auth
125:dcd2125c4f57 Browse Files
Remove refresh token expiration, update implicit token. Refresh tokens no longer expire, because they're supposed to be long-lived, and we have no way to communicate to the user exactly how long-lived they are. Instead, they are invalidated after a single use, which should prevent too much abuse. It gives them an effective lifespan of "default token expiration, or until used", which I think is Good Enough. Also updated our implicit token to set the CreatedFrom to "implicit" and the ClientID to the client ID, which is important, I guess. It's really annoying that we have that logic in two different places.
oauth2.go token.go token_test.go
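--- a/oauth2.go
+++ b/oauth2.go
@@ -303,11 +303,12 @@
 token := Token{
 AccessToken: uuid.NewID().String(),
 Created: time.Now(),
-CreatedFrom: "",
+CreatedFrom: "implicit",
 ExpiresIn: defaultTokenExpiration,
 TokenType: "bearer",
 Scope: scope,
 ProfileID: session.ProfileID,
+ClientID: clientID,
 }
 err := context.SaveToken(token)
 if err != nil {
@@ -377,16 +378,15 @@
 refresh = uuid.NewID().String()
 }
 token := Token{
-AccessToken: uuid.NewID().String(),
-RefreshToken: refresh,
-Created: time.Now(),
-CreatedFrom: gt.AuditString(r),
-ExpiresIn: defaultTokenExpiration,
-RefreshExpiresIn: defaultRefreshTokenExpiration,
-TokenType: "bearer",
-Scope: scope,
-ProfileID: profileID,
-ClientID: clientID,
+AccessToken: uuid.NewID().String(),
+RefreshToken: refresh,
+Created: time.Now(),
+CreatedFrom: gt.AuditString(r),
+ExpiresIn: defaultTokenExpiration,
+TokenType: "bearer",
+Scope: scope,
+ProfileID: profileID,
+ClientID: clientID,
 }
 err := context.SaveToken(token)
 if err != nil {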
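Review bot: The two `Token{...}` literals (implicit grant in the first hunk, refresh-bearing grant in the second) now set `AccessToken`, `Created`, `ExpiresIn` and `TokenType` independently, which is exactly the duplication the commit message complains about and the reason `ClientID` was missing from the implicit token until this change. Pulling the shared fields into one constructor means a future change to the default expiration or token type cannot silently apply to only one grant path; the implicit call site would pass `"implicit"` and an empty refresh token, which also keeps the implicit flow free of refresh tokens as it should be. Both enclosing handlers start outside the hunks, so the call sites shown below are placed by context only.
```go
// newToken fills in the fields every grant type sets the same way, so the
// implicit and authorization-code paths cannot drift in expiration or type.
func newToken(profileID, clientID uuid.ID, scope, createdFrom, refresh string) Token {
	return Token{
		AccessToken:  uuid.NewID().String(),
		RefreshToken: refresh,
		Created:      time.Now(),
		CreatedFrom:  createdFrom,
		ExpiresIn:    defaultTokenExpiration,
		TokenType:    "bearer",
		Scope:        scope,
		ProfileID:    profileID,
		ClientID:     clientID,
	}
}

// … unchanged: implicit handler up to the token literal …
token := newToken(session.ProfileID, clientID, scope, "implicit", "")

// … unchanged: refresh generation in the second handler …
token := newToken(profileID, clientID, scope, gt.AuditString(r), refresh)
```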
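--- a/token.go
+++ b/token.go
@@ -11,8 +11,7 @@
 )
 
 const (
-defaultTokenExpiration = 3600 // one hour
-defaultRefreshTokenExpiration = 86400 // one day
+defaultTokenExpiration = 3600 // one hour
 )
 
 func init() {
@@ -38,18 +37,17 @@
 // Token represents an access and/or refresh token that the Client can use to access user data
 // or obtain a new access token.
 type Token struct {
-AccessToken string
-RefreshToken string
-Created time.Time
-CreatedFrom string
-ExpiresIn int32
-RefreshExpiresIn int32
-TokenType string
-Scope string
-ProfileID uuid.ID
-ClientID uuid.ID
-Revoked bool
-RefreshRevoked bool
+AccessToken string
+RefreshToken string
+Created time.Time
+CreatedFrom string
+ExpiresIn int32
+TokenType string
+Scope string
+ProfileID uuid.ID
+ClientID uuid.ID
+Revoked bool
+RefreshRevoked bool
 }
 
 type tokenStore interface {
@@ -200,12 +198,6 @@
 renderJSONError(enc, "invalid_grant")
 return
 }
-expires := token.Created.Add(time.Duration(token.RefreshExpiresIn) * time.Second)
-if expires.Before(time.Now()) {
-w.WriteHeader(http.StatusBadRequest)
-renderJSONError(enc, "invalid_grant")
-return
-}
 return token.Scope, token.ProfileID, true
 }
 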
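Review bot: With the expiry check removed before `return token.Scope, token.ProfileID, true` in the third hunk, a refresh token that is never exchanged is now accepted indefinitely, and the single-use invalidation the commit message relies on is not visible here — it presumably lives in the caller that sets `RefreshRevoked`, so it is worth confirming that flag is written before the new access token is issued and that the `Revoked`/`RefreshRevoked` checks precede this return. Single use does not bound an unused leaked token; a generous absolute lifetime computed from `token.Created` would cap that exposure without the "how long is it valid" messaging problem the description describes. At minimum, document the contract where the check used to be: `// Refresh tokens carry no expiry; they are invalidated after a single use (see RefreshRevoked).` The `Token` struct and the enclosing validation function both continue outside these hunks.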
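--- a/token_test.go
+++ b/token_test.go
@@ -25,9 +25,6 @@
 if token1.ExpiresIn != token2.ExpiresIn {
 return false, "expires in", token1.ExpiresIn, token2.ExpiresIn
 }
-if token1.RefreshExpiresIn != token2.RefreshExpiresIn {
-return false, "refresh expires in", token1.RefreshExpiresIn, token2.RefreshExpiresIn
-}
 if token1.TokenType != token2.TokenType {
 return false, "token type", token1.TokenType, token2.TokenType
 }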