Adds OneTimeTokenSettings #16260

Closed
wants to merge 2 commits into from

@R4N R4N commented Dec 11, 2024

Provided to OneTimeTokenService constructors to customize expire time when generating OneTimeToken

We've started implementing OneTimeTokenLogin after its recent inclusion in Spring Security and appreciate this great feature addition.

During testing, the default expiration time (5 minutes) seems to be sufficient. As we move towards production usage we've started considering more scenarios which we think may warrant increasing it: delayed mail delivery, user doesn't check the email right away, etc. Because of this, we're planning on increasing the expiration time slightly (to 10 or 15 minutes).

We've switched over to using JdbcOneTimeTokenService for production, but when looking for a spot to modify the expiration time, we saw that there wasn't an option present to do so.

After consulting the documentation, there is mention of modifying the one-time token expire time by creating a Custom OneTimeTokenService.

A full custom implementation to only override the expire time is potentially risky as it requires implementing/duplicating the majority of the logic (in JdbcOneTimeTokenService) which doesn't need to change in order to fulfill this type of behavior.

This PR includes:

  • A new class: OneTimeTokenSettings which has a property for the OneTimeToken timeToLive Duration
  • Overloaded Constructors for InMemoryOneTimeTokenService and JdbcOneTimeTokenService which take OneTimeTokenSettings as a parameter to set as a private field. If OneTimeTokenSettings isn't provided to the constructors, the default one is used (5 minutes timeToLive)
  • Both classes' generate implementations now use the OneTimeTokenSettings timeToLive Duration value when establishing the expire time
  • Tests in InMemoryOneTimeTokenServiceTests + JdbcOneTimeTokenServiceTests using oneTimeTokenServices with non-default OneTimeTokenSettings to confirm generation, consumption, expiration of OneTimeTokens with custom expirations based on OneTimeTokenSettings

Submitted on behalf of Zetetic, LLC
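
A sketch of the design described in the PR above, added here as an illustration; it is neither the PR's code nor Spring Security's API. All class names are hypothetical, and the `Supplier<Instant>` clock is an assumption made so that expiry can be demonstrated without waiting.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

// Hypothetical names throughout; this does not use or mirror Spring Security classes.
public class TtlTokenSketch {
    record Settings(Duration timeToLive) {
        static final Settings DEFAULT = new Settings(Duration.ofMinutes(5)); // default stated in the PR
        Settings {
            // Reject zero/negative TTLs so a misconfiguration fails at startup, not at login time.
            if (timeToLive == null || timeToLive.isZero() || timeToLive.isNegative())
                throw new IllegalArgumentException("timeToLive must be positive");
        }
    }
    record Token(String value, String username, Instant expiresAt) {}

    static final class Service {
        private final Map<String, Token> tokens = new ConcurrentHashMap<>();
        private final Settings settings;
        private final Supplier<Instant> clock; // assumption: injectable time source
        Service(Settings settings, Supplier<Instant> clock) { this.settings = settings; this.clock = clock; }

        Token generate(String username) {
            // Expiry is fixed at generation time from the configured TTL.
            Token t = new Token(UUID.randomUUID().toString(), username,
                    clock.get().plus(settings.timeToLive()));
            tokens.put(t.value(), t);
            return t;
        }

        // Single use: the token is removed on the first attempt, whether or not it has expired.
        Token consume(String value) {
            Token t = tokens.remove(value);
            return (t == null || !clock.get().isBefore(t.expiresAt())) ? null : t;
        }
    }

    public static void main(String[] args) {
        Instant[] now = { Instant.parse("2024-12-11T12:00:00Z") }; // constructed sample time
        Service dflt = new Service(Settings.DEFAULT, () -> now[0]);
        Service longer = new Service(new Settings(Duration.ofMinutes(15)), () -> now[0]);
        String a = dflt.generate("alice").value();
        String b = longer.generate("alice").value();
        now[0] = now[0].plus(Duration.ofMinutes(7)); // e.g. delayed mail delivery
        System.out.println("5 min TTL, used after 7 min:  " + (dflt.consume(a) != null));
        System.out.println("15 min TTL, used after 7 min: " + (longer.consume(b) != null));
        System.out.println("second use of the same token: " + (longer.consume(b) != null));
    }
}
```

A longer TTL widens the window in which an intercepted link is usable, so the single-use removal in `consume` matters more as the configured duration grows.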

Provided to OneTimeTokenService constructors to customize expire
time when generating OneTimeToken
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 11, 2024
@franticticktick
Contributor

@R4N thanks for the suggestion. This is probably not something we would like to add to the framework now. At the same time, we need to think about more flexible possibilities for customizing the API of the oneTimeTokenLogin components. Could you close this PR and open a separate ticket? We will be able to discuss this task with community members and maintainers.

@R4N
Author

R4N commented Dec 16, 2024

Will do, closed in favor of this ticket with a few different implementation ideas for discussion: #16291

@R4N R4N closed this Dec 16, 2024