feat: add server.oauth config section with separate TTLs and enabled flag

OAuth endpoints now have dedicated config (enabled, accessTokenTtl,
refreshTokenTtl, authCodeTtl) separate from UI JWT tokens. Disabled
by default — set server.oauth.enabled: true to activate.

Author: prih

docs/authentication.md

@@ -188,7 +188,7 @@ Authorization: Bearer mgm-key-abc123
 
 ### Option 2 — OAuth 2.0
 
-The server implements RFC 8414 OAuth 2.0 Authorization Server Metadata. `jwtSecret` must be set in the config for OAuth to work.
+The server implements RFC 8414 OAuth 2.0 Authorization Server Metadata. `jwtSecret` must be set in the config for OAuth to work. OAuth is disabled by default; enable it with `server.oauth.enabled: true`. Token TTLs are configured separately from UI tokens via `server.oauth.accessTokenTtl` (default `1h`), `server.oauth.refreshTokenTtl` (default `7d`), and `server.oauth.authCodeTtl` (default `10m`).
 
 #### Discovery manifest
 
@@ -234,7 +234,7 @@ grant_type=client_credentials&client_id=<userId>&client_secret=<apiKey>
 }
 ```
 
-The `access_token` is a short-lived JWT (1 hour) signed with `jwtSecret`, with payload `{ userId, type: 'oauth_access' }`.
+The `access_token` is a short-lived JWT (default 1 hour, configurable via `server.oauth.accessTokenTtl`) signed with `jwtSecret`, with payload `{ userId, type: 'oauth_access' }`.
 
 #### Grant type: authorization_code + PKCE
 

docs/configuration.md

@@ -48,6 +48,11 @@ server:
   cookieSecure: true
   accessTokenTtl: "15m"
   refreshTokenTtl: "7d"
+  oauth:
+    enabled: false
+    accessTokenTtl: "1h"
+    refreshTokenTtl: "7d"
+    authCodeTtl: "10m"
   maxFileSize: 1048576
   exclude: "**/vendor/**"
   rateLimit:
@@ -163,6 +168,16 @@ workspaces:
 | `rateLimit` | object | — | Rate limiting: `global` (default 600), `search` (default 120), `auth` (default 10) requests/min |
 | `maxFileSize` | number | `1048576` | Max file size in bytes for indexing (1 MB default). Also settable at workspace/project level |
 | `exclude` | string | — | Additional glob to exclude (merged with default `**/node_modules/**`, `**/dist/**`) |
+| `oauth` | object | (see below) | OAuth 2.0 configuration |
+
+## OAuth config
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `enabled` | boolean | `false` | Enable/disable OAuth 2.0 endpoints. When `false`, discovery and all OAuth routes return 404 |
+| `accessTokenTtl` | string | `1h` | OAuth access token lifetime (separate from UI `accessTokenTtl`) |
+| `refreshTokenTtl` | string | `7d` | OAuth refresh token lifetime (separate from UI `refreshTokenTtl`) |
+| `authCodeTtl` | string | `10m` | Authorization code lifetime for PKCE flow |
 
 ## Model config
 

graph-memory.yaml.example

@@ -51,6 +51,13 @@ server:
   # accessTokenTtl: "15m"                       # JWT access token lifetime (default: 15m)
   # refreshTokenTtl: "7d"                       # JWT refresh token lifetime (default: 7d)
   # maxFileSize: 1048576                        # Max file size for indexing in bytes (default: 1 MB)
+
+  # OAuth 2.0 settings (separate from UI JWT tokens above)
+  # oauth:
+  #   enabled: true                              # Enable OAuth endpoints (default: false)
+  #   accessTokenTtl: "1h"                       # OAuth access token lifetime (default: 1h)
+  #   refreshTokenTtl: "7d"                      # OAuth refresh token lifetime (default: 7d)
+  #   authCodeTtl: "10m"                         # Authorization code TTL for PKCE flow (default: 10m)
   # exclude: "**/vendor/**"                     # Additional glob to exclude (merged with default: **/node_modules/**, **/dist/**)
 
   # Redis (optional — session store for OAuth codes/sessions + embedding cache)

src/api/rest/index.ts

@@ -229,7 +229,9 @@ export function createRestApp(projectManager: ProjectManager, options?: RestAppO
   });
 
   // --- OAuth 2.0 endpoints (before auth middleware — unauthenticated) ---
-  app.use('/', createOAuthRouter(users, serverConfig, options?.sessionStore));
+  if (serverConfig?.oauth?.enabled !== false) {
+    app.use('/', createOAuthRouter(users, serverConfig, options?.sessionStore));
+  }
 
   // --- Auth middleware: cookie JWT → Bearer apiKey → anonymous ---
   if (hasUsers) {

src/api/rest/oauth.ts

@@ -5,8 +5,6 @@ import { resolveUserFromApiKey } from '@/lib/access';
 import type { UserConfig, ServerConfig } from '@/lib/multi-config';
 import { MemorySessionStore, type SessionStore } from '@/lib/session-store';
 
-const AUTH_CODE_TTL_S = 600; // 10 minutes
-
 function verifyPkce(codeVerifier: string, codeChallenge: string): boolean {
   const hash = crypto.createHash('sha256').update(codeVerifier).digest();
   const computed = hash.toString('base64url');
@@ -47,8 +45,10 @@ export function createOAuthRouter(
   router.use(express.json());
   const hasUsers = Object.keys(users).length > 0;
   const jwtSecret = serverConfig?.jwtSecret;
-  const accessTtl = serverConfig?.accessTokenTtl ?? '15m';
-  const refreshTtl = serverConfig?.refreshTokenTtl ?? '7d';
+  const oauthCfg = serverConfig?.oauth;
+  const accessTtl = oauthCfg?.accessTokenTtl ?? '1h';
+  const refreshTtl = oauthCfg?.refreshTokenTtl ?? '7d';
+  const authCodeTtlS = oauthCfg?.authCodeTtl ? parseTtl(oauthCfg.authCodeTtl) : 600;
   const store = sessionStore ?? new MemorySessionStore();
 
   // RFC 8414 — OAuth Authorization Server Metadata
@@ -100,7 +100,7 @@ export function createOAuthRouter(
       userId: payload.userId,
       redirectUri: redirect_uri,
       codeChallenge: code_challenge,
-    }), AUTH_CODE_TTL_S);
+    }), authCodeTtlS);
 
     const callbackParams = new URLSearchParams({ code });
     if (state) callbackParams.set('state', state);

src/lib/multi-config.ts

@@ -98,6 +98,13 @@ const rateLimitSchema = z.object({
   auth:   z.number().int().min(0).optional(),   // req/min per IP for login
 });
 
+const oauthSchema = z.object({
+  enabled:         z.boolean().optional(),
+  accessTokenTtl:  z.string().optional(),
+  refreshTokenTtl: z.string().optional(),
+  authCodeTtl:     z.string().optional(),
+});
+
 const redisSchema = z.object({
   enabled:            z.boolean().optional(),
   url:                z.string().optional(),
@@ -125,6 +132,7 @@ const serverSchema = z.object({
   maxFileSize:     z.number().int().positive().optional(),
   exclude:         excludeSchema,
   redis:           redisSchema.optional(),
+  oauth:           oauthSchema.optional(),
 });
 
 const wsGraphConfigSchema = z.object({
@@ -226,6 +234,13 @@ export function embeddingFingerprint(model: ModelConfig): string {
   return `${model.name}|${model.pooling}|${model.normalize}|${model.dtype ?? ''}|${model.documentPrefix}`;
 }
 
+export interface OAuthConfig {
+  enabled: boolean;
+  accessTokenTtl: string;
+  refreshTokenTtl: string;
+  authCodeTtl: string;
+}
+
 export interface RateLimitConfig {
   global: number;   // req/min per IP (0 = disabled)
   search: number;   // req/min per IP for search/embed
@@ -252,6 +267,7 @@ export interface ServerConfig {
   maxFileSize: number;
   exclude: string[];
   redis: RedisConfig;
+  oauth: OAuthConfig;
 }
 
 export interface GraphConfig {
@@ -345,6 +361,13 @@ const EMBEDDING_DEFAULTS: EmbeddingConfig = {
   cacheSize:      10_000,
 };
 
+const OAUTH_DEFAULTS: OAuthConfig = {
+  enabled:         false,
+  accessTokenTtl:  '1h',
+  refreshTokenTtl: '7d',
+  authCodeTtl:     '10m',
+};
+
 const RATE_LIMIT_DEFAULTS: RateLimitConfig = {
   global: 600,
   search: 120,
@@ -366,6 +389,7 @@ const SERVER_DEFAULTS: Omit<ServerConfig, 'embedding'> & { embedding: EmbeddingC
   maxFileSize:     1 * 1024 * 1024,  // 1 MB
   exclude:         ['**/node_modules/**', '**/dist/**'],
   redis:           { ...REDIS_DEFAULTS },
+  oauth:           { ...OAUTH_DEFAULTS },
 };
 
 const PROJECT_DEFAULTS = {
@@ -479,6 +503,12 @@ export function loadMultiConfig(yamlPath: string): MultiConfig {
       prefix:            srv.redis?.prefix            ?? REDIS_DEFAULTS.prefix,
       embeddingCacheTtl: srv.redis?.embeddingCacheTtl ?? REDIS_DEFAULTS.embeddingCacheTtl,
     },
+    oauth: {
+      enabled:         srv.oauth?.enabled         ?? OAUTH_DEFAULTS.enabled,
+      accessTokenTtl:  srv.oauth?.accessTokenTtl  ?? OAUTH_DEFAULTS.accessTokenTtl,
+      refreshTokenTtl: srv.oauth?.refreshTokenTtl ?? OAUTH_DEFAULTS.refreshTokenTtl,
+      authCodeTtl:     srv.oauth?.authCodeTtl     ?? OAUTH_DEFAULTS.authCodeTtl,
+    },
   };
 
   // Users
@@ -649,6 +679,7 @@ export function defaultConfig(projectDir: string): MultiConfig {
     maxFileSize:     SERVER_DEFAULTS.maxFileSize,
     exclude:         [...SERVER_DEFAULTS.exclude],
     redis:           { ...REDIS_DEFAULTS },
+    oauth:           { ...OAUTH_DEFAULTS },
   };
 
   const graphConfigs = {} as Record<GraphName, GraphConfig>;

src/tests/access.test.ts

@@ -40,6 +40,7 @@ function makeServerConfig(overrides?: Partial<ServerConfig>): ServerConfig {
     rateLimit: { global: 200, search: 60, auth: 10 },
     maxFileSize: 1048576,
     redis: { enabled: false, url: 'redis://localhost:6379', prefix: 'mgm:', embeddingCacheTtl: '30d' },
+    oauth: { enabled: true, accessTokenTtl: '1h', refreshTokenTtl: '7d', authCodeTtl: '10m' },
     ...overrides,
   };
 }

src/tests/oauth.test.ts

@@ -22,7 +22,11 @@ const USERS: Record<string, UserConfig> = {
   bob:   { name: 'Bob',   email: 'bob@example.com',   apiKey: 'mgm-key-bob'   },
 };
 
-const SERVER_CONFIG = { jwtSecret: SECRET, accessTokenTtl: '1h', refreshTokenTtl: '7d' } as any;
+const SERVER_CONFIG = {
+  jwtSecret: SECRET,
+  accessTokenTtl: '15m', refreshTokenTtl: '7d',
+  oauth: { enabled: true, accessTokenTtl: '1h', refreshTokenTtl: '7d', authCodeTtl: '10m' },
+} as any;
 
 function buildApp(users: Record<string, UserConfig>, serverConfig?: any): express.Express {
   const app = express();

src/tests/rest-api-gaps.test.ts

@@ -598,6 +598,7 @@ describe('CORS credentials', () => {
         defaultAccess: 'rw',
         accessTokenTtl: '15m', refreshTokenTtl: '7d', rateLimit: { global: 0, search: 0, auth: 0 }, maxFileSize: 1048576, exclude: [],
         redis: { enabled: false, url: 'redis://localhost:6379', prefix: 'mgm:', embeddingCacheTtl: '30d' },
+        oauth: { enabled: true, accessTokenTtl: '1h', refreshTokenTtl: '7d', authCodeTtl: '10m' },
       },
     });
     const res = await request(app)

src/tests/rest-api.test.ts

@@ -842,6 +842,7 @@ describe('REST API — Auth & ACL', () => {
         access: { admin: 'rw' },
         accessTokenTtl: '15m', refreshTokenTtl: '7d', rateLimit: { global: 0, search: 0, auth: 0 }, maxFileSize: 1048576, exclude: [],
         redis: { enabled: false, url: 'redis://localhost:6379', prefix: 'mgm:', embeddingCacheTtl: '30d' },
+        oauth: { enabled: true, accessTokenTtl: '1h', refreshTokenTtl: '7d', authCodeTtl: '10m' },
       },
       users: {
         admin: { name: 'Admin', email: 'admin@test.com', apiKey: 'key-admin' },
@@ -891,6 +892,7 @@ describe('REST API — Auth & ACL', () => {
         access: { reader: 'r' },
         accessTokenTtl: '15m', refreshTokenTtl: '7d', rateLimit: { global: 0, search: 0, auth: 0 }, maxFileSize: 1048576, exclude: [],
         redis: { enabled: false, url: 'redis://localhost:6379', prefix: 'mgm:', embeddingCacheTtl: '30d' },
+        oauth: { enabled: true, accessTokenTtl: '1h', refreshTokenTtl: '7d', authCodeTtl: '10m' },
       },
       users: {
         reader: { name: 'Reader', email: 'reader@test.com', apiKey: 'key-reader' },
@@ -959,6 +961,7 @@ describe('REST API — Embedding API', () => {
         defaultAccess: 'rw',
         accessTokenTtl: '15m', refreshTokenTtl: '7d', rateLimit: { global: 0, search: 0, auth: 0 }, maxFileSize: 1048576, exclude: [],
         redis: { enabled: false, url: 'redis://localhost:6379', prefix: 'mgm:', embeddingCacheTtl: '30d' },
+        oauth: { enabled: true, accessTokenTtl: '1h', refreshTokenTtl: '7d', authCodeTtl: '10m' },
       },
       embeddingApiModelNames: { default: EMBED_MODEL_NAME, code: EMBED_MODEL_NAME },
     });
@@ -1029,6 +1032,7 @@ describe('REST API — Embedding API', () => {
         defaultAccess: 'rw',
         accessTokenTtl: '15m', refreshTokenTtl: '7d', rateLimit: { global: 0, search: 0, auth: 0 }, maxFileSize: 1048576, exclude: [],
         redis: { enabled: false, url: 'redis://localhost:6379', prefix: 'mgm:', embeddingCacheTtl: '30d' },
+        oauth: { enabled: true, accessTokenTtl: '1h', refreshTokenTtl: '7d', authCodeTtl: '10m' },
       },
     });
     const res = await request(noEmbedApp).post('/api/embed').send({ texts: ['test'] });
@@ -1073,6 +1077,7 @@ describe('REST API — JWT Cookie Auth', () => {
         jwtSecret: JWT_SECRET,
         accessTokenTtl: '15m', refreshTokenTtl: '7d', rateLimit: { global: 0, search: 0, auth: 0 }, maxFileSize: 1048576, exclude: [],
         redis: { enabled: false, url: 'redis://localhost:6379', prefix: 'mgm:', embeddingCacheTtl: '30d' },
+        oauth: { enabled: true, accessTokenTtl: '1h', refreshTokenTtl: '7d', authCodeTtl: '10m' },
       },
       users: {
         admin: { name: 'Admin', email: 'admin@test.com', apiKey: 'key-admin', passwordHash: adminPasswordHash },