONDS)
+
        session = SessionToken(
            token=token_str,
            document=document,
            permissions=permissions,
            agent_name=agent_name,
            created_at=now,
-            expires_at=now + timedelta(seconds=ttl_seconds),
+            expires_at=now + timedelta(seconds=effective_ttl),
        )

        self._tokens[token_str] = session