A Scoped, Expiring Auth Context
"Share this for 24 hours" usually means a database row tracking expiry, or a signed URL with a server checking a clock somewhere. Here it's just a document: something that knows its own expiration, encrypts its own payload, and refuses to open once time's up — no infrastructure standing behind it to make that true.
Something That Knows When It's Expired
#[type]
ShareLink: {
ms expires: 0
fn valid() -> bool {
Time.now() < self.expires
}
}
#[main]
fn main() {
const link = new ShareLink { expires: Time.now() + 1hr };
pln(link.valid());
const expired = new ShareLink { expires: Time.now() - 1hr };
pln(expired.valid());
}The Full Link
Wrap a passphrase-encrypted payload around that same expiry check — open() refuses to even attempt decryption once the link is stale:
in a real scenario, you'd want to use public/private key pairs (Age has these too), and keep an expiration as a separate validation step.
#[type]
ShareLink: {
ms expires: 0
payload: null
fn valid() -> bool {
Time.now() < self.expires
}
fn open(passphrase: str) -> obj {
if (!self.valid()) return null;
const decrypted = new {};
Age.pass_parse(passphrase, self.payload, decrypted, 'bstf');
decrypted
}
}
#[main]
fn main() {
const secret = new { file: "quarterly-report.pdf" };
const payload = Age.pass_blobify("open-sesame", 'bstf', secret);
const link = new ShareLink { expires: Time.now() + 1hr, payload: payload };
pln(link.open("open-sesame").file);
const stale = new ShareLink { expires: Time.now() - 1hr, payload: payload };
pln(stale.open("open-sesame"));
}link and stale carry the exact same encrypted payload — the only difference is a timestamp. One opens, the other refuses before it ever touches the passphrase. Nothing here is a special "auth" feature; it's the same fields, functions, and encryption from Types & Units and the Age library, arranged around one small rule.