AAP-43751 Reduce default token expiry from 1000 years to 1 year (#710)

markafarrell · Bryan Havenstein · web-flow · commit 30cf49a78d07 · 2025-05-20T10:28:42.000-06:00
---------

Co-authored-by: Bryan Havenstein &lt;bhavenst@redhat.com&gt;
diff --git a/ansible_base/lib/dynamic_config/settings_logic.py b/ansible_base/lib/dynamic_config/settings_logic.py
@@ -265,7 +265,7 @@ def get_mergeable_dab_settings(settings: dict) -> dict:  # NOSONAR
         if 'oauth2_provider' not in installed_apps:
             installed_apps.append('oauth2_provider')
 
-        oauth2_provider.setdefault('ACCESS_TOKEN_EXPIRE_SECONDS', 31536000000)
+        oauth2_provider.setdefault('ACCESS_TOKEN_EXPIRE_SECONDS', 31536000)  # 1 year
         oauth2_provider.setdefault('AUTHORIZATION_CODE_EXPIRE_SECONDS', 600)
         oauth2_provider.setdefault('REFRESH_TOKEN_EXPIRE_SECONDS', 2628000)
         # For compat with awx, we don't require PKCE, but the new version
diff --git a/test_app/tests/oauth2_provider/test_authentication.py b/test_app/tests/oauth2_provider/test_authentication.py
@@ -1,3 +1,4 @@
+from datetime import datetime, timedelta, timezone
 from unittest import mock
 
 import pytest
@@ -50,6 +51,15 @@ def test_oauth2_bearer_get(unauthenticated_api_client, oauth2_admin_access_token
         assert response.data['name'] == animal.name
 
 
+@pytest.mark.django_db
+def test_oauth2_token_expiry(oauth2_admin_access_token):
+    """
+    Verify default expiration is 1 year
+    """
+    token = oauth2_admin_access_token[0]
+    assert token.expires < datetime.now(tz=timezone.utc) + timedelta(weeks=53)
+
+
 @pytest.mark.parametrize(
     'token, expected',
     [
