Don't set expiration on auth tokens (#3105)

To make sure that #3096 has the desired effect.

[ci]

Signed-off-by: Martin Florian <martin.florian@digitalasset.com>

Author: martinflorian-da

apps/app/src/main/scala/org/lfdecentralizedtrust/splice/config/ConfigTransforms.scala

@@ -803,7 +803,6 @@ object ConfigTransforms {
     val userToken = AuthUtil.LedgerApi.testToken(
       user = user,
       secret = secret,
-      expiration = NonNegativeFiniteDuration.ofDays(30),
     )
     c.copy(
       authConfig = AuthTokenSourceConfig.Static(

apps/app/src/test/scala/org/lfdecentralizedtrust/splice/integration/tests/SpliceTests.scala

@@ -314,13 +314,13 @@ object SpliceTests extends LazyLogging {
         newUser: String,
     ): AuthTokenSourceConfig = {
       conf match {
-        case AuthTokenSourceConfig.Static(_, adminToken, expiration) => {
+        case AuthTokenSourceConfig.Static(_, adminToken) => {
           val secret = "test" // used for all of our tests
-          val userToken = AuthUtil.LedgerApi.testToken(newUser, secret, expiration)
+          val userToken = AuthUtil.LedgerApi.testToken(newUser, secret)
           AuthTokenSourceConfig.Static(userToken, adminToken)
         }
-        case AuthTokenSourceConfig.SelfSigned(audience, _, secret, adminToken, expiration) => {
-          AuthTokenSourceConfig.SelfSigned(audience, newUser, secret, adminToken, expiration)
+        case AuthTokenSourceConfig.SelfSigned(audience, _, secret, adminToken) => {
+          AuthTokenSourceConfig.SelfSigned(audience, newUser, secret, adminToken)
         }
         case _ => conf
       }

apps/common/src/main/scala/org/lfdecentralizedtrust/splice/auth/AuthTokenSource.scala

@@ -7,7 +7,6 @@ import com.daml.jwt.{AuthServiceJWTCodec, Jwt, JwtDecoder, StandardJWTPayload}
 import org.apache.pekko.actor.ActorSystem
 import org.lfdecentralizedtrust.splice.auth.OAuthApi.TokenResponse
 import org.lfdecentralizedtrust.splice.config.AuthTokenSourceConfig
-import com.digitalasset.canton.config.NonNegativeFiniteDuration
 import com.digitalasset.canton.data.CantonTimestamp
 import com.digitalasset.canton.logging.{NamedLoggerFactory, NamedLogging}
 import com.digitalasset.canton.tracing.TraceContext
@@ -74,11 +73,10 @@ case class AuthTokenSourceSelfSigned(
     audience: String,
     user: String,
     secret: String,
-    expiration: NonNegativeFiniteDuration,
 ) extends AuthTokenSource {
   override def getToken(implicit tc: TraceContext): Future[Option[AuthToken]] =
     Future.successful(
-      Some(AuthToken(AuthUtil.testTokenSecret(audience, user, secret, expiration)))
+      Some(AuthToken(AuthUtil.testTokenSecret(audience, user, secret)))
     )
 }
 
@@ -117,10 +115,10 @@ object AuthTokenSource {
   )(implicit ec: ExecutionContext, ac: ActorSystem): AuthTokenSource = config match {
     case AuthTokenSourceConfig.None() =>
       new AuthTokenSourceNone()
-    case AuthTokenSourceConfig.Static(token, _, _) =>
+    case AuthTokenSourceConfig.Static(token, _) =>
       new AuthTokenSourceStatic(token)
-    case AuthTokenSourceConfig.SelfSigned(audience, user, secret, _, expiration) =>
-      new AuthTokenSourceSelfSigned(audience, user, secret, expiration)
+    case AuthTokenSourceConfig.SelfSigned(audience, user, secret, _) =>
+      new AuthTokenSourceSelfSigned(audience, user, secret)
     case AuthTokenSourceConfig.ClientCredentials(
           wellKnownConfigUrl,
           clientId,

apps/common/src/main/scala/org/lfdecentralizedtrust/splice/auth/AuthUtil.scala

@@ -5,7 +5,6 @@ package org.lfdecentralizedtrust.splice.auth
 
 import com.auth0.jwt.JWT
 import com.auth0.jwt.algorithms.Algorithm
-import com.digitalasset.canton.config.NonNegativeFiniteDuration
 
 // See also: com.daml.ledger.api.auth.Main from the Daml SDK contains utils for generating ledger API access tokens
 object AuthUtil {
@@ -29,23 +28,19 @@ object AuthUtil {
       audience: String,
       user: String,
       secret: String,
-      expiration: NonNegativeFiniteDuration = NonNegativeFiniteDuration.ofDays(30),
   ): String = {
-    testTokenSecret(audience, user, secret, expiration)
+    testTokenSecret(audience, user, secret)
   }
 
   def testTokenSecret(
       audience: String,
       user: String,
       secret: String,
-      expiration: NonNegativeFiniteDuration,
   ): String = {
     JWT
       .create()
       .withSubject(user)
       .withAudience(audience)
-      // Canton also uses Instant.now for the checks even in simtime so this is ok.
-      .withExpiresAt(java.time.Instant.now().plus(expiration.asJava))
       .sign(Algorithm.HMAC256(secret))
   }
 
@@ -61,15 +56,12 @@ object AuthUtil {
     def testToken(
         user: String,
         secret: String,
-        expiration: NonNegativeFiniteDuration,
     ): String = {
       JWT
         .create()
         .withSubject(user)
         .withClaim("scope", "daml_ledger_api")
         .withAudience(testAudience)
-        // Canton also uses Instant.now for the checks even in simtime so this is ok.
-        .withExpiresAt(java.time.Instant.now().plus(expiration.asJava))
         .sign(Algorithm.HMAC256(secret))
     }
   }

apps/common/src/main/scala/org/lfdecentralizedtrust/splice/config/AuthTokenSourceConfig.scala

@@ -3,8 +3,6 @@
 
 package org.lfdecentralizedtrust.splice.config
 
-import com.digitalasset.canton.config.NonNegativeFiniteDuration
-
 sealed trait AuthTokenSourceConfig {
   // Token that will be used for all commands that need to bypass ledger API auth.
   // Due to the way Canton console is designed, this need to be a static token.
@@ -20,7 +18,6 @@ object AuthTokenSourceConfig {
   final case class Static(
       token: String,
       adminToken: Option[String],
-      expiration: NonNegativeFiniteDuration = NonNegativeFiniteDuration.ofDays(30),
   ) extends AuthTokenSourceConfig
 
   /** Settings for generating self-signed tokens. Use for testing purposes only. */
@@ -29,7 +26,6 @@ object AuthTokenSourceConfig {
       user: String,
       secret: String,
       adminToken: Option[String],
-      expiration: NonNegativeFiniteDuration = NonNegativeFiniteDuration.ofDays(30),
   ) extends AuthTokenSourceConfig
 
   /** Using OAuth client credentials flow to acquire tokens */
@@ -48,9 +44,9 @@ object AuthTokenSourceConfig {
     val hide = (t: Option[String]) => t.map(_ => hidden)
     config match {
       case None() => None()
-      case Static(_, adminToken, expiration) => Static(hidden, hide(adminToken), expiration)
-      case SelfSigned(audience, user, _, adminToken, expiration) =>
-        SelfSigned(audience, user, hidden, hide(adminToken), expiration)
+      case Static(_, adminToken) => Static(hidden, hide(adminToken))
+      case SelfSigned(audience, user, _, adminToken) =>
+        SelfSigned(audience, user, hidden, hide(adminToken))
       case ClientCredentials(wellKnownConfigUrl, clientId, _, audience, scope, adminToken) =>
         ClientCredentials(wellKnownConfigUrl, clientId, hidden, audience, scope, hide(adminToken))
     }