auth/oauth2.go
Remove refresh token expiration, update implicit token. Refresh tokens no longer expire, because they're supposed to be long-lived, and we have no way to communicate to the user exactly how long-lived they are. Instead, they are invalidated after a single use, which should prevent too much abuse. It gives them an effective lifespan of "default token expiration, or until used", which I think is Good Enough. Also updated our implicit token to set the CreatedFrom to "implicit" and the ClientID to the client ID, which is important, I guess. It's really annoying that we have that logic in two different places.
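--- a/oauth2.go
+++ b/oauth2.go
@@ -303,11 +303,12 @@
 token := Token{
 AccessToken: uuid.NewID().String(),
 Created: time.Now(),
- CreatedFrom: "",
+ CreatedFrom: "implicit",
 ExpiresIn: defaultTokenExpiration,
 TokenType: "bearer",
 Scope: scope,
 ProfileID: session.ProfileID,
+ ClientID: clientID,
 }
 err := context.SaveToken(token)
 if err != nil {
@@ -377,16 +378,15 @@
 refresh = uuid.NewID().String()
 }
 token := Token{
- AccessToken: uuid.NewID().String(),
- RefreshToken: refresh,
- Created: time.Now(),
- CreatedFrom: gt.AuditString(r),
- ExpiresIn: defaultTokenExpiration,
- RefreshExpiresIn: defaultRefreshTokenExpiration,
- TokenType: "bearer",
- Scope: scope,
- ProfileID: profileID,
- ClientID: clientID,
+ AccessToken: uuid.NewID().String(),
+ RefreshToken: refresh,
+ Created: time.Now(),
+ CreatedFrom: gt.AuditString(r),
+ ExpiresIn: defaultTokenExpiration,
+ TokenType: "bearer",
+ Scope: scope,
+ ProfileID: profileID,
+ ClientID: clientID,
 }
 err := context.SaveToken(token)
 if err != nil {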
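Review bot: In the second hunk the new Token literal simply stops setting RefreshExpiresIn, so if that field still exists on Token it is now left at its zero value, and whether the refresh path then treats zero as "already expired" or "never expires" is not visible here and needs to be confirmed against the validation code. The single-use invalidation the description relies on as the replacement for time-based expiry is also not part of this diff, so a reviewer cannot see from these hunks that a refresh token is actually consumed on first use; a comment on the literal would make the intent explicit, e.g. `// RefreshExpiresIn is intentionally unset: refresh tokens are single-use, not time-limited.` As the description itself notes, the implicit-grant literal in the first hunk and this one now build near-identical Token values and would be safer as one constructor so future fields (like ClientID, which the first hunk had been missing) cannot drift between them. Both enclosing functions start and end outside the hunks.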