View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009651 | Taler | merchant backend | public | 2025-03-23 19:43 | 2025-03-24 13:47 |
Reporter | schanzen | Assigned To | schanzen |
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | assigned | Resolution | open |
Target Version | 1.1 |
Summary | 0009651: When changing the instance password we may want to revoke old access tokens |
Description | Currently, unless the tokens expire or are explicitly revoked, they stay valid even if the instance password is changed. We may want to think about revoking all old tokens issued before the change. |
Tags | No tags attached. |
I think this should be an option. Just because someone changes their instance password doesn't mean that they intend to revoke all access tokens. So the SPA could have a checkbox "revoke access tokens" and submit that boolean with the password change request. I guess the safe(r) default is to set it by default, but I think there are legitimate cases where you want the access tokens to remain valid, so we should give users a way to disable that.
Date Modified | Username | Field | Change |
---|---|---|---|
2025-03-23 19:43 | schanzen | New Issue | |
2025-03-23 19:43 | schanzen | Status | new => assigned |
2025-03-23 19:43 | schanzen | Assigned To | => Christian Grothoff |
2025-03-23 19:43 | schanzen | Relationship added | related to 0009556 |
2025-03-24 13:47 | Christian Grothoff | Note Added: 0024295 | |
2025-03-24 13:47 | Christian Grothoff | Assigned To | Christian Grothoff => schanzen |