vaultwarden/src/db
Mathijs van Veluw 235cf88231
Fix 2FA Remember to actually be 30 days (#6929)
Currently we always regenerate the 2FA Remember token, and always send that back to the client.
This is not the correct way, and in turn causes the remember token to never expire.

While this might be convenient, it is not really safe.
This commit changes the 2FA Remember Tokens from a random string to a JWT.
This JWT has a lifetime of 30 days and is validated per device & user combination.

This does mean that once this commit is merged, and users are using this version, all their remember tokens will be invalidated.
From my point of view this isn't a bad thing, since those tokens should have expired already.

Only users who recently checked the remember checkbox within 30 days have to log in again, but that is a minor inconvenience I think.

Signed-off-by: BlackDex <black.dex@gmail.com>
2026-03-23 23:12:07 +01:00
..
models Fix 2FA Remember to actually be 30 days (#6929) 2026-03-23 23:12:07 +01:00
mod.rs Improve sso auth flow (#6205) 2025-12-06 22:20:04 +01:00
query_logger.rs Use Diesels MultiConnections Derive (#6279) 2025-10-29 21:04:30 +01:00
schema.rs Improve sso auth flow (#6205) 2025-12-06 22:20:04 +01:00