From 14450dc45ffb0af4d4e45052d6ed70d0c71b94d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toma=C5=BE=20Jerman?=
Date: Wed, 17 Nov 2021 12:52:15 +0100
Subject: [PATCH] Add support for setting oauth token TTL
---
 auth/oauth2/oauth2.go | 9 ++++++++-
 pkg/options/auth.gen.go | 4 ++++
 pkg/options/auth.yaml | 12 ++++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/auth/oauth2/oauth2.go b/auth/oauth2/oauth2.go
index d443cd399..67d07eb95 100644
--- a/auth/oauth2/oauth2.go
+++ b/auth/oauth2/oauth2.go
@@ -19,7 +19,14 @@ const (
 func NewManager(opt options.AuthOpt, log *zap.Logger, cs oauth2.ClientStore, ts oauth2.TokenStore) *manage.Manager {
 manager := manage.NewDefaultManager()
- manager.SetAuthorizeCodeTokenCfg(manage.DefaultAuthorizeCodeTokenCfg)
+
+ // Here we are cloning the internal package variable as I do not think
+ // it is sane to overwrite it directly.
+ cfg := *manage.DefaultAuthorizeCodeTokenCfg
+ cfg.AccessTokenExp = opt.AccessTokenLifetime
+ cfg.RefreshTokenExp = opt.RefreshTokenLifetime
+
+ manager.SetAuthorizeCodeTokenCfg(&cfg)
 // token store
 manager.MapTokenStorage(ts)
diff --git a/pkg/options/auth.gen.go b/pkg/options/auth.gen.go
index 221bdc5e1..515746709 100644
--- a/pkg/options/auth.gen.go
+++ b/pkg/options/auth.gen.go
@@ -16,6 +16,8 @@ type (
 AuthOpt struct {
 LogEnabled bool `env:"AUTH_LOG_ENABLED"`
 Secret string `env:"AUTH_JWT_SECRET"`
+ AccessTokenLifetime time.Duration `env:"AUTH_OAUTH2_ACCESS_TOKEN_LIFETIME"`
+ RefreshTokenLifetime time.Duration `env:"AUTH_OAUTH2_REFRESH_TOKEN_LIFETIME"`
 Expiry time.Duration `env:"AUTH_JWT_EXPIRY"`
 ExternalRedirectURL string `env:"AUTH_EXTERNAL_REDIRECT_URL"`
 ExternalCookieSecret string `env:"AUTH_EXTERNAL_COOKIE_SECRET"`
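Review bot: In NewManager (auth/oauth2/oauth2.go), `cfg.AccessTokenExp` and `cfg.RefreshTokenExp` are assigned straight from `opt` with no bounds check, so a zero, negative or mistyped value in AUTH_OAUTH2_ACCESS_TOKEN_LIFETIME or AUTH_OAUTH2_REFRESH_TOKEN_LIFETIME reaches the token manager unchanged. How the oauth2 library treats a zero or negative expiry is not visible in this hunk; if zero is read as "no expiry" for refresh tokens, a misconfiguration would silently produce long-lived credentials. I would keep the library default unless the option is positive, e.g. `if opt.AccessTokenLifetime > 0 { cfg.AccessTokenExp = opt.AccessTokenLifetime }` and the same guard for the refresh value, and log a warning through `log` when the refresh lifetime is shorter than the access lifetime. Only the authorization-code grant config is overridden here, so other grant types presumably keep the library defaults; NewManager continues past the end of the hunk, so that may be handled further down.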
@@ -43,6 +45,8 @@ type (
 func Auth() (o *AuthOpt) {
 o = &AuthOpt{
 Secret: getSecretFromEnv("jwt secret"),
+ AccessTokenLifetime: time.Hour * 2,
+ RefreshTokenLifetime: time.Hour * 24 * 3,
 Expiry: time.Hour * 24 * 30,
 ExternalRedirectURL: fullURL("/auth/external/{provider}/callback"),
 ExternalCookieSecret: getSecretFromEnv("external cookie secret"),
diff --git a/pkg/options/auth.yaml b/pkg/options/auth.yaml
index 87829f1fd..875845bae 100644
--- a/pkg/options/auth.yaml
+++ b/pkg/options/auth.yaml
@@ -22,6 +22,18 @@ props:
 Generated secret will change if you change any of these variables.
 ====
+ - name: accessTokenLifetime
+ type: time.Duration
+ env: AUTH_OAUTH2_ACCESS_TOKEN_LIFETIME
+ default: time.Hour * 2
+ description: Access token lifetime
+
+ - name: refreshTokenLifetime
+ type: time.Duration
+ env: AUTH_OAUTH2_REFRESH_TOKEN_LIFETIME
+ default: time.Hour * 24 * 3
+ description: Refresh token lifetime
+
 - name: expiry
 type: time.Duration
 env: AUTH_JWT_EXPIRY
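Review bot: The two new `description` values in pkg/options/auth.yaml ("Access token lifetime", "Refresh token lifetime") give an operator neither the expected value format nor the security trade-off of changing it. I would expand them to state that the value is a duration (presumably Go duration syntax; confirm against the env parser), that it applies to OAuth2 tokens issued by the auth server, and that a longer lifetime lengthens the window in which a leaked token stays usable, for example `description: Lifetime of issued OAuth2 access tokens; keep it short, a leaked token stays valid until it expires.` The refresh entry should also say that its value is expected to be longer than the access token lifetime.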