Rename unstable access_token_lifetime configuration option to `refr…

…eshable_access_token_lifetime` to make it clear it only concerns refreshable access tokens. (#11388)
matrix-org · Nov 23, 2021 · f25c75d · f25c75d
1 parent 55669bd
commit f25c75d
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 16 deletions.
diff --git a/changelog.d/11388.misc b/changelog.d/11388.misc
@@ -0,0 +1 @@
+Rename unstable `access_token_lifetime` configuration option to `refreshable_access_token_lifetime` to make it clear it only concerns refreshable access tokens.
diff --git a/synapse/config/registration.py b/synapse/config/registration.py
@@ -112,25 +112,32 @@ def read_config(self, config, **kwargs):
  session_lifetime = self.parse_duration(session_lifetime)
  self.session_lifetime = session_lifetime
 
- # The `access_token_lifetime` applies for tokens that can be renewed
+ # The `refreshable_access_token_lifetime` applies for tokens that can be renewed
  # using a refresh token, as per MSC2918. If it is `None`, the refresh
  # token mechanism is disabled.
  #
  # Since it is incompatible with the `session_lifetime` mechanism, it is set to
  # `None` by default if a `session_lifetime` is set.
- access_token_lifetime = config.get(
- "access_token_lifetime", "5m" if session_lifetime is None else None
+ refreshable_access_token_lifetime = config.get(
+ "refreshable_access_token_lifetime",
+ "5m" if session_lifetime is None else None,
  )
- if access_token_lifetime is not None:
- access_token_lifetime = self.parse_duration(access_token_lifetime)
- self.access_token_lifetime = access_token_lifetime
+ if refreshable_access_token_lifetime is not None:
+ refreshable_access_token_lifetime = self.parse_duration(
+ refreshable_access_token_lifetime
+ )
+ self.refreshable_access_token_lifetime = refreshable_access_token_lifetime
 
- if session_lifetime is not None and access_token_lifetime is not None:
+ if (
+ session_lifetime is not None
+ and refreshable_access_token_lifetime is not None
+ ):
  raise ConfigError(
  "The refresh token mechanism is incompatible with the "
  "`session_lifetime` option. Consider disabling the "
  "`session_lifetime` option or disabling the refresh token "
- "mechanism by removing the `access_token_lifetime` option."
+ "mechanism by removing the `refreshable_access_token_lifetime` "
+ "option."
  )
 
  # The fallback template used for authenticating using a registration token

diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py
@@ -116,7 +116,9 @@ def __init__(self, hs: "HomeServer"):
  self.pusher_pool = hs.get_pusherpool()
 
  self.session_lifetime = hs.config.registration.session_lifetime
- self.access_token_lifetime = hs.config.registration.access_token_lifetime
+ self.refreshable_access_token_lifetime = (
+ hs.config.registration.refreshable_access_token_lifetime
+ )
 
  init_counters_for_auth_provider("")
 
@@ -817,7 +819,9 @@ class and RegisterDeviceReplicationServlet.
  user_id,
  device_id=registered_device_id,
  )
- valid_until_ms = self.clock.time_msec() + self.access_token_lifetime
+ valid_until_ms = (
+ self.clock.time_msec() + self.refreshable_access_token_lifetime
+ )
 
  access_token = await self._auth_handler.create_access_token_for_user_id(
  user_id,

diff --git a/synapse/rest/client/login.py b/synapse/rest/client/login.py
@@ -81,7 +81,9 @@ def __init__(self, hs: "HomeServer"):
  self.saml2_enabled = hs.config.saml2.saml2_enabled
  self.cas_enabled = hs.config.cas.cas_enabled
  self.oidc_enabled = hs.config.oidc.oidc_enabled
- self._msc2918_enabled = hs.config.registration.access_token_lifetime is not None
+ self._msc2918_enabled = (
+ hs.config.registration.refreshable_access_token_lifetime is not None
+ )
 
  self.auth = hs.get_auth()
 
@@ -453,7 +455,9 @@ class RefreshTokenServlet(RestServlet):
  def __init__(self, hs: "HomeServer"):
  self._auth_handler = hs.get_auth_handler()
  self._clock = hs.get_clock()
- self.access_token_lifetime = hs.config.registration.access_token_lifetime
+ self.refreshable_access_token_lifetime = (
+ hs.config.registration.refreshable_access_token_lifetime
+ )
 
  async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
  refresh_submission = parse_json_object_from_request(request)
@@ -463,7 +467,9 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
  if not isinstance(token, str):
  raise SynapseError(400, "Invalid param: refresh_token", Codes.INVALID_PARAM)
 
- valid_until_ms = self._clock.time_msec() + self.access_token_lifetime
+ valid_until_ms = (
+ self._clock.time_msec() + self.refreshable_access_token_lifetime
+ )
  access_token, refresh_token = await self._auth_handler.refresh_token(
  token, valid_until_ms
  )
@@ -562,7 +568,7 @@ async def on_GET(self, request: SynapseRequest) -> None:
 
 def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
  LoginRestServlet(hs).register(http_server)
- if hs.config.registration.access_token_lifetime is not None:
+ if hs.config.registration.refreshable_access_token_lifetime is not None:
  RefreshTokenServlet(hs).register(http_server)
  SsoRedirectServlet(hs).register(http_server)
  if hs.config.cas.cas_enabled:

diff --git a/synapse/rest/client/register.py b/synapse/rest/client/register.py
@@ -420,7 +420,9 @@ def __init__(self, hs: "HomeServer"):
  self.password_policy_handler = hs.get_password_policy_handler()
  self.clock = hs.get_clock()
  self._registration_enabled = self.hs.config.registration.enable_registration
- self._msc2918_enabled = hs.config.registration.access_token_lifetime is not None
+ self._msc2918_enabled = (
+ hs.config.registration.refreshable_access_token_lifetime is not None
+ )
 
  self._registration_flows = _calculate_registration_flows(
  hs.config, self.auth_handler

diff --git a/tests/rest/client/test_auth.py b/tests/rest/client/test_auth.py
@@ -598,7 +598,7 @@ def test_token_refresh(self):
  refresh_response.json_body["refresh_token"],
  )
 
- @override_config({"access_token_lifetime": "1m"})
+ @override_config({"refreshable_access_token_lifetime": "1m"})
  def test_refresh_token_expiration(self):
  """
  The access token should have some time as specified in the config.