Skip to content

Make JWT token refresh optional #6433

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
+19 −8
Open

Make JWT token refresh optional #6433

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
f7db782
Add option to disable refresh token renewal
Momi-V Nov 3, 2025
790df68
Add logic to make token renew optional
Momi-V Nov 3, 2025
3a000cc
Add Clone trait to TokenWrapper enum
Momi-V Nov 3, 2025
e38a5fc
Reuse original claims struct for refresh token renewal
Momi-V Nov 3, 2025
aea2b84
pass original refresh_claim into renewal function
Momi-V Nov 3, 2025
9b44d04
Pass correct type
Momi-V Nov 3, 2025
86a57fa
Add optional parameter existing_refresh_claims to AuthTokens
Momi-V Nov 3, 2025
3be4384
Add optional parameter existing_refresh_claims to AuthTokens
Momi-V Nov 3, 2025
36d55aa
Add Clone trait to RefreshJwtClaims struct
Momi-V Nov 3, 2025
b3fc25e
Clone refresh_claims.sub
Momi-V Nov 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/api/identity.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -433,7 +433,7 @@ async fn _password_login(

let twofactor_token = twofactor_auth(&mut user, &data, &mut device, ip, client_version, conn).await?;

let auth_tokens = auth::AuthTokens::new(&device, &user, AuthMethod::Password, data.client_id);
let auth_tokens = auth::AuthTokens::new(&device, &user, AuthMethod::Password, data.client_id, None);

authenticated_response(&user, &mut device, auth_tokens, twofactor_token, &now, conn, ip).await
}
Expand Down
19 changes: 13 additions & 6 deletions src/auth.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1129,13 +1129,13 @@ impl AuthMethod {
}
}

#[derive(Debug, Serialize, Deserialize)]
#[derive(Clone, Debug, Serialize, Deserialize)]
pub enum TokenWrapper {
Access(String),
Refresh(String),
}

#[derive(Debug, Serialize, Deserialize)]
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct RefreshJwtClaims {
// Not before
pub nbf: i64,
Expand Down Expand Up @@ -1175,7 +1175,7 @@ impl AuthTokens {
}

// Create refresh_token and access_token with default validity
pub fn new(device: &Device, user: &User, sub: AuthMethod, client_id: Option<String>) -> Self {
pub fn new(device: &Device, user: &User, sub: AuthMethod, client_id: Option<String>, existing_refresh_claims: Option<&RefreshJwtClaims>) -> Self {
let time_now = Utc::now();

let access_claims = LoginJwtClaims::default(device, user, &sub, client_id);
Expand All @@ -1186,7 +1186,7 @@ impl AuthTokens {
*DEFAULT_REFRESH_VALIDITY
};

let refresh_claims = RefreshJwtClaims {
let default_refresh_claims = RefreshJwtClaims {
nbf: time_now.timestamp(),
exp: (time_now + validity).timestamp(),
iss: JWT_LOGIN_ISSUER.to_string(),
Expand All @@ -1195,6 +1195,13 @@ impl AuthTokens {
token: None,
};

let refresh_claims = if CONFIG.disable_refresh_token_renewal() {
// Use existing_refresh_claims if passed and config is enabled
existing_refresh_claims.cloned().unwrap_or(default_refresh_claims)
} else {
default_refresh_claims
};

Self {
refresh_claims,
access_claims,
Expand Down Expand Up @@ -1232,14 +1239,14 @@ pub async fn refresh_tokens(

let auth_tokens = match refresh_claims.sub {
AuthMethod::Sso if CONFIG.sso_enabled() && CONFIG.sso_auth_only_not_session() => {
AuthTokens::new(&device, &user, refresh_claims.sub, client_id)
AuthTokens::new(&device, &user, refresh_claims.sub.clone(), client_id, Some(&refresh_claims))
}
AuthMethod::Sso if CONFIG.sso_enabled() => {
sso::exchange_refresh_token(&device, &user, client_id, refresh_claims).await?
}
AuthMethod::Sso => err!("SSO is now disabled, Login again using email and master password"),
AuthMethod::Password if CONFIG.sso_enabled() && CONFIG.sso_only() => err!("SSO is now required, Login again"),
AuthMethod::Password => AuthTokens::new(&device, &user, refresh_claims.sub, client_id),
AuthMethod::Password => AuthTokens::new(&device, &user, refresh_claims.sub.clone(), client_id, Some(&refresh_claims)),
_ => err!("Invalid auth method, cannot refresh token"),
};

Expand Down
4 changes: 4 additions & 0 deletions src/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -706,6 +706,10 @@ make_config! {
/// Note that the checkbox would still be present, but ignored.
disable_2fa_remember: bool, true, def, false;

/// Disable refresh token renewal |> If true, disables sliding window for refresh token expiry.
/// This only renews the token on a full login (Password (+2FA), SSO, etc.) forcing a full reauth every 30 days (90 for the native app)
disable_refresh_token_renewal: bool, true, def, false;

/// Disable authenticator time drifted codes to be valid |> Enabling this only allows the current TOTP code to be valid
/// TOTP codes of the previous and next 30 seconds will be invalid.
authenticator_disable_time_drift: bool, true, def, false;
Expand Down
2 changes: 1 addition & 1 deletion src/sso.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -361,7 +361,7 @@ pub fn create_auth_tokens(

_create_auth_tokens(device, refresh_token, access_claims, access_token)
} else {
Ok(AuthTokens::new(device, user, AuthMethod::Sso, client_id))
Ok(AuthTokens::new(device, user, AuthMethod::Sso, client_id, None))
}
}

Expand Down