Add option to disable refresh token invalidation (#6584) (#6587)

* Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software> (cherry picked from commit 783cd64927) Signed-off-by: Jonas Franz <info@jonasfranz.software>
2025-11-04 08:30:25 +08:00 · 2019-04-12 12:42:44 +02:00
parent 5be1b7df3f
commit 72f4cdf868
6 changed files with 57 additions and 11 deletions
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@@ -661,6 +661,8 @@ ENABLED = true
 ACCESS_TOKEN_EXPIRATION_TIME=3600
 ; Lifetime of an OAuth2 access token in hours
 REFRESH_TOKEN_EXPIRATION_TIME=730
 ; Check if refresh token got already used
 INVALIDATE_REFRESH_TOKENS=false
 ; OAuth2 authentication secret for access and refresh tokens, change this a unique string.
 JWT_SECRET=Bk0yK7Y9g_p56v86KaHqjSbxvNvu3SbKoOdOt2ZcXvU
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -350,6 +350,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `ENABLED`: **true**: Enables OAuth2 provider.
 - `ACCESS_TOKEN_EXPIRATION_TIME`: **3600**: Lifetime of an OAuth2 access token in seconds
 - `REFRESH_TOKEN_EXPIRATION_TIME`: **730**: Lifetime of an OAuth2 access token in hours
 - `INVALIDATE_REFRESH_TOKEN`: **false**: Check if refresh token got already used
 - `JWT_SECRET`: **\<empty\>**: OAuth2 authentication secret for access and refresh tokens, change this a unique string.
 ## i18n (`i18n`)
--- a/integrations/oauth_test.go
+++ b/integrations/oauth_test.go
@@ -8,6 +8,8 @@ import (
 	"encoding/json"
 	"testing"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/stretchr/testify/assert"
 )
@@ -177,3 +179,42 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) {
 	})
 	resp = MakeRequest(t, req, 400)
 }
 func TestRefreshTokenInvalidation(t *testing.T) {
 	prepareTestEnv(t)
 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
 		"grant_type":    "authorization_code",
 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
 		"redirect_uri":  "a",
 		"code":          "authcode",
 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
 	})
 	resp := MakeRequest(t, req, 200)
 	type response struct {
 		AccessToken  string `json:"access_token"`
 		TokenType    string `json:"token_type"`
 		ExpiresIn    int64  `json:"expires_in"`
 		RefreshToken string `json:"refresh_token"`
 	}
 	parsed := new(response)
 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
 	// test without invalidation
 	setting.OAuth2.InvalidateRefreshTokens = false
 	refreshReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
 		"grant_type":    "refresh_token",
 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
 		"redirect_uri":  "a",
 		"refresh_token": parsed.RefreshToken,
 	})
 	MakeRequest(t, refreshReq, 200)
 	MakeRequest(t, refreshReq, 200)
 	// test with invalidation
 	setting.OAuth2.InvalidateRefreshTokens = true
 	MakeRequest(t, refreshReq, 200)
 	MakeRequest(t, refreshReq, 400)
 }
--- a/modules/auth/user_form.go
+++ b/modules/auth/user_form.go
@@ -172,7 +172,6 @@ type AccessTokenForm struct {
 	ClientID     string
 	ClientSecret string
 	RedirectURI  string
 	// TODO Specify authentication code length to prevent against birthday attacks
 	Code         string
 	RefreshToken string
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -299,12 +299,14 @@ var (
 		Enable                     bool
 		AccessTokenExpirationTime  int64
 		RefreshTokenExpirationTime int64
 		InvalidateRefreshTokens    bool
 		JWTSecretBytes             []byte `ini:"-"`
 		JWTSecretBase64            string `ini:"JWT_SECRET"`
 	}{
 		Enable:                     true,
 		AccessTokenExpirationTime:  3600,
 		RefreshTokenExpirationTime: 730,
 		InvalidateRefreshTokens:    false,
 	}
 	U2F = struct {
--- a/routers/user/oauth.go
+++ b/routers/user/oauth.go
@@ -102,18 +102,19 @@ const (
 // AccessTokenResponse represents a successful access token response
 type AccessTokenResponse struct {
-	AccessToken string    `json:"access_token"`
+	AccessToken  string    `json:"access_token"`
-	TokenType   TokenType `json:"token_type"`
+	TokenType    TokenType `json:"token_type"`
-	ExpiresIn   int64     `json:"expires_in"`
+	ExpiresIn    int64     `json:"expires_in"`
-	// TODO implement RefreshToken
+	RefreshToken string    `json:"refresh_token"`
 	RefreshToken string `json:"refresh_token"`
 }
 func newAccessTokenResponse(grant *models.OAuth2Grant) (*AccessTokenResponse, *AccessTokenError) {
-	if err := grant.IncreaseCounter(); err != nil {
+	if setting.OAuth2.InvalidateRefreshTokens {
-		return nil, &AccessTokenError{
+		if err := grant.IncreaseCounter(); err != nil {
-			ErrorCode:        AccessTokenErrorCodeInvalidGrant,
+			return nil, &AccessTokenError{
-			ErrorDescription: "cannot increase the grant counter",
+				ErrorCode:        AccessTokenErrorCodeInvalidGrant,
 				ErrorDescription: "cannot increase the grant counter",
 			}
 		}
 	}
 	// generate access token to access the API
@@ -366,7 +367,7 @@ func handleRefreshToken(ctx *context.Context, form auth.AccessTokenForm) {
 	}
 	// check if token got already used
-	if grant.Counter != token.Counter || token.Counter == 0 {
+	if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) {
 		handleAccessTokenError(ctx, AccessTokenError{
 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
 			ErrorDescription: "token was already used",