instructure · bfcoder · Mar 21, 2022
diff --git a/app/models/users/access_verifier.rb b/app/models/users/access_verifier.rb
@@ -21,8 +21,6 @@
 
 module Users
   module AccessVerifier
-    TTL_MINUTES = 5
-
     class InvalidVerifier < RuntimeError
     end
 
@@ -40,7 +38,7 @@ def self.generate(claims)
       jwt_claims[:root_account_id] = root_account.global_id.to_s if root_account
       jwt_claims.merge!(claims.slice(:oauth_host, :return_url, :fallback_url))
 
-      expires = TTL_MINUTES.minutes.from_now
+      expires = Setting.get("access_verifier.ttl_minutes", "5").to_i.minutes.from_now
       key = nil # use default key
       { sf_verifier: Canvas::Security.create_jwt(jwt_claims, expires, key, :HS512) }
     end

diff --git a/spec/controllers/files_controller_spec.rb b/spec/controllers/files_controller_spec.rb
@@ -367,7 +367,7 @@ def file_with_path(path)
 
       # second use after verifier expiration but before session expiration.
       # expired verifier should be ignored but session should still be extended
-      Timecop.freeze((Users::AccessVerifier::TTL_MINUTES + 1).minutes.from_now) do
+      Timecop.freeze((Setting.get("access_verifier.ttl_minutes", "5").to_i + 1).minutes.from_now) do
         get "show", params: verifier.merge(id: file.id)
       end
       expect(response).to be_successful

diff --git a/spec/models/users/access_verifier_spec.rb b/spec/models/users/access_verifier_spec.rb
@@ -91,7 +91,7 @@ module Users
 
       it "raises InvalidVerifier if too old" do
         verifier = Users::AccessVerifier.generate(user: user)
-        Timecop.freeze(10.minutes.from_now) do
+        Timecop.freeze((Setting.get("access_verifier.ttl_minutes", "5").to_i + 1).minutes.from_now) do
           expect { Users::AccessVerifier.validate(verifier) }.to raise_exception(Canvas::Security::TokenExpired)
         end
       end