diff --git a/backend/config/__init__.py b/backend/config/__init__.py
index ffa7a3711..60aab94e6 100644
--- a/backend/config/__init__.py
+++ b/backend/config/__init__.py
@@ -113,6 +113,12 @@ ROMM_AUTH_SECRET_KEY: Final[str] = _get_env("ROMM_AUTH_SECRET_KEY", "")
 if not ROMM_AUTH_SECRET_KEY:
 raise ValueError("ROMM_AUTH_SECRET_KEY environment variable is not set!")
+OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS: Final[int] = safe_int(
+ _get_env("OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS"), 30 * 60
+) # 30 minutes, in seconds
+OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS: Final[int] = safe_int(
+ _get_env("OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS"), 7 * 24 * 60 * 60
+) # 7 days, in seconds
 SESSION_MAX_AGE_SECONDS: Final[int] = safe_int(
 _get_env("SESSION_MAX_AGE_SECONDS"), 14 * 24 * 60 * 60
 ) # 14 days, in seconds
diff --git a/backend/endpoints/auth.py b/backend/endpoints/auth.py
index b2e9948ee..7c820184a 100644
--- a/backend/endpoints/auth.py
+++ b/backend/endpoints/auth.py
@@ -7,6 +7,8 @@ from fastapi.responses import RedirectResponse
 from fastapi.security.http import HTTPBasic
 from config import (
+ OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS,
+ OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS,
 OIDC_ENABLED,
 OIDC_END_SESSION_ENDPOINT,
 OIDC_REDIRECT_URI,
@@ -28,9 +30,6 @@ from logger.formatter import highlight as hl
 from logger.logger import log
 from utils.router import APIRouter
-ACCESS_TOKEN_EXPIRE_SECONDS: Final = 30 * 60 # 30 minutes
-REFRESH_TOKEN_EXPIRE_DAYS: Final = 7
-
 router = APIRouter(
 tags=["auth"],
 )
@@ -147,7 +146,7 @@ async def token(form_data: Annotated[OAuth2RequestForm, Depends()]) -> TokenResp
 "iss": "romm:oauth",
 "scopes": claims.get("scopes"),
 },
- expires_delta=timedelta(seconds=ACCESS_TOKEN_EXPIRE_SECONDS),
+ expires_delta=timedelta(seconds=OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS),
 )
 refresh_token = oauth_handler.create_refresh_token(
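Review bot: The two new lifetimes in the config hunk are accepted without a range check, so an `OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS` of 0 or a negative value flows into `timedelta(seconds=...)` in auth.py and yields tokens that are expired on issue, while an arbitrarily large `OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS` makes refresh tokens effectively non-expiring. The module already fails fast on an empty `ROMM_AUTH_SECRET_KEY` two lines above, and the same treatment fits here: `if OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS <= 0 or OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS <= 0:` / `    raise ValueError("OAUTH_*_TOKEN_EXPIRE_SECONDS must be positive integers")`. Whether `safe_int` falls back to the default on an empty or non-numeric string is not visible in this diff and is worth confirming, since env.template ships both variables empty.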
@@ -156,15 +155,15 @@ async def token(form_data: Annotated[OAuth2RequestForm, Depends()]) -> TokenResp
 "iss": "romm:oauth",
 "scopes": claims.get("scopes"),
 },
- expires_delta=timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS),
+ expires_delta=timedelta(seconds=OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS),
 )
 return {
 "access_token": access_token,
 "refresh_token": refresh_token,
 "token_type": "bearer", # trunk-ignore(bandit/B105)
- "expires": ACCESS_TOKEN_EXPIRE_SECONDS,
- "refresh_expires": REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60,
+ "expires": OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS,
+ "refresh_expires": OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS,
 }
 # Authentication via username/password
@@ -214,7 +213,7 @@ async def token(form_data: Annotated[OAuth2RequestForm, Depends()]) -> TokenResp
 "iss": "romm:oauth",
 "scopes": " ".join(form_data.scopes),
 },
- expires_delta=timedelta(seconds=ACCESS_TOKEN_EXPIRE_SECONDS),
+ expires_delta=timedelta(seconds=OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS),
 )
 refresh_token = oauth_handler.create_refresh_token(
@@ -223,15 +222,15 @@ async def token(form_data: Annotated[OAuth2RequestForm, Depends()]) -> TokenResp
 "iss": "romm:oauth",
 "scopes": " ".join(form_data.scopes),
 },
- expires_delta=timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS),
+ expires_delta=timedelta(seconds=OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS),
 )
 return {
 "access_token": access_token,
 "refresh_token": refresh_token,
 "token_type": "bearer", # trunk-ignore(bandit/B105)
- "expires": ACCESS_TOKEN_EXPIRE_SECONDS,
- "refresh_expires": REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60,
+ "expires": OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS,
+ "refresh_expires": OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS,
 }
diff --git a/env.template b/env.template
index 01edc57a7..e26eb0f8b 100644
--- a/env.template
+++ b/env.template
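Review bot: The response dict rewritten in this hunk is duplicated verbatim in the password-grant branch at `@@ -223,15 +222,15 @@`, and the `expires_delta=` arguments are likewise duplicated at `@@ -147` and `@@ -214`, which is why one rename had to touch four places and is how `expires`/`refresh_expires` can silently drift from the `timedelta` actually used to sign the tokens. A single module-level helper, e.g. `def _token_response(access_token: str, refresh_token: str) -> dict:` returning the five-key dict with `OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS` and `OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS` filled in, called from both branches, would leave one place to keep the advertised lifetimes in step with the issued ones. The enclosing `token` function starts and ends outside these hunks.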
@@ -58,6 +58,8 @@ AUTHENTIK_BOOTSTRAP_PASSWORD=
 # Authentication
 ROMM_AUTH_SECRET_KEY=
+OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS=
+OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS=
 # Disable auth on download endpoint for 3rd party support
 DISABLE_DOWNLOAD_ENDPOINT_AUTH=
 # Disable CSRF protection for development and testing purposes
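Review bot: The two new entries carry no hint of their unit or of what an empty value means, unlike `ROMM_AUTH_SECRET_KEY` directly above, which the backend refuses to start without. Here an empty value appears to fall back to the defaults set in backend/config/__init__.py (30 * 60 and 7 * 24 * 60 * 60 seconds), though that depends on `safe_int`, which this diff does not show. A comment line above them would save an operator a trip to the source: `# OAuth token lifetimes in seconds; leave empty for the defaults (30 min access, 7 days refresh)`.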