Mirror of https://codeberg.org/forgejo/forgejo.git, synced 2024-12-01 16:38:37 +00:00
[FEAT] Enable INVALIDATE_REFRESH_TOKENS
- It's possible to detect if refresh tokens are used more than once; if one is used more than once, it's an indication of a replay attack and it should invalidate the associated access token. This behavior is controlled by the `INVALIDATE_REFRESH_TOKENS` setting.
- Although in a normal scenario where TLS is being used, it should be very hard to get to a situation where replay attacks are being used, this is better safe than sorry.
- Enable `INVALIDATE_REFRESH_TOKENS` by default.
Parent: de24846309
Commit: 89b1723d35
|
@ -104,7 +104,7 @@ var OAuth2 = struct {
|
||||||
Enabled: true,
|
Enabled: true,
|
||||||
AccessTokenExpirationTime: 3600,
|
AccessTokenExpirationTime: 3600,
|
||||||
RefreshTokenExpirationTime: 730,
|
RefreshTokenExpirationTime: 730,
|
||||||
InvalidateRefreshTokens: false,
|
InvalidateRefreshTokens: true,
|
||||||
JWTSigningAlgorithm: "RS256",
|
JWTSigningAlgorithm: "RS256",
|
||||||
JWTSigningPrivateKeyFile: "jwt/private.pem",
|
JWTSigningPrivateKeyFile: "jwt/private.pem",
|
||||||
MaxTokenLength: math.MaxInt16,
|
MaxTokenLength: math.MaxInt16,
|
||||||
|
|
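Review bot: flipping the compiled default of `InvalidateRefreshTokens` from `false` to `true` changes behaviour for every deployment that has not set `INVALIDATE_REFRESH_TOKENS` explicitly, but this hunk touches only the struct literal; the example configuration and the setting's documentation should be updated in the same change so the documented default matches the code, and the release notes should call it out, since with this default a client that legitimately retries a refresh (for example after a lost response) will now have its access token invalidated rather than silently succeeding on the second attempt.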