I gave session tokens a 24-hour expiry in Open Relay

Published: April 10, 2026 at 03:52 PM EDT
Source: Dev.to


Background

The security audit for Open Relay (oly) identified a critical issue: session tokens never expired. Once authenticated, a token remained in an in‑memory HashSet until the daemon restarted, which could be days. If a token leaked from a browser cookie, proxy log, or Referer header, it was valid indefinitely.

Implementation

  • Replaced the token store HashSet with a HashMap.
  • Each TokenEntry records an issued_at timestamp.
  • Authentication now validates the token age against a configurable TTL (24 hours by default).
  • Expired entries are removed lazily during the next authentication check, avoiding a background thread and preventing unbounded memory growth.
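
The scheme in the list above, as an added sketch that is not Open Relay's own code: TokenEntry and issued_at are the names the post uses, while TokenStore, issue, authenticate and len are hypothetical. It assumes a monotonic Instant as the timestamp, treats a token as expired once its age reaches the TTL, and uses constructed token strings.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Default lifetime from the post: 24 hours.
const DEFAULT_TTL: Duration = Duration::from_secs(24 * 60 * 60);

struct TokenEntry {
    issued_at: Instant,
}

/// Hypothetical store: token string -> entry, plus the configured TTL.
struct TokenStore {
    ttl: Duration,
    tokens: HashMap<String, TokenEntry>,
}

impl TokenStore {
    fn new(ttl: Duration) -> Self {
        TokenStore { ttl, tokens: HashMap::new() }
    }

    /// Record a freshly issued token (generating the random value is out of scope).
    fn issue(&mut self, token: &str, now: Instant) {
        self.tokens.insert(token.to_owned(), TokenEntry { issued_at: now });
    }

    /// Lazy sweep: drop every entry whose age has reached the TTL (assumed
    /// boundary: age == ttl counts as expired), then look up the presented token.
    fn authenticate(&mut self, token: &str, now: Instant) -> bool {
        let ttl = self.ttl;
        self.tokens
            .retain(|_, e| now.saturating_duration_since(e.issued_at) < ttl);
        self.tokens.contains_key(token)
    }

    fn len(&self) -> usize {
        self.tokens.len()
    }
}

fn main() {
    let t0 = Instant::now();
    let mut store = TokenStore::new(DEFAULT_TTL);
    store.issue("constructed-token-a", t0); // constructed sample value
    let later = t0 + Duration::from_secs(25 * 60 * 60);
    println!("fresh: {}", store.authenticate("constructed-token-a", t0));
    println!("after 25h: {}", store.authenticate("constructed-token-a", later));
    println!("entries left: {}", store.len());
}
```

Because the sweep runs inside every authentication check, a failed lookup for an unknown token still evicts expired entries, so the map stays bounded by the number of logins within one TTL window.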

Impact

  • Leaked tokens now have a natural expiration date.
  • Long‑running daemons no longer accumulate unlimited token entries from repeated logins.
  • Backward compatibility: tokens issued before the upgrade remain valid until the TTL naturally expires.

Other Findings from the Audit

  • Per‑IP login lockouts instead of a shared path that blocks everyone.
  • Secure cookie flag when behind TLS proxies.
  • Bounded IPC line reads to prevent memory‑exhaustion DoS.
  • Stricter trust handling for X-Forwarded-For headers.

The full audit report is available in docs/SECURITY_AUDIT_REPORT.md in the repository.

About Open Relay

Open Relay treats long‑running CLI and AI agent sessions as manageable services: start once, detach, inspect logs later, and send input only when needed. It is designed for building agent workflows that require durable, inspectable terminal sessions.

Repository:
