Log out when access token expires?
Mitra uses access tokens with an expiration time and when a token expires, protected API endpoints start returning 401 Unauthorized. When that happens, Husky stops refreshing timelines but doesn't show any errors, according to reports from the users.
I don't know how other servers handle token expiry, apart from Mastodon which just generates tokens without an expiration date (issue: https://github.com/mastodon/mastodon/issues/26838). If any of them support refresh tokens, or something like that, I could copy their approach.
Is it possible to force the token expiration to a minute or so? If I have to wait a week to test this, it's going to be forever...
It's possible, but will affect other users on the instance.
I think an API method for refreshing tokens could be added. Do you know any fedi software implementing this?
Pleroma already has this method:
https://docs-develop.pleroma.social/backend/development/API/differences_in_mastoapi_responses/#refreshing-a-token
I don't know about Mastodon. Is this possible to add to Mitra?
Yes, I can add it, but there is not enough information in the Pleroma docs. For example, how is refresh_token supposed to be obtained?
I found this issue: https://git.pleroma.social/pleroma/pleroma/-/issues/1721 Maybe this feature has never been finished.
> For example, how is refresh_token supposed to be obtained?
Refresh tokens are obtained together with the access token when creating the latter, aligning with OAuth spec sections 4.3.3 and 5.1 (note there’s a confusingly worded ”MUST NOT issue refresh token” statement about access token responses in 4.2.2, but presumably this only forbids returning a refresh token as the access_token parameter). Here’s the relevant token response format code:
```elixir
# Token response in the shape of RFC 6749 section 5.1; `response` is the map
# that the `if` below returns (optionally extended with the user's `me` URI).
response = %{
  id: token.id,
  token_type: "Bearer",
  access_token: token.token,
  refresh_token: token.refresh_token,
  # remaining lifetime in seconds, computed on the server at response time
  expires_in: NaiveDateTime.diff(token.valid_until, NaiveDateTime.utc_now()),
  scope: Enum.join(token.scopes, " "),
  created_at: Utils.format_created_at(token)
}

if user = opts[:user] do
  response
  |> Map.put(:me, user.ap_id)
else
  response
end
```
expires_in is given in seconds.
(side note: I dislike the expires_in key since it's prone to mismatches from delays between calculating the offset on the server and calculating the expiry time in the client after receiving it. ~~I have no idea why Pleroma decided to use this instead of expires_at, but~~ Apparently this comes from the OAuth spec and now unfortunately it’s part of the API and would require changes in all clients to avoid.)
How does Mitra signal the token expiry date?
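Client-side handling of the token response above, as an added example that is not part of this thread or of Husky/Mitra/Pleroma code: it pins `expires_in` to the client's clock at receipt time with a safety margin (so the server/client delay only makes the client refresh early), refreshes proactively when the deadline nears, and falls back to a refresh-and-retry on 401. The `request` and `refresh` callables are assumed stand-ins for the HTTP call and for `POST /oauth/token` with `grant_type=refresh_token` (RFC 6749 section 6); the token values are constructed placeholders.

```python
import json
from typing import Callable, Optional, Tuple

REFRESH_MARGIN_SECONDS = 60  # refresh this long before the server-side deadline

# Constructed sample matching the Pleroma token response above (placeholder values).
SAMPLE_TOKEN_JSON = json.dumps({
    "token_type": "Bearer",
    "access_token": "access-token-placeholder",
    "refresh_token": "refresh-token-placeholder",
    "expires_in": 3600,
    "scope": "read write",
})


class StoredToken:
    """Holds a token plus an absolute expiry computed on the client's own clock."""

    def __init__(self, raw_json: str, received_at: float):
        data = json.loads(raw_json)
        self.access_token: str = data["access_token"]
        self.refresh_token: Optional[str] = data.get("refresh_token")
        expires_in = data.get("expires_in")  # relative seconds; absent on Mastodon
        # Pin the deadline to the moment the response arrived, minus a margin, so
        # network delay between server and client can only make us refresh early.
        self.expires_at: Optional[float] = (
            None if expires_in is None
            else received_at + int(expires_in) - REFRESH_MARGIN_SECONDS
        )

    def needs_refresh(self, now: float) -> bool:
        return self.expires_at is not None and now >= self.expires_at


def call_api(token: StoredToken, now: float,
             request: Callable[[str], int],
             refresh: Callable[[str], str]) -> Tuple[int, StoredToken]:
    """One authenticated call; refreshes proactively or on a 401, at most once.

    `request` takes an access token and returns the HTTP status; `refresh` takes
    a refresh token and returns the new token JSON. Both are injected (hypothetical
    stand-ins) so the logic runs offline.
    """
    if token.needs_refresh(now) and token.refresh_token:
        token = StoredToken(refresh(token.refresh_token), now)
    status = request(token.access_token)
    if status == 401 and token.refresh_token:
        # Rejected anyway (expired, revoked, or clock skew): refresh and retry once.
        token = StoredToken(refresh(token.refresh_token), now)
        status = request(token.access_token)
    # A 401 with no refresh token is returned as-is so the UI can show "logged out"
    # instead of silently stopping timeline updates.
    return status, token
```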
> How does Mitra signal the token expiry date?
@TheOneric It doesn't. I will add expires_in as described in the RFC.
Thank you for the info!