
reuse_access_token config should be used when refreshing a token

Open PhilippeChab opened this issue 2 years ago • 4 comments

Maybe I am wrong, but I feel like reuse_access_token should apply when refreshing a token that has not expired yet.

An improper use of the refresh_token grant type could lead to the creation of an unnecessary number of access tokens and bloat the underlying database.

I believe the only change needed to make this possible would be to replace create_for here by the find_or_create_for method of the access token mixin.

PhilippeChab avatar Jul 10 '23 20:07 PhilippeChab

I'd disagree with this, as if you are using refresh tokens with reuse_access_token, you're explicitly saying "please generate a new access token", i.e., I think what you're proposing would render refresh tokens pointless.

ThisIsMissEm avatar Nov 17 '23 20:11 ThisIsMissEm

I'd disagree with this, as if you are using refresh tokens with reuse_access_token, you're explicitly saying "please generate a new access token", i.e., I think what you're proposing would render refresh tokens pointless.

Well, it is definitively not pointless, since you'll need to refresh your access token eventually nonetheless.

But I understand that if you explicitly ask to refresh your current token, it could be considered weird/a bug to return the current, unexpired token. If it is a matter of security, the "good" way to invalidate your tokens would be to revoke them however.

I don't know. Maybe it should be configurable?

PhilippeChab avatar Nov 20 '23 17:11 PhilippeChab
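A constructed Ruby model of the three refresh behaviours discussed in this thread (a new token on every refresh, reuse of a live token, and rotation that revokes the superseded token); this is an added illustration, not doorkeeper's own code or schema, and the TokenStore class, its method names and the sample resource owner are assumptions.

```ruby
# Constructed in-memory model of an OAuth access-token table (not doorkeeper's
# code). It shows the trade-off from the issue: reusing an unexpired token on
# refresh stops the table growing but drops rotation, while revoking the
# superseded token on refresh limits growth and keeps rotation.
require 'securerandom'

Token = Struct.new(:id, :resource_owner, :expires_at, :revoked_at) do
  def live?(now)
    revoked_at.nil? && expires_at > now
  end
end

class TokenStore
  def initialize
    @tokens = []
  end

  # Issue a new token on every refresh (one new row per refresh grant).
  def create_for(owner, now, ttl)
    @tokens << Token.new(SecureRandom.hex(8), owner, now + ttl, nil)
    @tokens.last
  end

  # reuse_access_token semantics applied to refresh: return a live token if any.
  def find_or_create_for(owner, now, ttl)
    @tokens.find { |t| t.resource_owner == owner && t.live?(now) } ||
      create_for(owner, now, ttl)
  end

  # Rotation: revoke the owner's live tokens, then issue a fresh one.
  def rotate_for(owner, now, ttl)
    @tokens.each { |t| t.revoked_at = now if t.resource_owner == owner && t.live?(now) }
    create_for(owner, now, ttl)
  end

  def live_count(owner, now)
    @tokens.count { |t| t.resource_owner == owner && t.live?(now) }
  end

  def size
    @tokens.size
  end
end

# Run `refreshes` refresh grants for one owner, each long before the current token expires.
def simulate(strategy, refreshes: 5, ttl: 3600)
  store = TokenStore.new
  now = 0
  ids = refreshes.times.map { now += 60; store.public_send(strategy, :alice, now, ttl).id }
  { rows: store.size, live: store.live_count(:alice, now), distinct_ids: ids.uniq.size }
end
```

`simulate(:create_for)` yields five rows that are all live, `simulate(:find_or_create_for)` one row, and `simulate(:rotate_for)` five rows of which only the newest is live.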

I'd probably say "reuse_access_token" should maybe be considered incompatible with refresh tokens? Maybe?

Token reuse in general is a really bad idea, imo, and not having expiry on tokens that are not PATs is really not a good idea, but even PATs should probably expire & be refreshed regularly.

ThisIsMissEm avatar Nov 20 '23 18:11 ThisIsMissEm

@nbulaj I am curious, what is your opinion on this?

PhilippeChab avatar Apr 04 '24 13:04 PhilippeChab