Rename unstable access_token_lifetime configuration option to refreshable_access_token_lifetime to make it clear it only concerns refreshable access tokens. (#11388)

This commit is contained in:
reivilibre 2021-11-23 17:01:34 +00:00 committed by GitHub
parent 55669bd3de
commit f25c75d376
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 36 additions and 16 deletions

1
changelog.d/11388.misc Normal file
View File

@ -0,0 +1 @@
Rename unstable `access_token_lifetime` configuration option to `refreshable_access_token_lifetime` to make it clear it only concerns refreshable access tokens.

View File

@ -112,25 +112,32 @@ class RegistrationConfig(Config):
session_lifetime = self.parse_duration(session_lifetime) session_lifetime = self.parse_duration(session_lifetime)
self.session_lifetime = session_lifetime self.session_lifetime = session_lifetime
# The `access_token_lifetime` applies for tokens that can be renewed # The `refreshable_access_token_lifetime` applies for tokens that can be renewed
# using a refresh token, as per MSC2918. If it is `None`, the refresh # using a refresh token, as per MSC2918. If it is `None`, the refresh
# token mechanism is disabled. # token mechanism is disabled.
# #
# Since it is incompatible with the `session_lifetime` mechanism, it is set to # Since it is incompatible with the `session_lifetime` mechanism, it is set to
# `None` by default if a `session_lifetime` is set. # `None` by default if a `session_lifetime` is set.
access_token_lifetime = config.get( refreshable_access_token_lifetime = config.get(
"access_token_lifetime", "5m" if session_lifetime is None else None "refreshable_access_token_lifetime",
"5m" if session_lifetime is None else None,
) )
if access_token_lifetime is not None: if refreshable_access_token_lifetime is not None:
access_token_lifetime = self.parse_duration(access_token_lifetime) refreshable_access_token_lifetime = self.parse_duration(
self.access_token_lifetime = access_token_lifetime refreshable_access_token_lifetime
)
self.refreshable_access_token_lifetime = refreshable_access_token_lifetime
if session_lifetime is not None and access_token_lifetime is not None: if (
session_lifetime is not None
and refreshable_access_token_lifetime is not None
):
raise ConfigError( raise ConfigError(
"The refresh token mechanism is incompatible with the " "The refresh token mechanism is incompatible with the "
"`session_lifetime` option. Consider disabling the " "`session_lifetime` option. Consider disabling the "
"`session_lifetime` option or disabling the refresh token " "`session_lifetime` option or disabling the refresh token "
"mechanism by removing the `access_token_lifetime` option." "mechanism by removing the `refreshable_access_token_lifetime` "
"option."
) )
# The fallback template used for authenticating using a registration token # The fallback template used for authenticating using a registration token

View File

@ -116,7 +116,9 @@ class RegistrationHandler:
self.pusher_pool = hs.get_pusherpool() self.pusher_pool = hs.get_pusherpool()
self.session_lifetime = hs.config.registration.session_lifetime self.session_lifetime = hs.config.registration.session_lifetime
self.access_token_lifetime = hs.config.registration.access_token_lifetime self.refreshable_access_token_lifetime = (
hs.config.registration.refreshable_access_token_lifetime
)
init_counters_for_auth_provider("") init_counters_for_auth_provider("")
@ -817,7 +819,9 @@ class RegistrationHandler:
user_id, user_id,
device_id=registered_device_id, device_id=registered_device_id,
) )
valid_until_ms = self.clock.time_msec() + self.access_token_lifetime valid_until_ms = (
self.clock.time_msec() + self.refreshable_access_token_lifetime
)
access_token = await self._auth_handler.create_access_token_for_user_id( access_token = await self._auth_handler.create_access_token_for_user_id(
user_id, user_id,

View File

@ -81,7 +81,9 @@ class LoginRestServlet(RestServlet):
self.saml2_enabled = hs.config.saml2.saml2_enabled self.saml2_enabled = hs.config.saml2.saml2_enabled
self.cas_enabled = hs.config.cas.cas_enabled self.cas_enabled = hs.config.cas.cas_enabled
self.oidc_enabled = hs.config.oidc.oidc_enabled self.oidc_enabled = hs.config.oidc.oidc_enabled
self._msc2918_enabled = hs.config.registration.access_token_lifetime is not None self._msc2918_enabled = (
hs.config.registration.refreshable_access_token_lifetime is not None
)
self.auth = hs.get_auth() self.auth = hs.get_auth()
@ -453,7 +455,9 @@ class RefreshTokenServlet(RestServlet):
def __init__(self, hs: "HomeServer"): def __init__(self, hs: "HomeServer"):
self._auth_handler = hs.get_auth_handler() self._auth_handler = hs.get_auth_handler()
self._clock = hs.get_clock() self._clock = hs.get_clock()
self.access_token_lifetime = hs.config.registration.access_token_lifetime self.refreshable_access_token_lifetime = (
hs.config.registration.refreshable_access_token_lifetime
)
async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]: async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
refresh_submission = parse_json_object_from_request(request) refresh_submission = parse_json_object_from_request(request)
@ -463,7 +467,9 @@ class RefreshTokenServlet(RestServlet):
if not isinstance(token, str): if not isinstance(token, str):
raise SynapseError(400, "Invalid param: refresh_token", Codes.INVALID_PARAM) raise SynapseError(400, "Invalid param: refresh_token", Codes.INVALID_PARAM)
valid_until_ms = self._clock.time_msec() + self.access_token_lifetime valid_until_ms = (
self._clock.time_msec() + self.refreshable_access_token_lifetime
)
access_token, refresh_token = await self._auth_handler.refresh_token( access_token, refresh_token = await self._auth_handler.refresh_token(
token, valid_until_ms token, valid_until_ms
) )
@ -562,7 +568,7 @@ class CasTicketServlet(RestServlet):
def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None: def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
LoginRestServlet(hs).register(http_server) LoginRestServlet(hs).register(http_server)
if hs.config.registration.access_token_lifetime is not None: if hs.config.registration.refreshable_access_token_lifetime is not None:
RefreshTokenServlet(hs).register(http_server) RefreshTokenServlet(hs).register(http_server)
SsoRedirectServlet(hs).register(http_server) SsoRedirectServlet(hs).register(http_server)
if hs.config.cas.cas_enabled: if hs.config.cas.cas_enabled:

View File

@ -420,7 +420,9 @@ class RegisterRestServlet(RestServlet):
self.password_policy_handler = hs.get_password_policy_handler() self.password_policy_handler = hs.get_password_policy_handler()
self.clock = hs.get_clock() self.clock = hs.get_clock()
self._registration_enabled = self.hs.config.registration.enable_registration self._registration_enabled = self.hs.config.registration.enable_registration
self._msc2918_enabled = hs.config.registration.access_token_lifetime is not None self._msc2918_enabled = (
hs.config.registration.refreshable_access_token_lifetime is not None
)
self._registration_flows = _calculate_registration_flows( self._registration_flows = _calculate_registration_flows(
hs.config, self.auth_handler hs.config, self.auth_handler

View File

@ -598,7 +598,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
refresh_response.json_body["refresh_token"], refresh_response.json_body["refresh_token"],
) )
@override_config({"access_token_lifetime": "1m"}) @override_config({"refreshable_access_token_lifetime": "1m"})
def test_refresh_token_expiration(self): def test_refresh_token_expiration(self):
""" """
The access token should have some time as specified in the config. The access token should have some time as specified in the config.