This repository was archived by the owner on Jul 13, 2023. It is now read-only.

Tokens in redirect URL need to be of short lifetime #4

Description

@muhlemmer

Currently all tokens generated have a single configuration option for Expiration. If this is set to a high interval, it is possible to reuse a URL-based token redirect and re-initiate a logged-out session.

Instead, redirected tokens should have a short expiration time. Refreshed tokens usually live in a client session, header or cookie and can have a longer interval. Therefore consumers will need to refresh their token upon the first opportunity after redirect.

The following things need a bit of refactoring:

  1. The authReply method should accept a time.Time instead of looking to the server config.
  2. AuthenticatePwUser and RefreshJWT gRPC methods should accept a time stamp, so the consumer decides the requirements.
  3. Adjust the admin login form to use short timeouts.
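The three refactoring steps above amount to one design: the token issuer takes the expiry from the caller rather than from a single server-wide setting, so a token placed in a redirect URL can be given a lifetime of seconds while the token the consumer refreshes into a cookie or header can live for hours. The Go program below is an added illustration of that pattern and is not code from this repository; it uses a minimal HMAC-signed token with a JSON payload as a stand-in for the project's JWT handling, and the names `Issuer`, `Issue`, `Verify`, `RedirectToken`, `Refresh` and the two TTL constants are assumptions for the example. It also shows the failure mode the issue describes: a redirect token replayed after its short window is rejected, so it can no longer be used to re-initiate a logged-out session.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Lifetimes per delivery channel (constructed values for this example, not the
// project's settings). A token carried in a redirect URL ends up in browser
// history, proxy logs and Referer headers, so it gets seconds; a token that the
// consumer has refreshed into a session, header or cookie can live longer.
const (
	RedirectTokenTTL = 30 * time.Second
	SessionTokenTTL  = 8 * time.Hour
)

// Claims is the signed payload; only the fields this example needs.
type Claims struct {
	Subject   string `json:"sub"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

// Issuer signs tokens with an HMAC key. The scheme is a stand-in for a JWT library.
type Issuer struct {
	key []byte
}

// Issue follows the issue's proposal: the caller passes the expiry time instead
// of the issuer reading one global Expiration option.
func (i *Issuer) Issue(subject string, issuedAt, expiresAt time.Time) (string, error) {
	if !expiresAt.After(issuedAt) {
		return "", errors.New("expiry must be after issue time")
	}
	payload, err := json.Marshal(Claims{Subject: subject, IssuedAt: issuedAt.Unix(), ExpiresAt: expiresAt.Unix()})
	if err != nil {
		return "", err
	}
	body := base64.RawURLEncoding.EncodeToString(payload)
	return body + "." + i.sign(body), nil
}

func (i *Issuer) sign(body string) string {
	mac := hmac.New(sha256.New, i.key)
	mac.Write([]byte(body))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Verify checks the signature first, then the expiry against the supplied clock.
// Taking `now` as a parameter keeps the check deterministic and testable.
func (i *Issuer) Verify(token string, now time.Time) (*Claims, error) {
	body, sig, ok := strings.Cut(token, ".")
	if !ok {
		return nil, errors.New("malformed token")
	}
	if !hmac.Equal([]byte(sig), []byte(i.sign(body))) {
		return nil, errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(body)
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// RedirectToken is what the login reply would place in the redirect URL.
func (i *Issuer) RedirectToken(subject string, now time.Time) (string, error) {
	return i.Issue(subject, now, now.Add(RedirectTokenTTL))
}

// Refresh is what the consumer calls at the first opportunity after the
// redirect: it trades a still-valid short token for a long-lived session token.
func (i *Issuer) Refresh(redirectToken string, now time.Time) (string, error) {
	c, err := i.Verify(redirectToken, now)
	if err != nil {
		return "", fmt.Errorf("refresh rejected: %w", err)
	}
	return i.Issue(c.Subject, now, now.Add(SessionTokenTTL))
}

func main() {
	iss := &Issuer{key: []byte("constructed-example-key")}
	now := time.Now()
	short, _ := iss.RedirectToken("alice", now)
	fmt.Println("redirect token:", short)
	long, err := iss.Refresh(short, now.Add(5*time.Second))
	fmt.Println("session token:", long, "err:", err)
	_, err = iss.Refresh(short, now.Add(RedirectTokenTTL+time.Second))
	fmt.Println("replay after window:", err)
}
```

The point of passing both the expiry on issue and the clock on verify is that the lifetime decision lives with the call site that knows the delivery channel (step 1 and step 2 above), and the admin login form simply calls the short-lived path (step 3).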

Labels: enhancement (New feature or request)