[GH-ISSUE #134] How long is a sent access token valid? #41

Closed
opened 2026-02-26 05:32:38 +03:00 by kerem · 3 comments

Originally created by @palto42 on GitHub (Oct 14, 2018).
Original GitHub issue: https://github.com/nextcloud/twofactor_gateway/issues/134

I tried to find out how long an access token sent via the twofactor_gateway (e.g. via Signal) is valid, but it seems it doesn't automatically expire (waited >20 minutes).
Is there an expiry of the sent access tokens and if not, isn't this a security concern?

kerem 2026-02-26 05:32:38 +03:00
  • closed this issue
  • added the question label

@ChristophWurst commented on GitHub (Oct 15, 2018):

The code is currently stored in the server session: https://github.com/nextcloud/twofactor_gateway/blob/f9e55f2bd10dc96294e4ea679fdcb08a85eda6d3/lib/Provider/AProvider.php#L92, hence its TTL depends on the server configuration.

It should be easy to store a generation timestamp together with the code and check expiry on code usage. Would you be interested in adding that?
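
The approach suggested in the comment above (store a generation timestamp with the code and check expiry on use), as an added example that is not part of the thread or of the twofactor_gateway code base. `ArraySession`, `ExpiringCodeStore`, the session key, the 6-digit code format and the 5-minute lifetime are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not twofactor_gateway code. ArraySession is a
// hypothetical stand-in for the server session the real provider uses.
final class ArraySession {
    private array $data = [];
    public function set(string $k, $v): void { $this->data[$k] = $v; }
    public function get(string $k) { return $this->data[$k] ?? null; }
    public function remove(string $k): void { unset($this->data[$k]); }
}

final class ExpiringCodeStore {
    private const KEY = 'example_2fa_code';   // assumed session key
    private const TTL_SECONDS = 300;          // assumed lifetime: 5 minutes
    public function __construct(private ArraySession $session) {}

    // Generate a 6-digit code and store it together with its creation time.
    public function issue(int $now): string {
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $this->session->set(self::KEY, ['code' => $code, 'issued_at' => $now]);
        return $code;
    }

    // Accept the code only if it matches and is not older than the TTL.
    public function verify(string $submitted, int $now): bool {
        $entry = $this->session->get(self::KEY);
        if (!is_array($entry)) {
            return false;                      // nothing issued, or already used
        }
        if ($now - $entry['issued_at'] > self::TTL_SECONDS) {
            $this->session->remove(self::KEY); // expired: drop it
            return false;
        }
        if (!hash_equals($entry['code'], $submitted)) {
            return false;                      // constant-time comparison failed
        }
        $this->session->remove(self::KEY);     // single use
        return true;
    }
}

// Constructed timestamps, so the run does not depend on the wall clock.
$store = new ExpiringCodeStore(new ArraySession());
$code = $store->issue(1000);
var_dump($store->verify($code, 1000 + 301)); // submitted after the TTL
$code = $store->issue(2000);
var_dump($store->verify($code, 2000 + 60));  // submitted within the TTL
var_dump($store->verify($code, 2000 + 61));  // same code submitted again
```

With this check the code's lifetime no longer depends on the session TTL configured on the server, and a code that has been accepted once cannot be replayed.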


@palto42 commented on GitHub (Oct 15, 2018):

Thanks for your quick response.
In my view an expiry would be nice to have, but I have nearly no experience with PHP. If I find some time I will give it a try anyway.


@ChristophWurst commented on GitHub (Dec 21, 2018):

Closing as question was answered
