Make OAuth token expiry configurable via env vars

backend/config/__init__.py

@@ -113,6 +113,12 @@ ROMM_AUTH_SECRET_KEY: Final[str] = _get_env("ROMM_AUTH_SECRET_KEY", "")
 if not ROMM_AUTH_SECRET_KEY:
     raise ValueError("ROMM_AUTH_SECRET_KEY environment variable is not set!")
 
+OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS: Final[int] = safe_int(
+    _get_env("OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS"), 30 * 60
+)  # 30 minutes, in seconds
+OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS: Final[int] = safe_int(
+    _get_env("OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS"), 7 * 24 * 60 * 60
+)  # 7 days, in seconds
 SESSION_MAX_AGE_SECONDS: Final[int] = safe_int(
     _get_env("SESSION_MAX_AGE_SECONDS"), 14 * 24 * 60 * 60
 )  # 14 days, in seconds

backend/endpoints/auth.py

@@ -7,6 +7,8 @@ from fastapi.responses import RedirectResponse
 from fastapi.security.http import HTTPBasic
 
 from config import (
+    OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS,
+    OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS,
     OIDC_ENABLED,
     OIDC_END_SESSION_ENDPOINT,
     OIDC_REDIRECT_URI,
@@ -28,9 +30,6 @@ from logger.formatter import highlight as hl
 from logger.logger import log
 from utils.router import APIRouter
 
-ACCESS_TOKEN_EXPIRE_SECONDS: Final = 30 * 60  # 30 minutes
-REFRESH_TOKEN_EXPIRE_DAYS: Final = 7
-
 router = APIRouter(
     tags=["auth"],
 )
@@ -147,7 +146,7 @@ async def token(form_data: Annotated[OAuth2RequestForm, Depends()]) -> TokenResp
                 "iss": "romm:oauth",
                 "scopes": claims.get("scopes"),
             },
-            expires_delta=timedelta(seconds=ACCESS_TOKEN_EXPIRE_SECONDS),
+            expires_delta=timedelta(seconds=OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS),
         )
 
         refresh_token = oauth_handler.create_refresh_token(
@@ -156,15 +155,15 @@ async def token(form_data: Annotated[OAuth2RequestForm, Depends()]) -> TokenResp
                 "iss": "romm:oauth",
                 "scopes": claims.get("scopes"),
             },
-            expires_delta=timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS),
+            expires_delta=timedelta(seconds=OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS),
         )
 
         return {
             "access_token": access_token,
             "refresh_token": refresh_token,
             "token_type": "bearer",  # trunk-ignore(bandit/B105)
-            "expires": ACCESS_TOKEN_EXPIRE_SECONDS,
-            "refresh_expires": REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60,
+            "expires": OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS,
+            "refresh_expires": OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS,
         }
 
     # Authentication via username/password
@@ -214,7 +213,7 @@ async def token(form_data: Annotated[OAuth2RequestForm, Depends()]) -> TokenResp
             "iss": "romm:oauth",
             "scopes": " ".join(form_data.scopes),
         },
-        expires_delta=timedelta(seconds=ACCESS_TOKEN_EXPIRE_SECONDS),
+        expires_delta=timedelta(seconds=OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS),
     )
 
     refresh_token = oauth_handler.create_refresh_token(
@@ -223,15 +222,15 @@ async def token(form_data: Annotated[OAuth2RequestForm, Depends()]) -> TokenResp
             "iss": "romm:oauth",
             "scopes": " ".join(form_data.scopes),
         },
-        expires_delta=timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS),
+        expires_delta=timedelta(seconds=OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS),
     )
 
     return {
         "access_token": access_token,
         "refresh_token": refresh_token,
         "token_type": "bearer",  # trunk-ignore(bandit/B105)
-        "expires": ACCESS_TOKEN_EXPIRE_SECONDS,
-        "refresh_expires": REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60,
+        "expires": OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS,
+        "refresh_expires": OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS,
     }
 
 

env.template

@@ -58,6 +58,8 @@ AUTHENTIK_BOOTSTRAP_PASSWORD=
 
 # Authentication
 ROMM_AUTH_SECRET_KEY=
+OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS=
+OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS=
 # Disable auth on download endpoint for 3rd party support
 DISABLE_DOWNLOAD_ENDPOINT_AUTH=
 # Disable CSRF protection for development and testing purposes