
fix: adjust expiration time for token generation#87

Merged: Meldiron merged 2 commits into utopia-php:main from docimin:main on Apr 8, 2026

Conversation

Contributor

docimin commented Apr 8, 2026

GitHub recently tightened JWT validation for GitHub App authentication as the `exp` claim must now be strictly less than 10 minutes from `iat`.

greptile-apps bot commented Apr 8, 2026

Greptile Summary

This PR fixes GitHub App JWT authentication by reducing the exp claim from 10 minutes to 9 minutes (60 * 9 seconds) to comply with GitHub's tightened validation that now enforces exp - iat to be strictly less than 10 minutes. The fix also extracts the expiry value into a well-documented constant GITHUB_APP_JWT_EXPIRY and updates the cache TTL to be derived from that constant (GITHUB_APP_JWT_EXPIRY - 60 = 8 minutes) for consistency.

Key changes:

  • New constant GITHUB_APP_JWT_EXPIRY = 60 * 9 centralises the 9-minute expiry with documentation linking to GitHub's JWT docs.
  • generateAccessToken() now uses self::GITHUB_APP_JWT_EXPIRY (540 s) instead of the previous 10 * 60 (600 s), which was silently rejected by GitHub's stricter validation.
  • Cache TTL is now self::GITHUB_APP_JWT_EXPIRY - 60 (480 s / 8 min), preserving the 1-minute refresh buffer before the JWT expires.

Confidence Score: 5/5

Safe to merge — targeted, correct fix with no regressions introduced.

The change is minimal and well-reasoned: it fixes a real compatibility breakage with GitHub's stricter JWT validation by reducing the expiry from 600 s to 540 s, extracts the value into a documented constant, and keeps the cache TTL correctly derived from that constant. No logic errors, security issues, or P1/P0 findings were identified.

No files require special attention.

Vulnerabilities

No security concerns identified. The change reduces the JWT lifetime, which is strictly more conservative from a security standpoint. Private key handling and token usage patterns are unchanged.

Important Files Changed

src/VCS/Adapter/Git/GitHub.php: JWT expiry reduced from 10 min to 9 min via new GITHUB_APP_JWT_EXPIRY constant; cache TTL updated to match. Change is correct and well-documented.

Reviews (2): Last reviewed commit: "fix: use GITHUB_APP_JWT_EXPIRY instead o..."
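The rule both the PR description and the summary above turn on (exp - iat must be strictly less than 10 minutes, so 600 s fails and 540 s passes) is easy to get wrong by one second at the boundary, and the summary also notes that the cache TTL is derived from the JWT lifetime minus a 60 s refresh buffer. The following is an added example, not code from utopia-php/vcs, written in Go rather than the project's PHP so it runs self-contained on the standard library's RSA and JSON packages. It mints an RS256 GitHub-App-style JWT with iss, iat and exp, then verifies the signature locally and applies the lifetime rule the PR describes, standing in for the check GitHub performs server-side. The App ID "12345", the fixed "now" timestamp and the throwaway RSA key are constructed for the example; GitHubAppJWTExpiry and GitHubAppJWTCacheTTL mirror the values the summary quotes (540 s and 480 s).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Lifetimes mirrored from the PR: a 9-minute JWT and a cache TTL one minute shorter,
// so a cached JWT is refreshed before it can expire mid-request.
const (
	GitHubAppJWTExpiry   int64 = 60 * 9                  // 540 s, exp - iat
	GitHubAppJWTCacheTTL int64 = GitHubAppJWTExpiry - 60 // 480 s
	gitHubMaxLifetime    int64 = 10 * 60                 // exp - iat must be strictly below this (the PR's reading of GitHub's rule)
)

// Claims a GitHub App JWT carries: the App ID as issuer (iss), issued-at (iat) and expiry (exp).
type Claims struct {
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Iss string `json:"iss"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewAppKey generates a throwaway RSA key standing in for the App's private key (example only).
func NewAppKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// MintAppJWT builds an RS256 JWT with iat = now and exp = now + lifetime, as a GitHub App does.
func MintAppJWT(key *rsa.PrivateKey, appID string, now int64, lifetime int64) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(Claims{Iat: now, Exp: now + lifetime, Iss: appID})
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAppJWT checks the RS256 signature against the App's public key and then applies
// the lifetime rule the PR describes: exp - iat must be strictly less than 10 minutes.
// It returns the claims so a caller can see exactly how wide the window it issued is.
func VerifyAppJWT(token string, pub *rsa.PublicKey) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT: expected three dot-separated segments")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("bad signature: %w", err)
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, err
	}
	if c.Exp <= c.Iat {
		return c, errors.New("exp must be later than iat")
	}
	if c.Exp-c.Iat >= gitHubMaxLifetime {
		return c, fmt.Errorf("exp - iat = %d s; must be strictly less than %d s", c.Exp-c.Iat, gitHubMaxLifetime)
	}
	return c, nil
}

func main() {
	key, err := NewAppKey()
	if err != nil {
		panic(err)
	}
	const now int64 = 1_700_000_000 // constructed fixed "now" so the run is reproducible
	for _, lifetime := range []int64{10 * 60, GitHubAppJWTExpiry} {
		tok, _ := MintAppJWT(key, "12345", now, lifetime) // "12345" is a made-up App ID
		_, err := VerifyAppJWT(tok, &key.PublicKey)
		fmt.Printf("lifetime %3d s -> %v\n", lifetime, err)
	}
	fmt.Printf("cache TTL %d s leaves %d s of validity after the last cached use\n",
		GitHubAppJWTCacheTTL, GitHubAppJWTExpiry-GitHubAppJWTCacheTTL)
}
```

The comparison is deliberately `>=` against 600 s: the old 10 * 60 value lands exactly on the boundary, which is why it was rejected while 60 * 9 passes. The cache TTL stays below the JWT lifetime so that a token served from cache always has at least the 60 s buffer left; keep that derivation tied to the constant, as the PR does, rather than hard-coding a second number that can drift.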

Meldiron added the test label (Enables E2E tests in CI/CD) on Apr 8, 2026
Meldiron removed and re-added the test label (Enables E2E tests in CI/CD) on Apr 8, 2026
Meldiron merged commit 44a84ab into utopia-php:main on Apr 8, 2026
5 checks passed