fedi/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-08 08:04:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

[FEAT] Enable INVALIDATE_REFRESH_TOKENS

Browse source 
- It's possible to detect if refresh tokens are used more than once, if
it's used more than it's a indication of a replay attack and it should
invalidate the associated access token. This behavior is controlled by
the `INVALIDATE_REFRESH_TOKENS` setting.
- Altough in a normal scenario where TLS is being used, it should be
very hard to get to situation where replay attacks are being used, but
this is better safe than sorry.
- Enable `INVALIDATE_REFRESH_TOKENS` by default.
This commit is contained in:
Gusted 2024-07-22 20:45:13 +02:00
parent de24846309
commit 89b1723d35
No known key found for this signature in database
GPG key ID: FD821B732837125F
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
modules/setting/oauth2.go
View file

@ -104,7 +104,7 @@ var OAuth2 = struct {
Enabled: true, Enabled: true,
AccessTokenExpirationTime: 3600, AccessTokenExpirationTime: 3600,
RefreshTokenExpirationTime: 730, RefreshTokenExpirationTime: 730,
InvalidateRefreshTokens: false, InvalidateRefreshTokens: true,
JWTSigningAlgorithm: "RS256", JWTSigningAlgorithm: "RS256",
JWTSigningPrivateKeyFile: "jwt/private.pem", JWTSigningPrivateKeyFile: "jwt/private.pem",
MaxTokenLength: math.MaxInt16, MaxTokenLength: math.MaxInt16,