Open hickford opened 1 year ago
@lunny In this case, wouldn't it make sense to delete all of the user's auth tokens?
What did you mean by auth tokens? Refresh tokens?
I think the refresh token should be deleted, but I think the question is when. Maybe
Feature Description
When refresh token invalidation is enabled and refresh token replay attack is detected, Gitea should invalidate all refresh tokens for the client following OAuth security best practice https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-23#section-4.14.2
Currently Gitea simply rejects the replayed refresh token and logs a message;
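As an added illustration of the behaviour the feature description asks for (this is example code written for this page, not Gitea's implementation, and the store, type and function names are assumed): an in-memory refresh-token store that rotates tokens per grant ("family") and, when an already-used token from a family is presented again, revokes every token in that family rather than only rejecting the replayed one.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Sentinel errors returned by Rotate. A caller (the token endpoint) would map
// both to an OAuth "invalid_grant" response; ErrReplayDetected is kept distinct
// so the event can be logged and alerted on separately.
var (
	ErrInvalidToken   = errors.New("invalid refresh token")
	ErrReplayDetected = errors.New("refresh token replay detected; grant revoked")
)

// tokenRecord is one issued refresh token. A token is single-use: once it has
// been exchanged it stays in the store flagged as used so a later presentation
// of it can be recognised as a replay instead of an unknown token.
type tokenRecord struct {
	family string // the grant this token belongs to
	used   bool
}

// RefreshTokenStore is a hypothetical store (not Gitea's) keyed by token value.
// Every token descends from one initial grant, which is its "family"; revoking
// a family invalidates all tokens ever issued under that authorization, as in
// draft-ietf-oauth-security-topics section 4.14.2.
type RefreshTokenStore struct {
	mu      sync.Mutex
	tokens  map[string]*tokenRecord
	revoked map[string]bool // family id -> revoked
}

func NewRefreshTokenStore() *RefreshTokenStore {
	return &RefreshTokenStore{
		tokens:  make(map[string]*tokenRecord),
		revoked: make(map[string]bool),
	}
}

// randomToken returns 128 bits of CSPRNG output, hex encoded.
func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // rand.Read failing means the system RNG is broken
	}
	return hex.EncodeToString(b)
}

// Issue starts a new family (a fresh authorization) and returns its first
// refresh token; the family id is the first token's value.
func (s *RefreshTokenStore) Issue() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	t := randomToken()
	s.tokens[t] = &tokenRecord{family: t}
	return t
}

// Rotate exchanges a refresh token for a new one in the same family.
// Unknown tokens and tokens of revoked families fail with ErrInvalidToken.
// A token that has already been exchanged is a replay: the whole family is
// revoked and ErrReplayDetected is returned.
func (s *RefreshTokenStore) Rotate(old string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[old]
	if !ok || s.revoked[rec.family] {
		return "", ErrInvalidToken
	}
	if rec.used {
		// Either the legitimate client or an attacker holds a stale copy;
		// neither can be trusted any more, so every token of the grant dies.
		s.revoked[rec.family] = true
		return "", ErrReplayDetected
	}
	rec.used = true
	next := randomToken()
	s.tokens[next] = &tokenRecord{family: rec.family}
	return next, nil
}

// FamilyRevoked reports whether the grant a token belongs to has been revoked.
func (s *RefreshTokenStore) FamilyRevoked(token string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[token]
	return ok && s.revoked[rec.family]
}

func main() {
	s := NewRefreshTokenStore()
	t1 := s.Issue()
	t2, _ := s.Rotate(t1)          // normal rotation: t1 is now used, t2 live
	_, err := s.Rotate(t1)         // t1 presented again: replay
	fmt.Println("replay:", err)    // replay: refresh token replay detected; grant revoked
	_, err = s.Rotate(t2)          // the still-unused t2 is rejected as well
	fmt.Println("latest:", err)    // latest: invalid refresh token
}
```

The contrast with the current behaviour described above is the last step: after the replay, the latest token `t2`, which was never itself replayed, is rejected too, because the store can no longer tell which party holds the legitimate copy.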