Feature #16678
closed
Default lifetime for tokens issued through login
Added by Peter Amstutz about 4 years ago.
Updated about 4 years ago.
Release relationship:
Auto
Description
Add a configuration where tokens issued through web login have a default lifetime. An expiration time of 8 or 12 hours implements a policy where users are required to log in again each day, and limits the amount of time an attacker could make use of a stolen token. The token is prevented from manipulating other tokens (i.e. getting other tokens or creating a new token without an expiration).
Document this feature in the admin section.
- Category set to API
- Description updated (diff)
- Description updated (diff)
- Target version set to 2020-08-26 Sprint
- Description updated (diff)
- Assigned To set to Lucas Di Pentima
- Status changed from New to In Progress
Updates at 00e16fb - branch 16678-login-tokens-lifetime-config
Test run: developer-run-tests: #2026
- Sets new config knob
Login.TokenLifetime
that takes a Duration
value that will be used to set the expires_at
field on ApiClientAuthorization
resources. Its default value is zero meaning that the feature is disabled.
- Now that I see it with fresh eyes after the weekend, it may be more consistent to name it something like
Login.TokenTTL
- On tokens created from a login flow:
- Set the token expiration date if configured.
- Set the
is_trusted
flag to false
even if coming from trusted URLs (workbenches) to avoid the user to create new tokens.
- Adds rake tasks
db:check_long_lived_tokens
and db:fix_long_lived_tokens
to allow the site admin to migrate from a previous token policy (eg: unexpiring tokens) to a more strict policy wrt to preexistent tokens.
Pending: Documentation
- % Done changed from 0 to 100
- Status changed from In Progress to Resolved
Also available in: Atom
PDF