Add option to disable refresh token invalidation (#6584)

* Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 09:50:21 +02:00 · 2019-04-12 09:50:21 +02:00 · 783cd64927
commit 783cd64927
parent 3ff0a126e1
6 changed files with 57 additions and 11 deletions
--- a/modules/auth/user_form.go
+++ b/modules/auth/user_form.go
@ -172,7 +172,6 @@ type AccessTokenForm struct {
 	ClientID     string
 	ClientSecret string
 	RedirectURI  string
-	// TODO Specify authentication code length to prevent against birthday attacks
 	Code         string
 	RefreshToken string

--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -304,12 +304,14 @@ var (
 		Enable                     bool
 		AccessTokenExpirationTime  int64
 		RefreshTokenExpirationTime int64
+		InvalidateRefreshTokens    bool
 		JWTSecretBytes             []byte `ini:"-"`
 		JWTSecretBase64            string `ini:"JWT_SECRET"`
 	}{
 		Enable:                     true,
 		AccessTokenExpirationTime:  3600,
 		RefreshTokenExpirationTime: 730,
+		InvalidateRefreshTokens:    false,
 	}

 	U2F = struct {