Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Rename unstable access_token_lifetime configuration option to refreshable_access_token_lifetime to make it clear it only concerns refreshable access tokens. #11388

Merged
merged 5 commits into from
Nov 23, 2021
Merged

Rename unstable access_token_lifetime configuration option to refreshable_access_token_lifetime to make it clear it only concerns refreshable access tokens. #11388

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
dfda966
Rename access_token_lifetime option to make it clear it's about refre…
reivilibre Nov 18, 2021
e91866b
Newsfile
reivilibre Nov 18, 2021
612c173
Don't forget to update the test that sets the config option :)
reivilibre Nov 18, 2021
5db51e1
Also rename in RegistrationHandler
reivilibre Nov 23, 2021
6f1016a
Also rename in RefreshTokenServlet
reivilibre Nov 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/11388.misc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Rename unstable `access_token_lifetime` configuration option to `refreshable_access_token_lifetime` to make it clear it only concerns refreshable access tokens.
23 changes: 15 additions & 8 deletions synapse/config/registration.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,25 +114,32 @@ def read_config(self, config, **kwargs):
session_lifetime = self.parse_duration(session_lifetime)
self.session_lifetime = session_lifetime

# The `access_token_lifetime` applies for tokens that can be renewed
# The `refreshable_access_token_lifetime` applies for tokens that can be renewed
# using a refresh token, as per MSC2918. If it is `None`, the refresh
# token mechanism is disabled.
#
# Since it is incompatible with the `session_lifetime` mechanism, it is set to
# `None` by default if a `session_lifetime` is set.
access_token_lifetime = config.get(
"access_token_lifetime", "5m" if session_lifetime is None else None
refreshable_access_token_lifetime = config.get(
"refreshable_access_token_lifetime",
"5m" if session_lifetime is None else None,
)
if access_token_lifetime is not None:
access_token_lifetime = self.parse_duration(access_token_lifetime)
self.access_token_lifetime = access_token_lifetime
if refreshable_access_token_lifetime is not None:
refreshable_access_token_lifetime = self.parse_duration(
refreshable_access_token_lifetime
)
self.refreshable_access_token_lifetime = refreshable_access_token_lifetime

if session_lifetime is not None and access_token_lifetime is not None:
if (
session_lifetime is not None
and refreshable_access_token_lifetime is not None
):
raise ConfigError(
"The refresh token mechanism is incompatible with the "
"`session_lifetime` option. Consider disabling the "
"`session_lifetime` option or disabling the refresh token "
"mechanism by removing the `access_token_lifetime` option."
"mechanism by removing the `refreshable_access_token_lifetime` "
"option."
)

# The fallback template used for authenticating using a registration token
Expand Down
8 changes: 6 additions & 2 deletions synapse/handlers/register.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,9 @@ def __init__(self, hs: "HomeServer"):
self.pusher_pool = hs.get_pusherpool()

self.session_lifetime = hs.config.registration.session_lifetime
self.access_token_lifetime = hs.config.registration.access_token_lifetime
self.refreshable_access_token_lifetime = (
hs.config.registration.refreshable_access_token_lifetime
)

init_counters_for_auth_provider("")

Expand Down Expand Up @@ -817,7 +819,9 @@ class and RegisterDeviceReplicationServlet.
user_id,
device_id=registered_device_id,
)
valid_until_ms = self.clock.time_msec() + self.access_token_lifetime
valid_until_ms = (
self.clock.time_msec() + self.refreshable_access_token_lifetime
)

access_token = await self._auth_handler.create_access_token_for_user_id(
user_id,
Expand Down
14 changes: 10 additions & 4 deletions synapse/rest/client/login.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,9 @@ def __init__(self, hs: "HomeServer"):
self.saml2_enabled = hs.config.saml2.saml2_enabled
self.cas_enabled = hs.config.cas.cas_enabled
self.oidc_enabled = hs.config.oidc.oidc_enabled
self._msc2918_enabled = hs.config.registration.access_token_lifetime is not None
self._msc2918_enabled = (
hs.config.registration.refreshable_access_token_lifetime is not None
)

self.auth = hs.get_auth()

Expand Down Expand Up @@ -452,7 +454,9 @@ class RefreshTokenServlet(RestServlet):
def __init__(self, hs: "HomeServer"):
self._auth_handler = hs.get_auth_handler()
self._clock = hs.get_clock()
self.access_token_lifetime = hs.config.registration.access_token_lifetime
self.refreshable_access_token_lifetime = (
hs.config.registration.refreshable_access_token_lifetime
)

async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
refresh_submission = parse_json_object_from_request(request)
Expand All @@ -462,7 +466,9 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
if not isinstance(token, str):
raise SynapseError(400, "Invalid param: refresh_token", Codes.INVALID_PARAM)

valid_until_ms = self._clock.time_msec() + self.access_token_lifetime
valid_until_ms = (
self._clock.time_msec() + self.refreshable_access_token_lifetime
)
access_token, refresh_token = await self._auth_handler.refresh_token(
token, valid_until_ms
)
Expand Down Expand Up @@ -561,7 +567,7 @@ async def on_GET(self, request: SynapseRequest) -> None:

def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
LoginRestServlet(hs).register(http_server)
if hs.config.registration.access_token_lifetime is not None:
if hs.config.registration.refreshable_access_token_lifetime is not None:
RefreshTokenServlet(hs).register(http_server)
SsoRedirectServlet(hs).register(http_server)
if hs.config.cas.cas_enabled:
Expand Down
4 changes: 3 additions & 1 deletion synapse/rest/client/register.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -420,7 +420,9 @@ def __init__(self, hs: "HomeServer"):
self.password_policy_handler = hs.get_password_policy_handler()
self.clock = hs.get_clock()
self._registration_enabled = self.hs.config.registration.enable_registration
self._msc2918_enabled = hs.config.registration.access_token_lifetime is not None
self._msc2918_enabled = (
hs.config.registration.refreshable_access_token_lifetime is not None
)

self._registration_flows = _calculate_registration_flows(
hs.config, self.auth_handler
Expand Down
2 changes: 1 addition & 1 deletion tests/rest/client/test_auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -598,7 +598,7 @@ def test_token_refresh(self):
refresh_response.json_body["refresh_token"],
)

@override_config({"access_token_lifetime": "1m"})
@override_config({"refreshable_access_token_lifetime": "1m"})
def test_refresh_token_expiration(self):
"""
The access token should have some time as specified in the config.
Expand Down