Thanks to visit codestin.com
Credit goes to github.com

Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: cipherstash/proxy
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v2.2.3
Choose a base ref
...
head repository: cipherstash/proxy
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: main
Choose a head ref
  • 3 commits
  • 4 files changed
  • 1 contributor

Commits on Jun 18, 2026

  1. fix: correct access-key token expiry interpretation in vendored stack… 

    …-auth (CIP-3233)

stack-auth's AccessKeyRefresher computed expires_at as `now + auth_resp.expiry`, but CTS /api/authorise returns `expiry` as an ABSOLUTE Unix epoch (the JWT `exp` claim), not a relative duration. The sum landed ~decades in the future, so AutoRefresh never considered the token expired and never refreshed it; ZeroKMS enforced the real ~15-min exp, so encrypt/decrypt failed ~15 min after startup until the pod restarted.

Use the value as-is: `expires_at: auth_resp.expiry`. Also corrects the access-key test fixtures, which mocked `expiry` as a small relative value (e.g. 3600) and thereby hid the bug — they now model an absolute epoch (now + N) like the real CTS. Adds a regression test asserting an absolute `expiry` yields expires_in ~= the intended TTL (fails under the pre-fix `now + expiry` arithmetic).

This is the actual root cause of the customer's 15-minute failures; the 2.2.3 CancelGuard backport (CIP-3159) is unrelated hardening and did not help. Confirmed against a live production token: response.expiry == JWT exp (absolute), exp - iat == 900.
    @freshtonic
    freshtonic committed Jun 18, 2026
    Configuration menu
    Copy the full SHA
    a65ec77 View commit details
    Browse the repository at this point in the history

  2. chore: prepare v2.2.4 release 

    Patch release carrying the access-key token-expiry fix (CIP-3233): bump workspace version 2.2.3 -> 2.2.4 and promote the Unreleased CHANGELOG entry to [2.2.4].
    @freshtonic
    freshtonic committed Jun 18, 2026
    Configuration menu
    Copy the full SHA
    a239ebc View commit details
    Browse the repository at this point in the history

  3. Merge pull request #408 from cipherstash/james/cip-3233-access-key-ex… 

    …piry

fix: access-key token expiry parsed as relative — tokens never refresh (CIP-3233); release 2.2.4
    @freshtonic
    freshtonic authored Jun 18, 2026
    Configuration menu
    Copy the full SHA
    4facf29 View commit details
    Browse the repository at this point in the history
Loading