From 7fff9c1bee009c7b05679ad8bd57de8bcf58e610 Mon Sep 17 00:00:00 2001
From: Ivan Tashkinov <ivantashkinov@gmail.com>
Date: Wed, 9 Dec 2020 21:14:39 +0300
Subject: [PATCH] Tweaks to OAuth entities expiration: changed default to 30
 days, removed hardcoded values usage, fixed OAuthView (expires_in).

---
 config/config.exs                                  |  2 +-
 config/description.exs                             |  2 +-
 lib/pleroma/mfa/token.ex                           |  2 +-
 lib/pleroma/web/o_auth/authorization.ex            |  4 +++-
 lib/pleroma/web/o_auth/o_auth_view.ex              |  4 +---
 lib/pleroma/web/o_auth/token.ex                    | 12 +++++++-----
 test/pleroma/web/o_auth/mfa_controller_test.exs    |  2 --
 test/pleroma/web/o_auth/o_auth_controller_test.exs |  3 ---
 8 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/config/config.exs b/config/config.exs
index f7455cf97..c7ac0d22c 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -648,7 +648,7 @@
   }
 
 config :pleroma, :oauth2,
-  token_expires_in: 600,
+  token_expires_in: 3600 * 24 * 30,
   issue_new_refresh_token: true,
   clean_expired_tokens: false
 
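Review bot: The new default `token_expires_in: 3600 * 24 * 30` widens the access-token validity window from 10 minutes to 30 days, and with `clean_expired_tokens: false` kept as-is, a leaked bearer token stays usable for up to a month and its row is never purged. Since `issue_new_refresh_token: true` already gives clients a refresh path, a shorter default (hours rather than days) would limit exposure without breaking long sessions; if 30 days is intentional, say so at the setting, e.g. `token_expires_in: 3600 * 24 * 30, # 30 days; a leaked access token stays valid until then`. Note that this key is also read by `Authorization.add_lifetime/1` elsewhere in this patch, so the value now bounds authorization codes as well.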
diff --git a/config/description.exs b/config/description.exs
index a663d8127..f4b8768da 100644
--- a/config/description.exs
+++ b/config/description.exs
@@ -2540,7 +2540,7 @@
         key: :token_expires_in,
         type: :integer,
         description: "The lifetime in seconds of the access token",
-        suggestions: [600]
+        suggestions: [2_592_000]
       },
       %{
         key: :issue_new_refresh_token,
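Review bot: The description `"The lifetime in seconds of the access token"` is now incomplete: in this same patch `Authorization.add_lifetime/1` calls `Token.lifespan/0`, which reads `[:oauth2, :token_expires_in]`, so the key also sets the authorization-code validity window. Either reword it, `description: "The lifetime in seconds of the access token (also used as the authorization code lifetime)"`, or, better, give the authorization code its own key so admins can keep it short while access tokens live longer.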
diff --git a/lib/pleroma/mfa/token.ex b/lib/pleroma/mfa/token.ex
index 82d3817cc..69b64c0e8 100644
--- a/lib/pleroma/mfa/token.ex
+++ b/lib/pleroma/mfa/token.ex
@@ -11,7 +11,7 @@ defmodule Pleroma.MFA.Token do
   alias Pleroma.User
   alias Pleroma.Web.OAuth.Authorization
 
-  @expires 3600 * 24 * 30
+  @expires 300
 
   @type t() :: %__MODULE__{}
 
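Review bot: `@expires 300` is an unexplained constant, and since the commit message says hardcoded values were removed, a later reader may take this leftover module attribute for an oversight rather than a deliberately short MFA challenge window. Shortening it from 30 days to 5 minutes is the right direction for a token that only bridges the MFA step; record the intent inline, e.g. `# MFA challenge tokens are deliberately short-lived (5 min) and independent of :oauth2 token_expires_in`. If this is meant to be operator-tunable it should get its own config key rather than reuse the OAuth one.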
diff --git a/lib/pleroma/web/o_auth/authorization.ex b/lib/pleroma/web/o_auth/authorization.ex
index 268ee5b63..e766dcada 100644
--- a/lib/pleroma/web/o_auth/authorization.ex
+++ b/lib/pleroma/web/o_auth/authorization.ex
@@ -9,6 +9,7 @@ defmodule Pleroma.Web.OAuth.Authorization do
   alias Pleroma.User
   alias Pleroma.Web.OAuth.App
   alias Pleroma.Web.OAuth.Authorization
+  alias Pleroma.Web.OAuth.Token
 
   import Ecto.Changeset
   import Ecto.Query
@@ -53,7 +54,8 @@ defp add_token(changeset) do
   end
 
   defp add_lifetime(changeset) do
-    put_change(changeset, :valid_until, NaiveDateTime.add(NaiveDateTime.utc_now(), 60 * 10))
+    lifespan = Token.lifespan()
+    put_change(changeset, :valid_until, NaiveDateTime.add(NaiveDateTime.utc_now(), lifespan))
   end
 
   @spec use_changeset(Authtorizatiton.t(), map()) :: Changeset.t()
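Review bot: `lifespan = Token.lifespan()` ties the authorization-code `valid_until` to `[:oauth2, :token_expires_in]`, which this patch defaults to 30 days, whereas the removed line bounded codes at `60 * 10`. Authorization codes travel through redirect URIs, browser history and referrer headers, and RFC 6749 §4.1.2 recommends a maximum lifetime of about 10 minutes, so a 30-day window is a security regression even if the code is presumably single-use (`use_changeset/2` below). Keep an independent short bound, `lifespan = Pleroma.Config.get([:oauth2, :authorization_expires_in], 600)`, or at minimum `lifespan = min(Token.lifespan(), 600)`. The misspelled `Authtorizatiton.t()` in the adjacent `@spec` predates this change but could be fixed in passing.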
diff --git a/lib/pleroma/web/o_auth/o_auth_view.ex b/lib/pleroma/web/o_auth/o_auth_view.ex
index f55247ebd..d22b2f7fe 100644
--- a/lib/pleroma/web/o_auth/o_auth_view.ex
+++ b/lib/pleroma/web/o_auth/o_auth_view.ex
@@ -13,7 +13,7 @@ def render("token.json", %{token: token} = opts) do
       token_type: "Bearer",
       access_token: token.token,
       refresh_token: token.refresh_token,
-      expires_in: expires_in(),
+      expires_in: NaiveDateTime.diff(token.valid_until, NaiveDateTime.utc_now()),
       scope: Enum.join(token.scopes, " "),
       created_at: Utils.format_created_at(token)
     }
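Review bot: `NaiveDateTime.diff(token.valid_until, NaiveDateTime.utc_now())` goes negative if the token being rendered is already past `valid_until`, and raises if `valid_until` is nil, whereas the removed `expires_in/0` always returned a positive constant; RFC 6749 defines `expires_in` as a non-negative remaining lifetime. A defensive form is `expires_in: max(NaiveDateTime.diff(token.valid_until, NaiveDateTime.utc_now()), 0)`. Second-level truncation also means a freshly minted token will usually report one second less than the configured lifespan, which is presumably why the tests drop their exact `600` match instead of asserting the new value. The enclosing `render("token.json", ...)` clause begins before this hunk.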
@@ -25,6 +25,4 @@ def render("token.json", %{token: token} = opts) do
       response
     end
   end
-
-  defp expires_in, do: Pleroma.Config.get([:oauth2, :token_expires_in], 600)
 end
diff --git a/lib/pleroma/web/o_auth/token.ex b/lib/pleroma/web/o_auth/token.ex
index 9170a7ec7..886117d15 100644
--- a/lib/pleroma/web/o_auth/token.ex
+++ b/lib/pleroma/web/o_auth/token.ex
@@ -27,6 +27,10 @@ defmodule Pleroma.Web.OAuth.Token do
     timestamps()
   end
 
+  def lifespan do
+    Pleroma.Config.get!([:oauth2, :token_expires_in])
+  end
+
   @doc "Gets token by unique access token"
   @spec get_by_token(String.t()) :: {:ok, t()} | {:error, :not_found}
   def get_by_token(token) do
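Review bot: `lifespan/0` becomes a public function (the Authorization module now calls it) but has no `@doc` or `@spec`, and switching from `Config.get(..., 600)` to `Pleroma.Config.get!` means a deployment missing the key now raises on the first token issuance instead of falling back to 10 minutes — a deliberate change that deserves a sentence. Suggest `@doc "Access token lifetime in seconds, read from config :oauth2, :token_expires_in; raises if the key is unset."` followed by `@spec lifespan() :: pos_integer()`. Nothing checks that the configured value is positive, so a zero or negative setting would presumably mint tokens that `is_expired?/1` already rejects; a guard such as `value when is_integer(value) and value > 0` in the match would surface the misconfiguration early.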
@@ -83,11 +87,11 @@ defp put_refresh_token(changeset, attrs) do
   end
 
   defp put_valid_until(changeset, attrs) do
-    expires_in =
-      Map.get(attrs, :valid_until, NaiveDateTime.add(NaiveDateTime.utc_now(), expires_in()))
+    valid_until =
+      Map.get(attrs, :valid_until, NaiveDateTime.add(NaiveDateTime.utc_now(), lifespan()))
 
     changeset
-    |> change(%{valid_until: expires_in})
+    |> change(%{valid_until: valid_until})
     |> validate_required([:valid_until])
   end
 
@@ -138,6 +142,4 @@ def is_expired?(%__MODULE__{valid_until: valid_until}) do
   end
 
   def is_expired?(_), do: false
-
-  defp expires_in, do: Pleroma.Config.get([:oauth2, :token_expires_in], 600)
 end
diff --git a/test/pleroma/web/o_auth/mfa_controller_test.exs b/test/pleroma/web/o_auth/mfa_controller_test.exs
index 3c341facd..6ecd0f6c9 100644
--- a/test/pleroma/web/o_auth/mfa_controller_test.exs
+++ b/test/pleroma/web/o_auth/mfa_controller_test.exs
@@ -171,7 +171,6 @@ test "returns access token with valid code", %{conn: conn, user: user, app: app}
       assert match?(
                %{
                  "access_token" => _,
-                 "expires_in" => 600,
                  "me" => ^ap_id,
                  "refresh_token" => _,
                  "scope" => "write",
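Review bot: Deleting `"expires_in" => 600` leaves the response's `expires_in` completely unasserted in this test, so a regression such as a missing key, a negative value or the wrong unit would now pass. Bind it in the match instead, `"expires_in" => expires_in,`, and check it against the configured lifetime with tolerance for the second-level truncation: `assert_in_delta expires_in, Pleroma.Web.OAuth.Token.lifespan(), 2`. The same applies to the second hunk in this file.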
@@ -280,7 +279,6 @@ test "returns access token with valid code", %{conn: conn, app: app} do
       assert match?(
                %{
                  "access_token" => _,
-                 "expires_in" => 600,
                  "me" => ^ap_id,
                  "refresh_token" => _,
                  "scope" => "write",
diff --git a/test/pleroma/web/o_auth/o_auth_controller_test.exs b/test/pleroma/web/o_auth/o_auth_controller_test.exs
index 3221af223..ac22856ea 100644
--- a/test/pleroma/web/o_auth/o_auth_controller_test.exs
+++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs
@@ -1105,7 +1105,6 @@ test "issues a new access token with keep fresh token" do
                %{
                  "scope" => "write",
                  "token_type" => "Bearer",
-                 "expires_in" => 600,
                  "access_token" => _,
                  "refresh_token" => _,
                  "me" => ^ap_id
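Review bot: Removing `"expires_in" => 600` without a replacement drops the only assertion on the lifetime of tokens issued through the refresh flow, which is exactly the path where a wrong `valid_until` would matter most for the tests titled "keep fresh token" and "new fresh token". Capture the field, `"expires_in" => expires_in,`, and assert `expires_in > 0 and expires_in <= Pleroma.Web.OAuth.Token.lifespan()` so the new time-based computation is still covered; the other two hunks in this file have the same gap.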
@@ -1145,7 +1144,6 @@ test "issues a new access token with new fresh token" do
                %{
                  "scope" => "write",
                  "token_type" => "Bearer",
-                 "expires_in" => 600,
                  "access_token" => _,
                  "refresh_token" => _,
                  "me" => ^ap_id
@@ -1228,7 +1226,6 @@ test "issues a new token if token expired" do
                %{
                  "scope" => "write",
                  "token_type" => "Bearer",
-                 "expires_in" => 600,
                  "access_token" => _,
                  "refresh_token" => _,
                  "me" => ^ap_id