From 89b1723d35c0148860bdca4f28074c1ffd3e0f89 Mon Sep 17 00:00:00 2001 From: Gusted Date: Mon, 22 Jul 2024 20:45:13 +0200 Subject: [PATCH] [FEAT] Enable `INVALIDATE_REFRESH_TOKENS` - It's possible to detect if refresh tokens are used more than once, if it's used more than it's a indication of a replay attack and it should invalidate the associated access token. This behavior is controlled by the `INVALIDATE_REFRESH_TOKENS` setting. - Altough in a normal scenario where TLS is being used, it should be very hard to get to situation where replay attacks are being used, but this is better safe than sorry. - Enable `INVALIDATE_REFRESH_TOKENS` by default. --- modules/setting/oauth2.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/setting/oauth2.go b/modules/setting/oauth2.go index 76820adff..86617f751 100644 --- a/modules/setting/oauth2.go +++ b/modules/setting/oauth2.go @@ -104,7 +104,7 @@ var OAuth2 = struct { Enabled: true, AccessTokenExpirationTime: 3600, RefreshTokenExpirationTime: 730, - InvalidateRefreshTokens: false, + InvalidateRefreshTokens: true, JWTSigningAlgorithm: "RS256", JWTSigningPrivateKeyFile: "jwt/private.pem", MaxTokenLength: math.MaxInt16,