mirror of
https://codeberg.org/forgejo/forgejo
synced 2024-11-22 09:54:24 +01:00
[FEAT] Enable INVALIDATE_REFRESH_TOKENS
- It's possible to detect if refresh tokens are used more than once, if it's used more than it's a indication of a replay attack and it should invalidate the associated access token. This behavior is controlled by the `INVALIDATE_REFRESH_TOKENS` setting. - Altough in a normal scenario where TLS is being used, it should be very hard to get to situation where replay attacks are being used, but this is better safe than sorry. - Enable `INVALIDATE_REFRESH_TOKENS` by default.
This commit is contained in:
parent
de24846309
commit
89b1723d35
|
@ -104,7 +104,7 @@ var OAuth2 = struct {
|
|||
Enabled: true,
|
||||
AccessTokenExpirationTime: 3600,
|
||||
RefreshTokenExpirationTime: 730,
|
||||
InvalidateRefreshTokens: false,
|
||||
InvalidateRefreshTokens: true,
|
||||
JWTSigningAlgorithm: "RS256",
|
||||
JWTSigningPrivateKeyFile: "jwt/private.pem",
|
||||
MaxTokenLength: math.MaxInt16,
|
||||
|
|
Loading…
Reference in a new issue