fix(api,admin-ui,user-ui): add client token ttl controls and remove deprecated auth settings

packages/admin-ui/src/pages/Branding.tsx

@@ -63,7 +63,7 @@ function buildPreviewUrl(
   };
   const o = toB64Url(JSON.stringify(options));
   const u = encodeURIComponent(issuer);
-  return `/preview?options=${o}&u=${u}`;
+  return `/preview?options=${o}&u=${u}&da_preview=1`;
 }
 
 function _inferType(s: AdminSetting): "string" | "number" | "boolean" | "object" {

packages/admin-ui/src/pages/ClientEdit.tsx

@@ -135,6 +135,7 @@ export default function ClientEdit({ mode = "edit" }: ClientEditProps) {
     allowedJweAlgs: "",
     allowedJweEncs: "",
     idTokenLifetimeSeconds: "",
+    accessTokenLifetimeSeconds: "",
     refreshTokenLifetimeSeconds: "",
   });
 
@@ -194,6 +195,9 @@ export default function ClientEdit({ mode = "edit" }: ClientEditProps) {
         allowedJweAlgs: joinList(c.allowedJweAlgs),
         allowedJweEncs: joinList(c.allowedJweEncs),
         idTokenLifetimeSeconds: c.idTokenLifetimeSeconds ? String(c.idTokenLifetimeSeconds) : "",
+        accessTokenLifetimeSeconds: c.accessTokenLifetimeSeconds
+          ? String(c.accessTokenLifetimeSeconds)
+          : "",
         refreshTokenLifetimeSeconds: c.refreshTokenLifetimeSeconds
           ? String(c.refreshTokenLifetimeSeconds)
           : "",
@@ -251,6 +255,9 @@ export default function ClientEdit({ mode = "edit" }: ClientEditProps) {
         idTokenLifetimeSeconds: form.idTokenLifetimeSeconds
           ? Number(form.idTokenLifetimeSeconds)
           : undefined,
+        accessTokenLifetimeSeconds: form.accessTokenLifetimeSeconds
+          ? Number(form.accessTokenLifetimeSeconds)
+          : undefined,
         refreshTokenLifetimeSeconds: form.refreshTokenLifetimeSeconds
           ? Number(form.refreshTokenLifetimeSeconds)
           : undefined,
@@ -834,17 +841,15 @@ export default function ClientEdit({ mode = "edit" }: ClientEditProps) {
             <Card className={styles.tabCard}>
               <CardHeader>
                 <CardTitle>Token Policy</CardTitle>
-                <CardDescription>
-                  Optional token lifetime overrides for this client.
-                </CardDescription>
+                <CardDescription>Token lifetime configuration for this client.</CardDescription>
               </CardHeader>
               <CardContent>
                 <FormGrid columns={1}>
                   <FormField
                     label={
                       <FieldLabel
                         title="ID Token TTL (seconds)"
-                        tooltip="Overrides global ID token lifetime for this client. Leave empty to use system defaults."
+                        tooltip="ID token lifetime for this client."
                       />
                     }
                   >
@@ -859,6 +864,25 @@ export default function ClientEdit({ mode = "edit" }: ClientEditProps) {
                     <FieldHint>Typical values: 300 to 3600 seconds.</FieldHint>
                   </FormField>
 
+                  <FormField
+                    label={
+                      <FieldLabel
+                        title="Access Token TTL (seconds)"
+                        tooltip="Access token lifetime for this client."
+                      />
+                    }
+                  >
+                    <Input
+                      type="number"
+                      min={60}
+                      value={form.accessTokenLifetimeSeconds}
+                      onChange={(e) =>
+                        setForm((f) => ({ ...f, accessTokenLifetimeSeconds: e.target.value }))
+                      }
+                    />
+                    <FieldHint>Typical values: 300 to 3600 seconds.</FieldHint>
+                  </FormField>
+
                   <FormField
                     label={
                       <FieldLabel

packages/admin-ui/src/services/api.ts

@@ -57,23 +57,6 @@ export interface AdminOpaqueLoginFinishResponse {
   };
 }
 
-export interface AdminOpaqueRegisterStartRequest {
-  email: string;
-  request: string; // base64url encoded
-}
-
-export interface AdminOpaqueRegisterStartResponse {
-  message: string; // base64url encoded
-  serverPublicKey: string; // base64url encoded
-}
-
-export interface AdminOpaqueRegisterFinishRequest {
-  email: string;
-  name: string;
-  role: "read" | "write";
-  record: string; // base64url encoded
-}
-
 export interface AdminSessionResponse {
   authenticated: boolean;
   adminId?: string;
@@ -220,6 +203,7 @@ export interface Client {
   updatedAt: string;
   clientSecret?: string; // Only returned when creating/updating
   idTokenLifetimeSeconds?: number;
+  accessTokenLifetimeSeconds?: number;
   refreshTokenLifetimeSeconds?: number;
 }
 
@@ -252,6 +236,7 @@ export interface CreateClientRequest {
   scopes?: Array<string | ClientScope>;
   allowedZkOrigins?: string[];
   idTokenLifetimeSeconds?: number;
+  accessTokenLifetimeSeconds?: number;
   refreshTokenLifetimeSeconds?: number;
 }
 
@@ -474,22 +459,6 @@ class AdminApiService {
     });
   }
 
-  async adminOpaqueRegisterStart(
-    request: AdminOpaqueRegisterStartRequest
-  ): Promise<AdminOpaqueRegisterStartResponse> {
-    return this.request("/opaque/register/start", {
-      method: "POST",
-      body: JSON.stringify(request),
-    });
-  }
-
-  async adminOpaqueRegisterFinish(request: AdminOpaqueRegisterFinishRequest): Promise<void> {
-    return this.request("/opaque/register/finish", {
-      method: "POST",
-      body: JSON.stringify(request),
-    });
-  }
-
   // Session Management
   async getAdminSession(): Promise<AdminSessionResponse> {
     return this.request("/session");

packages/api/drizzle/0014_client_access_token_ttl.sql

@@ -0,0 +1 @@
+ALTER TABLE "clients" ADD COLUMN "access_token_lifetime_seconds" integer;

packages/api/drizzle/meta/_journal.json

@@ -85,6 +85,13 @@
       "when": 1772269200000,
       "tag": "0013_client_dashboard_icons",
       "breakpoints": true
+    },
+    {
+      "idx": 12,
+      "version": "7",
+      "when": 1772323200000,
+      "tag": "0014_client_access_token_ttl",
+      "breakpoints": true
     }
   ]
 }

packages/api/src/context/createContext.ts

@@ -9,6 +9,7 @@ import { ensureDefaultOrganizationAndSchema } from "../models/install.ts";
 import { ensureKekService } from "../services/kek.ts";
 import { createOpaqueService } from "../services/opaque.ts";
 import { cleanupExpiredSessions } from "../services/sessions.ts";
+import { pruneDeprecatedSettings } from "../services/settings.ts";
 import type { Config, Context, Database } from "../types.ts";
 
 async function waitForPostgres(pool: Pool, attempts = 20, delayMs = 500) {
@@ -109,6 +110,11 @@ export async function createContext(config: Config): Promise<Context> {
     } catch (err) {
       logger.warn({ err }, "ensureDefaultOrganizationAndSchema failed");
     }
+    try {
+      await pruneDeprecatedSettings(context);
+    } catch (err) {
+      logger.warn({ err }, "pruneDeprecatedSettings failed");
+    }
   }
 
   if (!config.inInstallMode) {

packages/api/src/controllers/admin/clientCreate.ts

@@ -44,6 +44,7 @@ export const CreateClientSchema = z.object({
     ]),
   allowedZkOrigins: z.array(z.string()).optional().default([]),
   idTokenLifetimeSeconds: z.number().int().positive().optional(),
+  accessTokenLifetimeSeconds: z.number().int().positive().optional(),
   refreshTokenLifetimeSeconds: z.number().int().positive().optional(),
 });
 
@@ -70,6 +71,7 @@ export const ClientResponseSchema = z.object({
   scopes: z.array(ScopeSchema),
   allowedZkOrigins: z.array(z.string()),
   idTokenLifetimeSeconds: z.number().int().positive().nullable(),
+  accessTokenLifetimeSeconds: z.number().int().positive().nullable(),
   refreshTokenLifetimeSeconds: z.number().int().positive().nullable(),
   createdAt: z.date().or(z.string()),
   updatedAt: z.date().or(z.string()),

packages/api/src/controllers/admin/clientUpdate.ts

@@ -57,6 +57,7 @@ async function updateClientHandler(
     scopes: z.array(z.union([z.string().min(1), ScopeSchema])).optional(),
     allowedZkOrigins: z.array(z.string()).optional(),
     idTokenLifetimeSeconds: z.number().int().positive().nullable().optional(),
+    accessTokenLifetimeSeconds: z.number().int().positive().nullable().optional(),
     refreshTokenLifetimeSeconds: z.number().int().positive().nullable().optional(),
   });
   const parsedUpdates = Req.parse(parsed as unknown);
@@ -142,6 +143,7 @@ const Req = z.object({
   scopes: z.array(z.union([z.string().min(1), ScopeSchema])).optional(),
   allowedZkOrigins: z.array(z.string()).optional(),
   idTokenLifetimeSeconds: z.number().int().positive().nullable().optional(),
+  accessTokenLifetimeSeconds: z.number().int().positive().nullable().optional(),
   refreshTokenLifetimeSeconds: z.number().int().positive().nullable().optional(),
 });
 

packages/api/src/controllers/admin/clients.ts

@@ -37,6 +37,7 @@ const ClientResponseSchema = z.object({
   scopes: z.array(ScopeSchema),
   allowedZkOrigins: z.array(z.string()),
   idTokenLifetimeSeconds: z.number().int().positive().nullable(),
+  accessTokenLifetimeSeconds: z.number().int().positive().nullable(),
   refreshTokenLifetimeSeconds: z.number().int().positive().nullable(),
   createdAt: z.date().or(z.string()),
   updatedAt: z.date().or(z.string()),

packages/api/src/controllers/admin/logout.ts

@@ -2,7 +2,12 @@ import type { IncomingMessage, ServerResponse } from "node:http";
 import { z } from "zod/v4";
 import { genericErrors } from "../../http/openapi-helpers.ts";
 
-import { clearSessionCookies, deleteSession, getSessionId } from "../../services/sessions.ts";
+import {
+  clearRefreshTokenCookie,
+  clearSessionCookies,
+  deleteSession,
+  getSessionId,
+} from "../../services/sessions.ts";
 import type { Context, ControllerSchema } from "../../types.ts";
 import { withAudit } from "../../utils/auditWrapper.ts";
 import { sendJson } from "../../utils/http.ts";
@@ -19,6 +24,7 @@ async function postAdminLogoutHandler(
     await deleteSession(context, sessionId);
   }
   clearSessionCookies(response, true);
+  clearRefreshTokenCookie(response, true);
 
   sendJson(response, 200, {
     success: true,

packages/api/src/controllers/admin/settings.ts

@@ -5,6 +5,7 @@ import { genericErrors } from "../../http/openapi-helpers.ts";
 import { listSettings } from "../../models/settings.ts";
 import { ensureBrandingDefaults } from "../../services/branding.ts";
 import { requireSession } from "../../services/sessions.ts";
+import { pruneDeprecatedSettings } from "../../services/settings.ts";
 import type { Context, ControllerSchema } from "../../types.ts";
 import { sendJson } from "../../utils/http.ts";
 
@@ -23,6 +24,7 @@ export async function getSettings(
 
   // Get all settings
   await ensureBrandingDefaults(context);
+  await pruneDeprecatedSettings(context);
   const settingsData = await listSettings(context);
 
   const flattened = settingsData;

packages/api/src/controllers/admin/settingsUpdate.ts

@@ -17,10 +17,6 @@ interface SettingsUpdateRequest {
 const ALLOWED_SETTINGS = [
   "rate_limits",
   "security",
-  "code",
-  "pkce",
-  "id_token",
-  "access_token",
   "zk_delivery",
   "opaque",
   "security_headers",

packages/api/src/controllers/user/opaqueLoginFinish.ts

@@ -202,20 +202,14 @@ export const postOpaqueLoginFinish = withRateLimit("opaque", (body) => {
       const refreshTtlSeconds = await getRefreshTokenTtlSeconds(context, "user");
       issueSessionCookies(response, createdSessionId, ttlSeconds, false);
       issueRefreshTokenCookie(response, refreshToken, refreshTtlSeconds, false);
-      let accessTokenTtl = 600;
-      const accessTokenSettings = (await getSetting(context, "access_token")) as
-        | { lifetime_seconds?: number }
-        | undefined
-        | null;
-      if (accessTokenSettings?.lifetime_seconds && accessTokenSettings.lifetime_seconds > 0) {
-        accessTokenTtl = accessTokenSettings.lifetime_seconds;
-      } else {
-        const flat = (await getSetting(context, "access_token.lifetime_seconds")) as
-          | number
-          | undefined
-          | null;
-        if (typeof flat === "number" && flat > 0) accessTokenTtl = flat;
-      }
+      const client = await (await import("../../models/clients.ts")).getClient(
+        context,
+        userClientId
+      );
+      const accessTokenTtl =
+        client?.accessTokenLifetimeSeconds && client.accessTokenLifetimeSeconds > 0
+          ? client.accessTokenLifetimeSeconds
+          : 600;
       const now = Math.floor(Date.now() / 1000);
       const accessToken = await signJWT(
         context,

packages/api/src/controllers/user/opaqueLoginStart.ts

@@ -81,7 +81,6 @@ export const postOpaqueLoginStart = withRateLimit("opaque", (body) =>
     // Convert response to base64url for JSON transmission
     const responseData = {
       message: toBase64Url(Buffer.from(loginResponse.message)),
-      sub: "00000000-0000-0000-0000-000000000000",
       sessionId: loginResponse.sessionId,
     };