Stop putting a time caveat on access tokens #1656
| @@ -810,6 +810,10 @@ def validate_macaroon(self, macaroon, type_string, verify_expiry, user_id): | ||
| else: | ||
| v.satisfy_general(lambda c: c.startswith("time < ")) |
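Review bot: in the `else:` branch, `v.satisfy_general(lambda c: c.startswith("time < "))` accepts any caveat with that prefix without parsing or comparing the value, so on this path a token whose `time < ` caveat has already passed still verifies. Add a comment at that line saying the prefix match is deliberate and how it relates to the `verify_expiry` parameter in the `validate_macaroon` signature, so it is not mistaken for expiry enforcement.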
NegativeMjark
Nov 29, 2016
Contributor
Might as well remove the verify_expiry config option while you are at it.
NegativeMjark
Nov 29, 2016
Contributor
and put a comment explaining why we aren't ever going to check the "time < " caveats.
NegativeMjark
Nov 29, 2016
Contributor
But leave the v.satisfy_general(lambda c: c.startswith("time < ")) so that existing tokens will still work.
NegativeMjark
Nov 29, 2016
Contributor
Except you can't remove the verify_expiry option because it's used in validate_short_term_login_token_and_get_user_id
NegativeMjark
Nov 29, 2016
Contributor
But you probably want to add a comment to explain what's going on.
richvdh
assigned
NegativeMjark
Nov 30, 2016
LGTM

test fails seem unrelated.
richvdh commented Nov 28, 2016
The 'time' caveat on the access tokens was something of a lie, since we weren't
enforcing it; more pertinently its presence stops us ever adding useful time
caveats.
Let's move in the right direction by not lying in our caveats.
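
The difference between satisfying a `time < ` caveat by prefix, as the lambda in the hunk does, and actually enforcing it, shown as an added example that is not part of this pull request or the project's code. A simplified HMAC-chained token stands in for a real macaroon library; the key, identifier, caveat strings and millisecond timestamps are all constructed assumptions.

```python
import hashlib
import hmac

ROOT_KEY = b"constructed-demo-key"           # constructed, not a real secret
EXACT = ["type = access", "user_id = @alice:example.org"]  # constructed caveats
NOW_MS = 1_480_000_000_000                    # assumed clock, milliseconds


def _chain(sig, data):
    # Fold the identifier and each caveat into the signature with HMAC-SHA256.
    return hmac.new(sig, data.encode(), hashlib.sha256).digest()


def mint(root_key, identifier, caveats):
    sig = _chain(root_key, identifier)
    for caveat in caveats:
        sig = _chain(sig, caveat)
    return {"identifier": identifier, "caveats": list(caveats), "signature": sig}


def time_prefix_only(caveat, now_ms):
    # Same predicate as the lambda in the hunk: the value is never inspected.
    return caveat.startswith("time < ")


def time_enforced(caveat, now_ms):
    # Parse the expiry and compare it; a malformed value fails closed.
    if not caveat.startswith("time < "):
        return False
    try:
        return now_ms < int(caveat[len("time < "):])
    except ValueError:
        return False


def verify(token, root_key, exact, time_check, now_ms):
    sig = _chain(root_key, token["identifier"])
    for caveat in token["caveats"]:
        sig = _chain(sig, caveat)
        # Every caveat must be satisfied, either exactly or by the time check.
        if caveat not in exact and not time_check(caveat, now_ms):
            return False
    return hmac.compare_digest(sig, token["signature"])


def demo():
    expired = mint(ROOT_KEY, "constructed-id", EXACT + ["time < 1479000000000"])
    return (verify(expired, ROOT_KEY, EXACT, time_prefix_only, NOW_MS),
            verify(expired, ROOT_KEY, EXACT, time_enforced, NOW_MS))
```

`demo()` returns `(True, False)`: the same expired token verifies under the prefix predicate and is rejected once the value is compared.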