fix: add expiration to download tokens (30-day TTL)

🟢 open · #77 · willchen96/mike ← bmersereau/mike · opened 14d ago by bmersereau · +1,344-21 across 6 files

From the PR description

Summary

  • Adds an exp (Unix timestamp) field to every HMAC-signed download token
  • verifyDownload rejects tokens whose exp is in the past
  • Default TTL is 30 days - generous enough for links stored in chat history, bounded enough to limit exposure if the signing secret is ever rotated
  • Old tokens without an exp field are still accepted (backward compat)

Closes #68

Changes

  • backend/src/lib/downloadTokens.ts - signDownload gains optional ttlSeconds param (default 30 days); verifyDownload checks exp when present
  • backend/src/lib/__tests__/downloadTokens.test.ts - 5 unit tests covering round-trip, tampering, exp field presence, rejection of expired tokens, and acceptance of valid tokens
  • backend/vitest.config.ts + backend/package.json - vitest added

Test plan

  • Unit tests: round-trip, tamper, exp field present, expired → null, valid → ok
  • Build and typecheck pass

Closes #91
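The sign/verify behaviour the description outlines, as an added sketch that is not the PR's code: the token layout, the `path` payload field, the `mac` helper and the injectable `nowSec` clock are assumptions, and only the names `signDownload`, `verifyDownload`, `ttlSeconds` and `exp` come from the description.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed token layout (not from the PR): base64url(JSON payload) "." base64url(HMAC-SHA256)
const DEFAULT_TTL_SECONDS = 30 * 24 * 60 * 60; // 30-day default stated in the PR

interface DownloadPayload { path: string; exp?: number }

function mac(secret: string, body: string): Buffer {
  return createHmac("sha256", secret).update(body).digest();
}

// nowSec is injectable (an assumption of this sketch) so expiry can be tested deterministically.
function signDownload(secret: string, path: string,
                      ttlSeconds: number = DEFAULT_TTL_SECONDS,
                      nowSec: number = Math.floor(Date.now() / 1000)): string {
  const payload: DownloadPayload = { path, exp: nowSec + ttlSeconds };
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return body + "." + mac(secret, body).toString("base64url");
}

function verifyDownload(secret: string, token: string,
                        nowSec: number = Math.floor(Date.now() / 1000)): DownloadPayload | null {
  const dot = token.indexOf(".");
  if (dot < 0) return null;
  const body = token.slice(0, dot);
  const given = Buffer.from(token.slice(dot + 1), "base64url");
  const expected = mac(secret, body);
  // Verify the MAC first, in constant time: exp is only meaningful once the payload is authentic.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  let parsed: unknown;
  try {
    parsed = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof parsed !== "object" || parsed === null) return null;
  const p = parsed as { path?: unknown; exp?: unknown };
  if (typeof p.path !== "string") return null;

  if (p.exp === undefined) {
    // Legacy token without exp: accepted for backward compatibility, so it stays
    // valid until the signing secret changes.
    return { path: p.path };
  }
  // A present but malformed exp fails closed instead of being treated as legacy.
  if (typeof p.exp !== "number" || !Number.isFinite(p.exp)) return null;
  if (p.exp < nowSec) return null; // expired
  return { path: p.path, exp: p.exp };
}
```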
