Feat: Configure refresh token expiry #4525
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
3 Ignored Deployments
|
|
@thejwuscript is attempting to deploy a commit to the Medplum Team on Vercel. A member of the Team first needs to authorize it. |
| "min" : 0, | ||
| "max" : "1", | ||
| "type" : [{ | ||
| "code" : "date" |
There was a problem hiding this comment.
for our use case we'd like to specify a value here which is relative to the current time, not a fixed date parameter.
the expiration value is passed to the jose npm package, which treats number and Date values as the fixed expiration time in the claim (reference here), however string values are converted to a time span relative to the current time (reference here) - which matches the existing behaviour with the 2w default.
i think ideally this property would be a string which could either support the full range of jose formats, or perhaps a subset of this (to allow for easier validation in the medplum middleware)
There was a problem hiding this comment.
Yes I think if we can change the name of this field to refreshTokenLifetime and make it an expiry duration as a string (eg. '2w', '1h', etc.) that maps to jose formats as @josh- pointed out, that would be ideal 👍
There was a problem hiding this comment.
@thejwuscript - just wanted to make sure you saw the above comment from @ThatOneBro . This is our main feedback on the PR
There was a problem hiding this comment.
Yes, thanks very much for the feedback. I'll be making the changes.
There was a problem hiding this comment.
@thejwuscript do you know when you'll be able to make those changes? let me know if I can help. eager to be able to use this.
There was a problem hiding this comment.
@josh- I'll try get it done by Monday.
There was a problem hiding this comment.
Looks good for the most part! Consulting with @mattwiller about where the validation should occur. Once we figure that out we should be good to go! Thanks again for your help @thejwuscript! 😄
packages/server/src/fhir/routes.ts
Outdated
| @@ -117,6 +118,9 @@ protectedRoutes.use('/bulkdata', bulkDataRouter); | |||
| // Async Job | |||
| protectedRoutes.use('/job', jobRouter); | |||
|
|
|||
| // Validate data before updating ClientApplication | |||
| protectedRoutes.put('/ClientApplication/:id', saveClientValidator); | |||
There was a problem hiding this comment.
I'm thinking this probably should not be directly in an express route, should probably be done at the FhirRouter level potentially? What do you think, @mattwiller?
I know we have talked about doing something like this across the board long term (having specific validation on a per resource basis, maybe via some "prewrite" pass)
That's definitely out of scope for this PR but would be nice to move in a more uniform direction
There was a problem hiding this comment.
I would actually propose moving this validation into the field definition itself, using a FHIRPath condition like this:
{
"id" : "ClientApplication.refreshTokenLifetime",
"path" : "ClientApplication.refreshTokenLifetime",
"definition" : "Optional configuration to set the refresh token duration",
"min" : 0,
"max" : "1",
"type" : [{
"code" : "string"
}],
"constraint" : [{
"key" : "clapp-1",
"severity" : "error",
"human" : "Token lifetime must be a valid string representing time duration (eg. 2w, 1h)",
"expression" : "$this.matches('^[0-9]+[smhdwy]$')"
}],
"base": {
"path" : "ClientApplication.refreshTokenLifetime",
"min" : 0,
"max" : "1"
}
}That way, this validation gets performed at the Repository level, any time the resource is updated anywhere in the system.
There was a problem hiding this comment.
Yeah I actually agree, this is probably the right way to do it
ThatOneBro
force-pushed
the
config-refresh-token
branch
from
a22c9f7
to
65b5f32
Compare
|
Okay I pushed a tweak applying @mattwiller's suggestion and some tests for some specific cases, after someone else approves we can push this through. Thank you @thejwuscript for taking this issue 🙏 |
## What's Changed fix(ci): fix `\n` missing due to reversal, use `git log --reverse` (#4649) Allow chained search in _filter (#4647) Polish eligibility demo (#4637) cleanup(core): remove stray `console.log` (#4653) Update sidebar.ts (#4652) Feat: Configure refresh token expiry (#4525) Dependency upgrades 2024-06-10 (#4650) cleanup(chart-demo): rm ignored `example-bots.json` (#4656) Adding instructions to the example app READMEs on how to build bots (#4660) Update useSearch.ts (#4663) Export QuestionnaireFormContext and QuestionnairePageSequence from QuestionnaireForm (#4664) Add `expo-polyfills` to README packages list (#4666) revert(react): remove export of `QuestionnairePageSequence` (#4669) Fix wrong pipe character in README (#4671) Document Terminology Service operation endpoints (#4665) Dependency upgrades 2024-06-17 (#4673) Gracefully handle no major dep upgrades (#4675) SQL on FHIR ViewDefinition types (#4674) fix(build) Update deprecated import assertion into import attribute (#4682) Fixes #4398 - add mapByIdentifier util function (#4635) Fixes #4600 - Add Auto Confirmation Parameter for Headless Deployment (#4625) fix(react-hooks): make `loading` track `MedplumClient#isLoading()` (#4677) Implements FHIRPath string join (stu) (#4683) SQL-on-FHIR processResource (#4678) feat(useSubscription): add `subscriptionProps` as optional param (#4180) Resolve conditional references (#4633) feat(subscriptions): add `unbind-from-token` message for WebSocket subscriptions (#4672) Document remaining Terminology Service operations (#4680) feat(agent): add `keepAlive` setting to `Agent` (#4657) Update README.md (#4687) Fix all copyright dates (#4689) Fixes subject input on PlanDefinitionApplyForm (#4699) Deprecate non-strict mode (#4651) Validate certain references with systemRepo (#4700) docs(useSubscription): clean up examples, add JSDoc comment (#4692) cleanup(repo): `handleMaybeCacheOnly` -> `handleStorage` (#4696) Minor fixes to Eligibility Demo (#4703) **Full Changelog**: v3.1.8...v3.1.9
## What's Changed fix(ci): fix `\n` missing due to reversal, use `git log --reverse` (#4649) Allow chained search in _filter (#4647) Polish eligibility demo (#4637) cleanup(core): remove stray `console.log` (#4653) Update sidebar.ts (#4652) Feat: Configure refresh token expiry (#4525) Dependency upgrades 2024-06-10 (#4650) cleanup(chart-demo): rm ignored `example-bots.json` (#4656) Adding instructions to the example app READMEs on how to build bots (#4660) Update useSearch.ts (#4663) Export QuestionnaireFormContext and QuestionnairePageSequence from QuestionnaireForm (#4664) Add `expo-polyfills` to README packages list (#4666) revert(react): remove export of `QuestionnairePageSequence` (#4669) Fix wrong pipe character in README (#4671) Document Terminology Service operation endpoints (#4665) Dependency upgrades 2024-06-17 (#4673) Gracefully handle no major dep upgrades (#4675) SQL on FHIR ViewDefinition types (#4674) fix(build) Update deprecated import assertion into import attribute (#4682) Fixes #4398 - add mapByIdentifier util function (#4635) Fixes #4600 - Add Auto Confirmation Parameter for Headless Deployment (#4625) fix(react-hooks): make `loading` track `MedplumClient#isLoading()` (#4677) Implements FHIRPath string join (stu) (#4683) SQL-on-FHIR processResource (#4678) feat(useSubscription): add `subscriptionProps` as optional param (#4180) Resolve conditional references (#4633) feat(subscriptions): add `unbind-from-token` message for WebSocket subscriptions (#4672) Document remaining Terminology Service operations (#4680) feat(agent): add `keepAlive` setting to `Agent` (#4657) Update README.md (#4687) Fix all copyright dates (#4689) Fixes subject input on PlanDefinitionApplyForm (#4699) Deprecate non-strict mode (#4651) Validate certain references with systemRepo (#4700) docs(useSubscription): clean up examples, add JSDoc comment (#4692) cleanup(repo): `handleMaybeCacheOnly` -> `handleStorage` (#4696) Minor fixes to Eligibility Demo (#4703) **Full Changelog**: v3.1.8...v3.1.9
Related to issue #4409
This PR allows project admins to optionally configure the expiry of a refresh token for a
ClientApplication.A
refreshTokenExpiryfield is added to theClientApplicationresource. The field is optional to allow backward compatibility. The value is used to generate theexpclaim on a refresh token.UI changes to the Medplum App is not addressed in this PR; it can be included here if necessary, or be made on a separate PR.