mirror of
https://github.com/element-hq/synapse.git
synced 2024-12-14 11:57:44 +00:00
Rename unstable access_token_lifetime
configuration option to refreshable_access_token_lifetime
to make it clear it only concerns refreshable access tokens. (#11388)
This commit is contained in:
parent
55669bd3de
commit
f25c75d376
6 changed files with 36 additions and 16 deletions
1
changelog.d/11388.misc
Normal file
1
changelog.d/11388.misc
Normal file
|
@ -0,0 +1 @@
|
|||
Rename unstable `access_token_lifetime` configuration option to `refreshable_access_token_lifetime` to make it clear it only concerns refreshable access tokens.
|
|
@ -112,25 +112,32 @@ class RegistrationConfig(Config):
|
|||
session_lifetime = self.parse_duration(session_lifetime)
|
||||
self.session_lifetime = session_lifetime
|
||||
|
||||
# The `access_token_lifetime` applies for tokens that can be renewed
|
||||
# The `refreshable_access_token_lifetime` applies for tokens that can be renewed
|
||||
# using a refresh token, as per MSC2918. If it is `None`, the refresh
|
||||
# token mechanism is disabled.
|
||||
#
|
||||
# Since it is incompatible with the `session_lifetime` mechanism, it is set to
|
||||
# `None` by default if a `session_lifetime` is set.
|
||||
access_token_lifetime = config.get(
|
||||
"access_token_lifetime", "5m" if session_lifetime is None else None
|
||||
refreshable_access_token_lifetime = config.get(
|
||||
"refreshable_access_token_lifetime",
|
||||
"5m" if session_lifetime is None else None,
|
||||
)
|
||||
if access_token_lifetime is not None:
|
||||
access_token_lifetime = self.parse_duration(access_token_lifetime)
|
||||
self.access_token_lifetime = access_token_lifetime
|
||||
if refreshable_access_token_lifetime is not None:
|
||||
refreshable_access_token_lifetime = self.parse_duration(
|
||||
refreshable_access_token_lifetime
|
||||
)
|
||||
self.refreshable_access_token_lifetime = refreshable_access_token_lifetime
|
||||
|
||||
if session_lifetime is not None and access_token_lifetime is not None:
|
||||
if (
|
||||
session_lifetime is not None
|
||||
and refreshable_access_token_lifetime is not None
|
||||
):
|
||||
raise ConfigError(
|
||||
"The refresh token mechanism is incompatible with the "
|
||||
"`session_lifetime` option. Consider disabling the "
|
||||
"`session_lifetime` option or disabling the refresh token "
|
||||
"mechanism by removing the `access_token_lifetime` option."
|
||||
"mechanism by removing the `refreshable_access_token_lifetime` "
|
||||
"option."
|
||||
)
|
||||
|
||||
# The fallback template used for authenticating using a registration token
|
||||
|
|
|
@ -116,7 +116,9 @@ class RegistrationHandler:
|
|||
self.pusher_pool = hs.get_pusherpool()
|
||||
|
||||
self.session_lifetime = hs.config.registration.session_lifetime
|
||||
self.access_token_lifetime = hs.config.registration.access_token_lifetime
|
||||
self.refreshable_access_token_lifetime = (
|
||||
hs.config.registration.refreshable_access_token_lifetime
|
||||
)
|
||||
|
||||
init_counters_for_auth_provider("")
|
||||
|
||||
|
@ -817,7 +819,9 @@ class RegistrationHandler:
|
|||
user_id,
|
||||
device_id=registered_device_id,
|
||||
)
|
||||
valid_until_ms = self.clock.time_msec() + self.access_token_lifetime
|
||||
valid_until_ms = (
|
||||
self.clock.time_msec() + self.refreshable_access_token_lifetime
|
||||
)
|
||||
|
||||
access_token = await self._auth_handler.create_access_token_for_user_id(
|
||||
user_id,
|
||||
|
|
|
@ -81,7 +81,9 @@ class LoginRestServlet(RestServlet):
|
|||
self.saml2_enabled = hs.config.saml2.saml2_enabled
|
||||
self.cas_enabled = hs.config.cas.cas_enabled
|
||||
self.oidc_enabled = hs.config.oidc.oidc_enabled
|
||||
self._msc2918_enabled = hs.config.registration.access_token_lifetime is not None
|
||||
self._msc2918_enabled = (
|
||||
hs.config.registration.refreshable_access_token_lifetime is not None
|
||||
)
|
||||
|
||||
self.auth = hs.get_auth()
|
||||
|
||||
|
@ -453,7 +455,9 @@ class RefreshTokenServlet(RestServlet):
|
|||
def __init__(self, hs: "HomeServer"):
|
||||
self._auth_handler = hs.get_auth_handler()
|
||||
self._clock = hs.get_clock()
|
||||
self.access_token_lifetime = hs.config.registration.access_token_lifetime
|
||||
self.refreshable_access_token_lifetime = (
|
||||
hs.config.registration.refreshable_access_token_lifetime
|
||||
)
|
||||
|
||||
async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
|
||||
refresh_submission = parse_json_object_from_request(request)
|
||||
|
@ -463,7 +467,9 @@ class RefreshTokenServlet(RestServlet):
|
|||
if not isinstance(token, str):
|
||||
raise SynapseError(400, "Invalid param: refresh_token", Codes.INVALID_PARAM)
|
||||
|
||||
valid_until_ms = self._clock.time_msec() + self.access_token_lifetime
|
||||
valid_until_ms = (
|
||||
self._clock.time_msec() + self.refreshable_access_token_lifetime
|
||||
)
|
||||
access_token, refresh_token = await self._auth_handler.refresh_token(
|
||||
token, valid_until_ms
|
||||
)
|
||||
|
@ -562,7 +568,7 @@ class CasTicketServlet(RestServlet):
|
|||
|
||||
def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
|
||||
LoginRestServlet(hs).register(http_server)
|
||||
if hs.config.registration.access_token_lifetime is not None:
|
||||
if hs.config.registration.refreshable_access_token_lifetime is not None:
|
||||
RefreshTokenServlet(hs).register(http_server)
|
||||
SsoRedirectServlet(hs).register(http_server)
|
||||
if hs.config.cas.cas_enabled:
|
||||
|
|
|
@ -420,7 +420,9 @@ class RegisterRestServlet(RestServlet):
|
|||
self.password_policy_handler = hs.get_password_policy_handler()
|
||||
self.clock = hs.get_clock()
|
||||
self._registration_enabled = self.hs.config.registration.enable_registration
|
||||
self._msc2918_enabled = hs.config.registration.access_token_lifetime is not None
|
||||
self._msc2918_enabled = (
|
||||
hs.config.registration.refreshable_access_token_lifetime is not None
|
||||
)
|
||||
|
||||
self._registration_flows = _calculate_registration_flows(
|
||||
hs.config, self.auth_handler
|
||||
|
|
|
@ -598,7 +598,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
|||
refresh_response.json_body["refresh_token"],
|
||||
)
|
||||
|
||||
@override_config({"access_token_lifetime": "1m"})
|
||||
@override_config({"refreshable_access_token_lifetime": "1m"})
|
||||
def test_refresh_token_expiration(self):
|
||||
"""
|
||||
The access token should have some time as specified in the config.
|
||||
|
|
Loading…
Reference in a new issue