wholetrans/docs-matrix-spec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

/tokenrefresh should expire the access token

Browse source 
It's possible for clients to call /tokenrefresh before the access_token has
expired, potentially leading to a proliferation of valid access_tokens.
This commit is contained in:
Richard van der Hoff 2016-07-19 09:17:14 +01:00
parent 66bfd0462b
commit ec20f15407
3 changed files with 12 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

10
api/client-server/login.yaml
View file

@ -90,9 +90,8 @@ paths:
refresh for a new token on failure, and retry the request with the new token. refresh for a new token on failure, and retry the request with the new token.
refresh_token: refresh_token:
type: string type: string
# TODO: Work out how to linkify /tokenrefresh
description: |- description: |-
(optional) A ``refresh_token`` may be exchanged for a new ``access_token`` using the /tokenrefresh API endpoint. Optional. A ``refresh_token`` may be exchanged for a new ``access_token`` using the |/tokenrefresh|_ API endpoint.
home_server: home_server:
type: string type: string
description: The hostname of the homeserver on which the account has been registered. description: The hostname of the homeserver on which the account has been registered.
@ -123,6 +122,11 @@ paths:
description: |- description: |-
Exchanges a refresh token for a new access token. Exchanges a refresh token for a new access token.
This is intended to be used if the access token has expired. This is intended to be used if the access token has expired.
The server MUST invalidate the supplied ``refresh_token`` if the
request is successful. It MUST also invalidate the ``access_token``
which was issued at the same time as the ``refresh_token``, if it
has not already expired.
security: security:
- accessToken: [] - accessToken: []
parameters: parameters:
@ -163,7 +167,7 @@ paths:
The access token may expire at some point, and if so, it SHOULD come with a ``refresh_token``. The access token may expire at some point, and if so, it SHOULD come with a ``refresh_token``.
refresh_token: refresh_token:
type: string type: string
description: (optional) A ``refresh_token`` may be exchanged for a new ``access_token`` using the TODO Linkify /tokenrefresh API endpoint. description: Optional. A new ``refresh_token`` which may be exchanged for another new ``access_token``.
403: 403:
description: |- description: |-
The exchange attempt failed. For example, the refresh token may have already been used. The exchange attempt failed. For example, the refresh token may have already been used.

2
changelogs/client_server.rst
View file

@ -5,6 +5,8 @@
- Spell out the way that state is handled by ``POST /createRoom`` - Spell out the way that state is handled by ``POST /createRoom``
(`#362 <https://github.com/matrix-org/matrix-doc/pull/362>`_). (`#362 <https://github.com/matrix-org/matrix-doc/pull/362>`_).
- Emphasise that ``POST /tokenrefresh`` should expire the access token
(`#363 <https://github.com/matrix-org/matrix-doc/pull/363>`_).
r0.2.0 r0.2.0
====== ======

3
specification/client_server_api.rst
View file

@ -1191,6 +1191,9 @@ have to wait in milliseconds before they can try again.
.. |/initialSync| replace:: ``/initialSync`` .. |/initialSync| replace:: ``/initialSync``
.. _/initialSync: #get-matrix-client-%CLIENT_MAJOR_VERSION%-initialsync .. _/initialSync: #get-matrix-client-%CLIENT_MAJOR_VERSION%-initialsync
.. |/tokenrefresh| replace:: ``/tokenrefresh``
.. _/tokenrefresh: #post-matrix-client-%CLIENT_MAJOR_VERSION%-tokenrefresh
.. |/sync| replace:: ``/sync`` .. |/sync| replace:: ``/sync``
.. _/sync: #get-matrix-client-%CLIENT_MAJOR_VERSION%-sync .. _/sync: #get-matrix-client-%CLIENT_MAJOR_VERSION%-sync