
Paddy 2015-01-18 Parent:d14f0a81498c Child:b714af0578dc


auth/token.go

Remove refresh token expiration, update implicit token. Refresh tokens no longer expire, because they're supposed to be long-lived, and we have no way to communicate to the user exactly how long-lived they are. Instead, they are invalidated after a single use, which should prevent too much abuse. It gives them an effective lifespan of "default token expiration, or until used", which I think is Good Enough. Also updated our implicit token to set the CreatedFrom to "implicit" and the ClientID to the client ID, which is important, I guess. It's really annoying that we have that logic in two different places.

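--- a/token.go	Sun Jan 18 05:03:17 2015 -0500
+++ b/token.go	Sun Jan 18 05:08:18 2015 -0500
@@ -11,8 +11,7 @@
 )
 
 const (
-	defaultTokenExpiration        = 3600  // one hour
-	defaultRefreshTokenExpiration = 86400 // one day
+	defaultTokenExpiration = 3600 // one hour
 )
 
 func init() {
@@ -38,18 +37,17 @@
 // Token represents an access and/or refresh token that the Client can use to access user data
 // or obtain a new access token.
 type Token struct {
-	AccessToken      string
-	RefreshToken     string
-	Created          time.Time
-	CreatedFrom      string
-	ExpiresIn        int32
-	RefreshExpiresIn int32
-	TokenType        string
-	Scope            string
-	ProfileID        uuid.ID
-	ClientID         uuid.ID
-	Revoked          bool
-	RefreshRevoked   bool
+	AccessToken    string
+	RefreshToken   string
+	Created        time.Time
+	CreatedFrom    string
+	ExpiresIn      int32
+	TokenType      string
+	Scope          string
+	ProfileID      uuid.ID
+	ClientID       uuid.ID
+	Revoked        bool
+	RefreshRevoked bool
 }
 
 type tokenStore interface {
@@ -200,12 +198,6 @@
 		renderJSONError(enc, "invalid_grant")
 		return
 	}
-	expires := token.Created.Add(time.Duration(token.RefreshExpiresIn) * time.Second)
-	if expires.Before(time.Now()) {
-		w.WriteHeader(http.StatusBadRequest)
-		renderJSONError(enc, "invalid_grant")
-		return
-	}
 	return token.Scope, token.ProfileID, true
 }
 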
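Review bot: With the expiry check removed in the last hunk, a refresh token that is never presented stays valid indefinitely, so the single-use invalidation the description relies on has to be enforced on this exact path; nothing visible in the hunk reads `token.RefreshRevoked` before `return token.Scope, token.ProfileID, true`, and the enclosing function starts above the hunk, so if that check is not already there it should be added as `if token.RefreshRevoked { w.WriteHeader(http.StatusBadRequest); renderJSONError(enc, "invalid_grant"); return }` ahead of the return. Even with single-use rotation, an absolute upper bound on refresh-token age (for example a large `maxRefreshTokenAge` constant compared against `token.Created`, name constructed here) bounds the exposure window of a stolen-but-unused token at the cost of one comparison, and it would also make the description's claim of "default token expiration, or until used" actually hold. A refresh token presented after it was already revoked is a reuse signal worth logging with the ClientID and ProfileID, since it usually means the token leaked. Any store schema or serialization that still carries the dropped `RefreshExpiresIn` field is outside this diff and should be updated alongside it.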