From 2e266e318a3107200236329758643936bf577a36 Mon Sep 17 00:00:00 2001
From: Michal
Date: Sat, 25 Apr 2026 18:41:22 +0100
Subject: [PATCH] fix(mcplocal): lower default token introspection TTL in serve.ts too
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Followup to e51b924. The middleware default in token-auth.ts is 5s, but serve.ts wraps the construction with its own env-fallback default of 30000ms — so when MCPLOCAL_TOKEN_POSITIVE_TTL_MS isn't set in the environment, serve.ts always wins and revoked tokens still propagate slowly. Lowered serve.ts to 5s for symmetry; operators wanting a longer window can set the env var explicitly. Caught by mcptoken.smoke continuing to fail after the previous redeploy: verified the token-auth.js shipped with `?? 5_000`, but the wrapper was overriding it.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 src/mcplocal/src/serve.ts | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/mcplocal/src/serve.ts b/src/mcplocal/src/serve.ts
index 9aad665..c9ee651 100644
--- a/src/mcplocal/src/serve.ts
+++ b/src/mcplocal/src/serve.ts
@@ -67,9 +67,12 @@ export async function serve(): Promise {
 const httpServer = await createHttpServer(httpConfig, { router, providerRegistry });
 // Auth preHandler: only protect the MCP surfaces. /health, /healthz, /proxymodels etc stay open.
- // Introspection cache TTLs are tunable via env for operators who want stricter revocation
- // propagation at the cost of more round-trips to mcpd.
- const positiveTtlMs = Number(process.env.MCPLOCAL_TOKEN_POSITIVE_TTL_MS ?? '30000');
+ // Introspection cache TTLs are tunable via env for operators who want a different tradeoff.
+ // Default 5s for both: mcpd's introspection endpoint is a single DB lookup, so the cache
+ // mainly protects against burst restart storms — not steady-state load. A higher positive
+ // TTL means revoked tokens keep working for the full window after revocation; 5s aligns with
+ // the negativeTtl and matches mcptoken.smoke's 7s `wait after revoke` assertion.
+ const positiveTtlMs = Number(process.env.MCPLOCAL_TOKEN_POSITIVE_TTL_MS ?? '5000');
 const negativeTtlMs = Number(process.env.MCPLOCAL_TOKEN_NEGATIVE_TTL_MS ?? '5000');
 const tokenAuth = createTokenAuthMiddleware({ mcpdUrl, positiveTtlMs, negativeTtlMs });
 httpServer.addHook('preHandler', async (request, reply) => {
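Review bot: The new `positiveTtlMs` line on the `+` side still hands the raw result of `Number(...)` to `createTokenAuthMiddleware`, so an operator who sets `MCPLOCAL_TOKEN_POSITIVE_TTL_MS` to an empty string gets a TTL of `0` and a typo gets `NaN`; how the middleware treats `NaN` cannot be told from this hunk, so the effective revocation window may silently differ from the documented 5s either way. A guard after the two parses would make the misconfiguration loud: `if (!Number.isFinite(positiveTtlMs) || positiveTtlMs < 0) throw new Error('MCPLOCAL_TOKEN_POSITIVE_TTL_MS must be a non-negative number of milliseconds');` (the unchanged `negativeTtlMs` context line has the same gap). The description also states that token-auth.ts already defaults to 5s via `?? 5_000`, so this change keeps the same security constant in two places — the very desync the commit is fixing; if the middleware option is optional, passing `undefined` through when the env var is unset and letting the middleware default apply would leave a single source of truth. The enclosing `serve()` body starts and ends outside the hunk.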