Access token invalidation should be disabled by default in 2.x #3068
As described in #3048, adding automatic access token invalidation to 2.x is viewed as a breaking change by some of our users.

We should add a new feature flag (model-level setting?) to 2.x to control whether access tokens are invalidated or not. When this flag is not set, a warning should be printed to notify users about a potential security vulnerability.

In 3.0, we should throw an exception when this flag is set to false, so that users upgrading from 2.x to 3.0 are forced to upgrade their code to support our automatic token invalidation.

Tasks

Invalidate all existing sessions (delete all access tokens) after the user's password was changed.

Comments

Is a documentation update included in the above tasks? It's the first place I went to look when it broke.

Good point! What page would you recommend changing? Would you mind contributing this change yourself? In my experience, documentation contributed by users tends to be the best one, because users know best what and where they were looking for in the docs.

Actually, let's keep the documentation as part of the follow-up story #3112.