From 89b1723d35c0148860bdca4f28074c1ffd3e0f89 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Mon, 22 Jul 2024 20:45:13 +0200
Subject: [PATCH] [FEAT] Enable `INVALIDATE_REFRESH_TOKENS`

- It's possible to detect if refresh tokens are used more than once, if it's used more than it's a indication of a replay attack and it should invalidate the associated access token. This behavior is controlled by the `INVALIDATE_REFRESH_TOKENS` setting.
- Altough in a normal scenario where TLS is being used, it should be very hard to get to situation where replay attacks are being used, but this is better safe than sorry.
- Enable `INVALIDATE_REFRESH_TOKENS` by default.

---
 modules/setting/oauth2.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/setting/oauth2.go b/modules/setting/oauth2.go
index 76820adff0..86617f7513 100644
--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@@ -104,7 +104,7 @@ var OAuth2 = struct {
 	Enabled:                    true,
 	AccessTokenExpirationTime:  3600,
 	RefreshTokenExpirationTime: 730,
-	InvalidateRefreshTokens:    false,
+	InvalidateRefreshTokens:    true,
 	JWTSigningAlgorithm:        "RS256",
 	JWTSigningPrivateKeyFile:   "jwt/private.pem",
 	MaxTokenLength:             math.MaxInt16,
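Review bot: The flipped default on the `InvalidateRefreshTokens: true,` line is a behaviour change for every existing deployment, yet nothing in the literal says what the flag does or why the stricter default was chosen; I would add a comment above it, `// Treat a refresh token presented more than once as replay and revoke the grant; the safer default since reuse is never legitimate under rotation.` so the next maintainer does not silently flip it back. One consequence worth stating in the comment or the release notes is that a client which retries a refresh request after losing the response (the old token is now spent) will be treated as a replay and lose its session — that is the intended trade-off, but operators should know before upgrading. The setting's documented default in the example config and the config cheat sheet presumably still reads `false` and should be updated in the same change, though those files are not in this diff. The enclosing `var OAuth2 = struct { ... }{` literal begins and ends outside the hunk.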