Set default `OauthAccessToken#expires_in`
What does this MR do and why?
- Part 1 of 3 for ensuring all existing OauthAccessTokens have an expiration
- Part 2 will be to re-run a batched background migration that sets `expires_in` for all existing tokens. Similar to !86379 (merged)
- The reason we need to set this default is that the Doorkeeper refresh token flow uses the `expires_in` value of the refresh token when creating a new token.
- This presents a risk for the batch background migration: the migration works through the batch using a `batch_max_value`, which is the `id` of the newest oauth_access_token at the time when the migration starts.
- While the migration is running, it is possible that oauth_access_tokens with `expires_in: nil` are refreshed, which would result in new tokens with `expires_in: nil` that have `id`s that are greater than `batch_max_value`. As a result, these new tokens would be left out of the migration and would remain in the database with `expires_in: nil`
- This change ensures that any new tokens being created via the refresh flow have an `expires_in` value
How to set up and validate locally
- Create an OauthAccessToken with `expires_in: nil`:

  ```ruby
  access_token = FactoryBot.create(:oauth_access_token, expires_in: nil)
  ```

- Refresh the access token

  ```ruby
  app = OauthAccessToken.last.application
  # Form-encoded body for the refresh_token grant
  parameters = "client_id=#{app.uid}&client_secret=#{app.secret}&refresh_token=#{OauthAccessToken.last.refresh_token}&grant_type=refresh_token&redirect_uri=#{app.redirect_uri}"
  RestClient.post 'http://localhost:3000/oauth/token', parameters
  ```

- Confirm that the newly-created token has an expires_in value of 7200 (2 hours in seconds)

  ```ruby
  OauthAccessToken.last
  ```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Drew Blessing
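The race between the backfill and the refresh flow described above, modelled in memory as an added Ruby example; it is not code from this merge request, GitLab or Doorkeeper. `TokenStore`, `seed_legacy`, `backfill` and `leaked_ids` are hypothetical names, and applying the default when the refreshed token is created is an assumption about how the change behaves.

```ruby
# Constructed in-memory model of the race; not GitLab or Doorkeeper code.
DEFAULT_EXPIRES_IN = 7200 # seconds; the value the validation steps expect

Token = Struct.new(:id, :expires_in)

class TokenStore
  attr_reader :tokens

  def initialize(apply_default:)
    @apply_default = apply_default # assumption: default applied at creation
    @tokens = []
  end

  # Legacy row written before any default existed.
  def seed_legacy
    @tokens << Token.new(@tokens.size + 1, nil)
  end

  # Refresh flow as described above: the new token copies the old expires_in.
  def refresh(old)
    expires_in = old.expires_in
    expires_in ||= DEFAULT_EXPIRES_IN if @apply_default
    @tokens << Token.new(@tokens.size + 1, expires_in)
  end
end

# Backfill bounded by the newest id at start time. The block runs between
# batches and stands in for traffic arriving while the migration is running.
def backfill(store, batch_size: 2)
  batch_max_value = store.tokens.map(&:id).max
  (1..batch_max_value).each_slice(batch_size) do |ids|
    store.tokens.each { |t| t.expires_in ||= DEFAULT_EXPIRES_IN if ids.include?(t.id) }
    yield if block_given?
  end
end

# Returns ids of tokens still without an expiry after the backfill finishes.
def leaked_ids(apply_default:)
  store = TokenStore.new(apply_default: apply_default)
  4.times { store.seed_legacy }
  refreshed = false
  backfill(store) do
    store.refresh(store.tokens[3]) unless refreshed # id 4, not yet migrated
    refreshed = true
  end
  store.tokens.select { |t| t.expires_in.nil? }.map(&:id)
end

[false, true].each { |d| puts "default=#{d}: leaked ids #{leaked_ids(apply_default: d).inspect}" }
```

Without the default, the token created by the mid-migration refresh gets an `id` above `batch_max_value` and keeps `expires_in: nil`; with the default, no such token remains.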