Make mailbox TTL configurable, default to 1 week

Remove read/unread TTL distinction to close a metadata side
channel. TTL is now operator-configurable via Config, defaulting
to 1 week.

Removes early_removal_count, mark_read(), read_order,
read_mailbox_ids, and the now-dead capacity eviction block.
Fix is_none handling in prune to warn without logging shortid.

Author: Arowolokehinde

payjoin-mailroom/src/config.rs

@@ -12,6 +12,8 @@ pub struct Config {
     pub storage_dir: PathBuf,
     #[serde(deserialize_with = "deserialize_duration_secs")]
     pub timeout: Duration,
+    #[serde(deserialize_with = "deserialize_duration_secs")]
+    pub mailbox_ttl: Duration,
     pub v1: Option<V1Config>,
     #[cfg(feature = "telemetry")]
     pub telemetry: Option<TelemetryConfig>,
@@ -85,6 +87,7 @@ impl Default for Config {
             listener: "[::]:8080".parse().expect("valid default listener address"),
             storage_dir: PathBuf::from("./data"),
             timeout: Duration::from_secs(30),
+            mailbox_ttl: Duration::from_secs(60 * 60 * 24 * 7), // 1 week
             v1: None,
             #[cfg(feature = "telemetry")]
             telemetry: None,
@@ -115,6 +118,7 @@ impl Config {
             listener,
             storage_dir,
             timeout,
+            mailbox_ttl: Duration::from_secs(60 * 60 * 24 * 7), // 1 week
             v1,
             #[cfg(feature = "telemetry")]
             telemetry: None,

payjoin-mailroom/src/db/files.rs

@@ -11,7 +11,7 @@ use rand::RngCore;
 use tokio::fs::{self, File};
 use tokio::io::{self, AsyncReadExt, AsyncWriteExt};
 use tokio::sync::{oneshot, Mutex};
-use tracing::trace;
+use tracing::{trace, warn};
 
 use crate::db::{Db as DbTrait, Error as DbError};
 
@@ -21,12 +21,6 @@ use crate::db::{Db as DbTrait, Error as DbError};
 /// mailboxes/tx, ~4K txs/block, and ~144 blocks/24h.
 const DEFAULT_CAPACITY: usize = 1 << (1 + 12 + 8);
 
-/// How long a mailbox is retained before being pruned, regardless of
-/// whether it has been read.
-/// Matches the default receiver session lifetime
-/// (`TWENTY_FOUR_HOURS_DEFAULT_EXPIRATION` in `payjoin::receive::v2`)
-const DEFAULT_TTL: Duration = Duration::from_secs(60 * 60 * 24); // 24 hours
-
 #[derive(Debug)]
 struct V2WaitMapEntry {
     receiver: future::Shared<oneshot::Receiver<Arc<Vec<u8>>>>,
@@ -49,7 +43,6 @@ pub(crate) struct Mailboxes {
     pending_v2: HashMap<ShortId, V2WaitMapEntry>,
     insert_order: VecDeque<(SystemTime, ShortId)>,
     ttl: Duration,
-    early_removal_count: usize,
 }
 
 #[derive(Debug)]
@@ -194,7 +187,7 @@ impl DiskStorage {
 }
 
 impl Mailboxes {
-    async fn init(dir: PathBuf) -> io::Result<Self> {
+    async fn init(dir: PathBuf, ttl: Duration) -> io::Result<Self> {
         let storage = DiskStorage::init(dir).await?;
         let insert_order = storage.insert_order().await?.into();
         Ok(Self {
@@ -203,8 +196,7 @@ impl Mailboxes {
             capacity: DEFAULT_CAPACITY,
             pending_v1: HashMap::default(),
             pending_v2: HashMap::default(),
-            ttl: DEFAULT_TTL,
-            early_removal_count: 0,
+            ttl,
         })
     }
 }
@@ -216,8 +208,8 @@ pub struct FilesDb {
 }
 
 impl FilesDb {
-    pub async fn init(timeout: Duration, path: PathBuf) -> io::Result<Self> {
-        Ok(Self { timeout, mailboxes: Arc::new(Mutex::new(Mailboxes::init(path).await?)) })
+    pub async fn init(timeout: Duration, path: PathBuf, ttl: Duration) -> io::Result<Self> {
+        Ok(Self { timeout, mailboxes: Arc::new(Mutex::new(Mailboxes::init(path, ttl).await?)) })
     }
 
     pub async fn prune(&self) -> io::Result<Duration> { self.mailboxes.lock().await.prune().await }
@@ -437,9 +429,7 @@ impl Mailboxes {
     }
 
     fn len(&self) -> usize {
-        (self.insert_order.len() - self.early_removal_count)
-            + self.pending_v1.len()
-            + self.pending_v2.len()
+        self.insert_order.len() + self.pending_v1.len() + self.pending_v2.len()
     }
 
     async fn maybe_prune(&mut self) -> io::Result<Duration> {
@@ -467,36 +457,17 @@ impl Mailboxes {
         // Prune any fully expired mailboxes
         while let Some((created, id)) = self.insert_order.front().cloned() {
             if created + self.ttl < now {
-                debug_assert!(self.insert_order.len() >= self.early_removal_count);
                 _ = self.insert_order.pop_front();
                 if self.remove(&id).await?.is_none() {
-                    self.early_removal_count = self
-                        .early_removal_count
-                        .checked_sub(1)
-                        .expect("early removal adjustment should never underflow");
+                    warn!("Mailbox file missing during prune; possible external deletion or disk error");
+                } else {
+                    trace!("Pruned old mailbox {id}");
                 }
-                debug_assert!(self.insert_order.len() >= self.early_removal_count);
-                trace!("Pruned old mailbox {id}");
             } else {
                 break;
             }
         }
 
-        // If no room was created, try to prune the oldest mailbox if
-        // it's over the TTL
-        debug_assert!(self.len() <= self.capacity);
-        if self.len() == self.capacity {
-            if let Some((created, id)) = self.insert_order.front().cloned() {
-                if created + self.ttl < now {
-                    _ = self.insert_order.pop_front();
-                    self.remove(&id).await?;
-                    trace!("Pruned mailbox {id} to make room");
-                } else {
-                    trace!("Nothing to prune, {} entries remain", self.len());
-                }
-            }
-        }
-
         Ok(self.next_prune())
     }
 
@@ -704,9 +675,13 @@ async fn test_disk_storage_mailboxes() -> std::io::Result<()> {
 async fn test_mailbox_storage() -> std::io::Result<()> {
     let dir = tempfile::tempdir()?;
 
-    let db = FilesDb::init(Duration::from_millis(10), dir.path().to_owned())
-        .await
-        .expect("initializing mailbox database should succeed");
+    let db = FilesDb::init(
+        Duration::from_millis(10),
+        dir.path().to_owned(),
+        Duration::from_secs(60 * 60 * 24 * 7),
+    )
+    .await
+    .expect("initializing mailbox database should succeed");
 
     let id = ShortId([0u8; 8]);
     let contents = b"foo bar";
@@ -725,9 +700,13 @@ async fn test_mailbox_storage() -> std::io::Result<()> {
 async fn test_v2_wait() -> std::io::Result<()> {
     let dir = tempfile::tempdir()?;
 
-    let db = FilesDb::init(Duration::from_millis(1), dir.path().to_owned())
-        .await
-        .expect("initializing mailbox database should succeed");
+    let db = FilesDb::init(
+        Duration::from_millis(1),
+        dir.path().to_owned(),
+        Duration::from_secs(60 * 60 * 24 * 7),
+    )
+    .await
+    .expect("initializing mailbox database should succeed");
 
     let id = ShortId([0u8; 8]);
     let contents = b"foo bar";
@@ -782,9 +761,13 @@ async fn test_v1_wait() -> std::io::Result<()> {
     let dir = tempfile::tempdir()?;
 
     let db = Arc::new(
-        FilesDb::init(Duration::from_millis(1), dir.path().to_owned())
-            .await
-            .expect("initializing mailbox database should succeed"),
+        FilesDb::init(
+            Duration::from_millis(1),
+            dir.path().to_owned(),
+            Duration::from_secs(60 * 60 * 24 * 7),
+        )
+        .await
+        .expect("initializing mailbox database should succeed"),
     );
 
     let id = ShortId([0u8; 8]);
@@ -829,9 +812,13 @@ async fn test_v1_data_minimization() -> std::io::Result<()> {
     let dir = tempfile::tempdir()?;
 
     let db = Arc::new(
-        FilesDb::init(Duration::from_millis(500), dir.path().to_owned())
-            .await
-            .expect("initializing mailbox database should succeed"),
+        FilesDb::init(
+            Duration::from_millis(500),
+            dir.path().to_owned(),
+            Duration::from_secs(60 * 60 * 24 * 7),
+        )
+        .await
+        .expect("initializing mailbox database should succeed"),
     );
 
     let id = ShortId([0u8; 8]);
@@ -884,9 +871,13 @@ async fn test_v1_data_minimization() -> std::io::Result<()> {
 async fn test_prune() -> std::io::Result<()> {
     let dir = tempfile::tempdir()?;
 
-    let db = FilesDb::init(Duration::from_millis(2), dir.path().to_owned())
-        .await
-        .expect("initializing mailbox database should succeed");
+    let db = FilesDb::init(
+        Duration::from_millis(2),
+        dir.path().to_owned(),
+        Duration::from_secs(60 * 60 * 24 * 7),
+    )
+    .await
+    .expect("initializing mailbox database should succeed");
 
     let ttl = Duration::from_secs(600);
 

payjoin-mailroom/src/directory.rs

@@ -591,7 +591,13 @@ mod tests {
 
     async fn test_service(v1: Option<V1>) -> Service<FilesDb> {
         let dir = tempfile::tempdir().expect("tempdir");
-        let db = FilesDb::init(Duration::from_millis(100), dir.keep()).await.expect("db init");
+        let db = FilesDb::init(
+            Duration::from_millis(100),
+            dir.keep(),
+            Duration::from_secs(60 * 60 * 24 * 7),
+        )
+        .await
+        .expect("db init");
         let ohttp: ohttp::Server =
             crate::key_config::gen_ohttp_server_config().expect("ohttp config").into();
         Service::new(db, ohttp, SentinelTag::new([0u8; 32]), v1)

payjoin-mailroom/src/lib.rs

@@ -221,7 +221,9 @@ async fn init_directory(
     config: &Config,
     sentinel_tag: SentinelTag,
 ) -> anyhow::Result<crate::directory::Service<crate::db::DbServiceAdapter>> {
-    let files_db = crate::db::FilesDb::init(config.timeout, config.storage_dir.clone()).await?;
+    let files_db =
+        crate::db::FilesDb::init(config.timeout, config.storage_dir.clone(), config.mailbox_ttl)
+            .await?;
     files_db.spawn_background_prune().await;
     let db = crate::db::DbServiceAdapter::new(files_db);