Skip to content

Align Account JetStream defaults with nats-io/jwt #245

Open
Open
Align Account JetStream defaults with nats-io/jwt#245
Labels
postponed

Description

@choufraise
choufraise
opened on Apr 24, 2026

Summary

Today, NAuth defaults all Account JetStreamLimits fields to -1 when they are not explicitly set in the Account CRD.

That means NAuth currently defaults JetStream to effectively enabled / unlimited for Accounts.

nats-io/jwt does not behave that way. jwt.NewAccountClaims(...) defaults JetStream limits to 0, which means JetStream is disabled unless storage is explicitly allowed.

NAuth should align its default Account behavior with the real defaults from nats-io/jwt.

Current Behavior In NAuth

When an Account is created without explicit jetStreamLimits, NAuth currently builds JWT claims with JetStream limits defaulted to -1.

In practice, that means:

  • memStorage = -1
  • diskStorage = -1
  • streams = -1
  • consumer = -1
  • and related JetStream limit fields are treated as unlimited

So, today, NAuth defaults JetStream to enabled on Accounts.

Upstream Behavior

nats-io/jwt behaves differently.

jwt.NewAccountClaims(...) initializes JetStream limits to zero-values, and those defaults mean:

  • JetStream disabled
  • not unlimited

In particular, MemoryStorage=0 and DiskStorage=0 do not mean "unlimited"; they mean JetStream is not enabled for the Account.

See nats-io/jwt#249.

Problem

NAuth currently projects a default Account behavior that does not match the upstream JWT library semantics.

This causes confusion because:

  • NAuth-created Accounts get JetStream by default even when the user did not ask for it
  • claim conversion and observed status can suggest semantics that differ from upstream defaults
  • the default business behavior in NAuth diverges from the default business behavior in nats-io/jwt

Desired Behavior

NAuth should stop defaulting Account JetStream limits to unlimited.

Instead, when no explicit JetStream configuration is provided, NAuth should align with nats-io/jwt defaults:

  • default JetStream limits should remain at the JWT library defaults
  • that means JetStream is disabled by default
  • enabling JetStream should require explicit intent in NAuth

Impact

This will be a breaking business-logic change.

It is not mainly a CRD schema break. Existing manifests may still deserialize, but the effective behavior of Accounts would change:

  • today: JetStream is implicitly enabled by default
  • desired future behavior: JetStream is disabled by default unless explicitly enabled

Users relying on the current implicit JetStream enablement would need to update their Account specs.

Acceptance Criteria

  • NAuth no longer defaults unset Account JetStream limits to -1
  • default Account JetStream behavior matches jwt.NewAccountClaims(...)
  • Accounts without explicit JetStream configuration no longer get JetStream implicitly enabled
  • tests and examples reflect the new explicit behavior
  • release notes clearly call out the breaking business-logic change

Reference

  • nats-io/jwt#249

Metadata

Metadata

Assignees

No one assigned

    Labels

    postponed

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions