feat: derive token cache expiry from JWT claim

Currently the code will cache a JWT for 5 minutes. This creates a timing
bug and forces unnecessary caching.

Since tokens are cached for 5 minutes, it is possible that a token with
1 second of expiration left is cached. The cache code pulls the token
out of the cache without any validation, the expired token will be used
for the next 4 minutes and 59 seconds.

This work sets the cache expiration time based on the token expiration
time. This results in each token being cached once and evicted from the
cache at expiration.

In cases where the JWT needs to be valid beyond this check (e.g., for
downstream requests), users can optionally choose to expire the cache
before the JWT expiration time with `TokenExpiryBuffer` option. This
option also ensures JWTs that are within the expiration window are
treated as expired.

Author: drombosky

api_test.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"reflect"
 	"strings"
 	"testing"
 	"time"
@@ -708,3 +709,75 @@ func TestWrapMCPEndpointWithValidToken(t *testing.T) {
 		t.Errorf("status = %d, want 200", rec.Code)
 	}
 }
+
+// TestTokenExpiryBuffer tests that the cache TTL is derived from the JWT exp claim.
+func TestTokenExpiryBuffer(t *testing.T) {
+	tests := []struct {
+		name              string
+		expirationFromNow time.Duration
+		tokenExpiryBuffer time.Duration
+		want              *User
+		wantErr           string
+	}{
+		{
+			name:              "success",
+			expirationFromNow: time.Minute,
+			want:              &User{Subject: "testuser"},
+		},
+		{
+			name:              "expired token",
+			expirationFromNow: -time.Minute,
+			wantErr:           "authentication failed: failed to parse and validate token: token has invalid claims: token is expired",
+		},
+		{
+			name:              "token expires in buffer",
+			tokenExpiryBuffer: 5 * time.Minute,
+			expirationFromNow: time.Minute,
+			wantErr:           "authentication failed: token expired or expiring too soon",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := &Config{
+				Mode:              "native",
+				Provider:          "hmac",
+				Audience:          "api://test",
+				JWTSecret:         []byte("test-secret-key-must-be-32-bytes-long!"),
+				ServerURL:         "https://test-server.com",
+				Issuer:            "https://test.example.com",
+				TokenExpiryBuffer: tt.tokenExpiryBuffer,
+			}
+			srv, err := NewServer(cfg)
+			if err != nil {
+				t.Fatalf("NewServer: %v", err)
+			}
+
+			// Create a valid HMAC token
+			token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+				"sub": "testuser",
+				"aud": "api://test",
+				"iss": "https://test.example.com",
+				"exp": time.Now().Add(tt.expirationFromNow).Unix(),
+			})
+			tokenString, _ := token.SignedString(cfg.JWTSecret)
+
+			user, err := srv.ValidateTokenCached(context.Background(), tokenString)
+			if tt.wantErr != "" {
+				if err == nil {
+					t.Fatalf("expected error containing %q, got nil", tt.wantErr)
+				}
+				if !strings.Contains(err.Error(), tt.wantErr) {
+					t.Errorf("expected error containing %q, got %q", tt.wantErr, err.Error())
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %s", err)
+			}
+			if !reflect.DeepEqual(user, tt.want) {
+				t.Errorf("expected user %v got user %v", tt.want, user)
+			}
+		})
+	}
+}

config.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/tuannvm/oauth-mcp-proxy/provider"
 )
@@ -41,6 +42,11 @@ type Config struct {
 	// The issuer URL to use for issuer validation.
 	// This should only be set if the issuer in the token differs from the standard issuer URL.
 	ValidatorIssuer string
+
+	// TokenExpiryBuffer is subtracted from the JWT's exp claim to determine
+	// effective cache expiry. Tokens with less than this duration remaining
+	// are treated as expired and rejected. Defaults to 0 (no buffer).
+	TokenExpiryBuffer time.Duration
 }
 
 // Validate validates the configuration
@@ -265,6 +271,13 @@ func (b *ConfigBuilder) WithValidatorIssuer(validatorIssuer string) *ConfigBuild
 	return b
 }
 
+// WithTokenExpiryBuffer sets the buffer subtracted from JWT exp for cache expiry.
+// Tokens with less than d remaining until expiry are treated as expired and rejected.
+func (b *ConfigBuilder) WithTokenExpiryBuffer(d time.Duration) *ConfigBuilder {
+	b.config.TokenExpiryBuffer = d
+	return b
+}
+
 // WithServerURL sets the full server URL directly
 func (b *ConfigBuilder) WithServerURL(url string) *ConfigBuilder {
 	b.config.ServerURL = url

context_propagation_test.go

@@ -41,7 +41,7 @@ func TestContextPropagation(t *testing.T) {
 
 		// Test 1: Normal context works
 		ctx := context.Background()
-		user, err := server.validator.ValidateToken(ctx, tokenString)
+		user, _, err := server.validator.ValidateToken(ctx, tokenString)
 		if err != nil {
 			t.Fatalf("ValidateToken with normal context failed: %v", err)
 		}
@@ -83,7 +83,7 @@ func TestContextPropagation(t *testing.T) {
 
 		// For HMAC validator (local-only), this still succeeds
 		// because HMAC doesn't do I/O and doesn't check context cancellation
-		user, err := server.validator.ValidateToken(ctx, tokenString)
+		user, _, err := server.validator.ValidateToken(ctx, tokenString)
 
 		// HMAC validation is local-only, so it succeeds even with cancelled context
 		if err != nil {
@@ -126,7 +126,7 @@ func TestContextPropagation(t *testing.T) {
 		defer cancel()
 
 		// Validate with timeout context
-		user, err := server.validator.ValidateToken(ctx, tokenString)
+		user, _, err := server.validator.ValidateToken(ctx, tokenString)
 		if err != nil {
 			t.Fatalf("ValidateToken with timeout context failed: %v", err)
 		}

docs/SECURITY.md

@@ -200,7 +200,8 @@ oauth.WithOAuth(mux, &oauth.Config{
 
 ### Cache Behavior
 
-- **Cache TTL:** 5 minutes (hardcoded in v0.1.0)
+- **Cache TTL:** No longer than the expiration on the JWT, expiry buffer
+  configurable
 - **Cache scope:** Per Server instance
 - **Cache key:** SHA-256 hash of token
 

integration_test.go

@@ -47,7 +47,7 @@ func TestIntegration(t *testing.T) {
 		tokenString, _ := token.SignedString(cfg.JWTSecret)
 
 		// Validate token using provider package directly
-		user, err := validator.ValidateToken(context.Background(), tokenString)
+		user, _, err := validator.ValidateToken(context.Background(), tokenString)
 		if err != nil {
 			t.Fatalf("ValidateToken failed: %v", err)
 		}
@@ -90,7 +90,7 @@ func TestIntegration(t *testing.T) {
 
 		tokenString, _ := token.SignedString(rootCfg.JWTSecret)
 
-		user, err := validator.ValidateToken(context.Background(), tokenString)
+		user, _, err := validator.ValidateToken(context.Background(), tokenString)
 		if err != nil {
 			t.Fatalf("ValidateToken after conversion failed: %v", err)
 		}
@@ -276,7 +276,7 @@ func TestValidatorIntegration(t *testing.T) {
 
 		tokenString, _ := token.SignedString(cfg.JWTSecret)
 
-		user, err := v.ValidateToken(context.Background(), tokenString)
+		user, _, err := v.ValidateToken(context.Background(), tokenString)
 		if err != nil {
 			t.Fatalf("ValidateToken failed: %v", err)
 		}

middleware.go

@@ -2,12 +2,10 @@ package oauth
 
 import (
 	"context"
-	"crypto/sha256"
 	"fmt"
 	"log"
 	"net/http"
 	"strings"
-	"time"
 
 	"github.com/mark3labs/mcp-go/mcp"
 	"github.com/mark3labs/mcp-go/server"
@@ -38,36 +36,13 @@ func (s *Server) Middleware() func(server.ToolHandlerFunc) server.ToolHandlerFun
 				return nil, fmt.Errorf("authentication required: missing OAuth token")
 			}
 
-			// Create token hash for caching
-			tokenHash := fmt.Sprintf("%x", sha256.Sum256([]byte(tokenString)))
-
-			// Check cache first
-			if cached, exists := s.cache.getCachedToken(tokenHash); exists {
-				s.logger.Info("Using cached authentication for tool: %s (user: %s)", req.Params.Name, cached.User.Username)
-				ctx = context.WithValue(ctx, userContextKey, cached.User)
-				return next(ctx, req)
-			}
-
-			// Log token hash for debugging (prevents sensitive data exposure)
-			tokenHashFull := fmt.Sprintf("%x", sha256.Sum256([]byte(tokenString)))
-			tokenHashPreview := tokenHashFull[:16] + "..."
-			s.logger.Info("Validating token for tool %s (hash: %s)", req.Params.Name, tokenHashPreview)
-
-			// Validate token using configured provider (with request context for timeout/cancellation)
-			user, err := s.validator.ValidateToken(ctx, tokenString)
+			user, err := s.ValidateTokenCached(ctx, tokenString)
 			if err != nil {
 				s.logger.Error("Token validation failed for tool %s: %v", req.Params.Name, err)
 				return nil, fmt.Errorf("authentication failed: %w", err)
 			}
-
-			// Cache the validation result (expire in 5 minutes)
-			expiresAt := time.Now().Add(5 * time.Minute)
-			s.cache.setCachedToken(tokenHash, user, expiresAt)
-
-			// Add user to context for downstream handlers
 			ctx = context.WithValue(ctx, userContextKey, user)
-			s.logger.Info("Authenticated user %s for tool: %s (cached for 5 minutes)", user.Username, req.Params.Name)
-
+			s.logger.Info("Authenticated user %s for tool: %s", user.Username, req.Params.Name)
 			return next(ctx, req)
 		}
 	}

oauth.go

@@ -104,9 +104,9 @@ func (s *Server) RegisterHandlers(mux *http.ServeMux) {
 // This is the core validation method that SDK adapters can use.
 //
 // The method:
-//  1. Checks token cache (5-minute TTL)
+//  1. Checks token cache (keyed by SHA-256 hash)
 //  2. Validates token using configured provider if not cached
-//  3. Caches validation result for future requests
+//  3. Caches validation result until JWT exp (minus TokenExpiryBuffer)
 //  4. Returns authenticated User or error
 //
 // This method is used internally by both WrapHandler and adapter middleware.
@@ -120,16 +120,22 @@ func (s *Server) ValidateTokenCached(ctx context.Context, token string) (*User,
 
 	s.logger.Info("Validating token (hash: %s...)", tokenHash[:16])
 
-	user, err := s.validator.ValidateToken(ctx, token)
+	user, expiry, err := s.validator.ValidateToken(ctx, token)
 	if err != nil {
 		s.logger.Error("Token validation failed: %v", err)
 		return nil, fmt.Errorf("authentication failed: %w", err)
 	}
 
-	expiresAt := time.Now().Add(5 * time.Minute)
-	s.cache.setCachedToken(tokenHash, user, expiresAt)
+	if s.config != nil {
+		expiry = expiry.Add(-s.config.TokenExpiryBuffer)
+	}
+	if time.Now().After(expiry) {
+		return nil, fmt.Errorf("authentication failed: token expired or expiring too soon")
+	}
+
+	s.cache.setCachedToken(tokenHash, user, expiry)
 
-	s.logger.Info("Authenticated user %s (cached for 5 minutes)", user.Username)
+	s.logger.Info("Authenticated user %s (cache expires at %s)", user.Username, expiry.Format(time.RFC3339))
 	return user, nil
 }
 

provider/provider.go

@@ -41,7 +41,7 @@ type Config struct {
 
 // TokenValidator interface for OAuth token validation
 type TokenValidator interface {
-	ValidateToken(ctx context.Context, token string) (*User, error)
+	ValidateToken(ctx context.Context, token string) (*User, time.Time, error)
 	Initialize(cfg *Config) error
 }
 
@@ -80,7 +80,7 @@ func (v *HMACValidator) Initialize(cfg *Config) error {
 }
 
 // ValidateToken validates JWT token using HMAC-SHA256
-func (v *HMACValidator) ValidateToken(ctx context.Context, tokenString string) (*User, error) {
+func (v *HMACValidator) ValidateToken(ctx context.Context, tokenString string) (*User, time.Time, error) {
 	// Note: ctx parameter accepted for interface compliance, but HMAC validation is local-only (no I/O)
 	// Remove Bearer prefix if present
 	tokenString = strings.TrimPrefix(tokenString, "Bearer ")
@@ -94,26 +94,26 @@ func (v *HMACValidator) ValidateToken(ctx context.Context, tokenString string) (
 		return []byte(v.secret), nil
 	})
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse and validate token: %w", err)
+		return nil, time.Time{}, fmt.Errorf("failed to parse and validate token: %w", err)
 	}
 
 	if !token.Valid {
-		return nil, fmt.Errorf("invalid token")
+		return nil, time.Time{}, fmt.Errorf("invalid token")
 	}
 
 	claims, ok := token.Claims.(jwt.MapClaims)
 	if !ok {
-		return nil, fmt.Errorf("invalid token claims")
+		return nil, time.Time{}, fmt.Errorf("invalid token claims")
 	}
 
 	// Validate required claims including audience
 	if err := validateTokenClaims(claims); err != nil {
-		return nil, fmt.Errorf("token validation failed: %w", err)
+		return nil, time.Time{}, fmt.Errorf("token validation failed: %w", err)
 	}
 
 	// Validate audience claim for security
 	if err := v.validateAudience(claims); err != nil {
-		return nil, fmt.Errorf("audience validation failed: %w", err)
+		return nil, time.Time{}, fmt.Errorf("audience validation failed: %w", err)
 	}
 
 	// Extract user information
@@ -124,10 +124,17 @@ func (v *HMACValidator) ValidateToken(ctx context.Context, tokenString string) (
 	}
 
 	if user.Subject == "" {
-		return nil, fmt.Errorf("missing subject in token")
+		return nil, time.Time{}, fmt.Errorf("missing subject in token")
 	}
 
-	return user, nil
+	// Extract expiry from already-parsed claims defaulting to 5 minutes in the
+	// future.
+	expiry := time.Now().Add(5 * time.Minute)
+	if expVal, ok := claims["exp"].(float64); ok {
+		expiry = time.Unix(int64(expVal), 0)
+	}
+
+	return user, expiry, nil
 }
 
 // validateAudience validates the audience claim matches the expected value
@@ -223,7 +230,7 @@ func (v *OIDCValidator) Initialize(cfg *Config) error {
 }
 
 // ValidateToken validates JWT token using OIDC/JWKS
-func (v *OIDCValidator) ValidateToken(ctx context.Context, tokenString string) (*User, error) {
+func (v *OIDCValidator) ValidateToken(ctx context.Context, tokenString string) (*User, time.Time, error) {
 	// Remove Bearer prefix if present
 	tokenString = strings.TrimPrefix(tokenString, "Bearer ")
 
@@ -234,7 +241,7 @@ func (v *OIDCValidator) ValidateToken(ctx context.Context, tokenString string) (
 	// go-oidc handles RSA signature validation, JWKS fetching, and key rotation
 	idToken, err := v.verifier.Verify(ctx, tokenString)
 	if err != nil {
-		return nil, fmt.Errorf("token verification failed: %w", err)
+		return nil, time.Time{}, fmt.Errorf("token verification failed: %w", err)
 	}
 
 	// Extract claims from verified token
@@ -253,28 +260,28 @@ func (v *OIDCValidator) ValidateToken(ctx context.Context, tokenString string) (
 	}
 
 	if err := idToken.Claims(&claims); err != nil {
-		return nil, fmt.Errorf("failed to extract claims: %w", err)
+		return nil, time.Time{}, fmt.Errorf("failed to extract claims: %w", err)
 	}
 
 	// Extract raw claims for audience validation
 	var rawClaims jwt.MapClaims
 	if err := idToken.Claims(&rawClaims); err != nil {
-		return nil, fmt.Errorf("failed to extract raw claims: %w", err)
+		return nil, time.Time{}, fmt.Errorf("failed to extract raw claims: %w", err)
 	}
 
 	// Run extra validation functions
 	for i, fn := range v.TokenValidators {
 		err := fn(rawClaims)
 		if err != nil {
-			return nil, fmt.Errorf("validation function %d failed with error: %w", i, err)
+			return nil, time.Time{}, fmt.Errorf("validation function %d failed with error: %w", i, err)
 		}
 	}
 
 	return &User{
 		Subject:  claims.Subject,
 		Username: claims.PreferredUsername,
 		Email:    claims.Email,
-	}, nil
+	}, idToken.Expiry, nil
 }
 
 // validateAudience validates the audience claim matches the expected value for OIDC tokens