Shorten refresh token expiry for enforced SSO users

neSpecc · neSpecc · commit fbb0afc02f5b · 2026-01-12T18:25:38.000+03:00
Refresh token lifetime is now 2 days instead of 30 for users in workspaces with enforced SSO. This change applies to both standard and SAML SSO flows to improve security by requiring more frequent re-authentication.
diff --git a/src/models/user.ts b/src/models/user.ts
@@ -302,8 +302,15 @@ export default class UserModel extends AbstractModel<Omit<UserDBScheme, '_id'>>
 
   /**
    * Generates JWT
+   *
+   * @param isSsoEnforced - if true, use shorter token lifetime (2 days instead of 30)
    */
-  public async generateTokensPair(): Promise<TokensPair> {
+  public async generateTokensPair(isSsoEnforced = false): Promise<TokensPair> {
+    /**
+     * Use shorter refresh token expiry for SSO users to enforce re-authentication
+     */
+    const refreshTokenExpiry = isSsoEnforced ? '2d' : '30d';
+
     const accessToken = await jwt.sign(
       {
         userId: this._id,
@@ -317,7 +324,7 @@ export default class UserModel extends AbstractModel<Omit<UserDBScheme, '_id'>>
         userId: this._id,
       },
       process.env.JWT_SECRET_REFRESH_TOKEN as Secret,
-      { expiresIn: '30d' }
+      { expiresIn: refreshTokenExpiry }
     );
 
     return {
diff --git a/src/resolvers/user.ts b/src/resolvers/user.ts
@@ -143,7 +143,15 @@ export default {
         throw new ApolloError('There is no users with that id');
       }
 
-      return user.generateTokensPair();
+      /**
+       * Check if user is member of any workspace with enforced SSO
+       * to use shorter token lifetime
+       */
+      const workspacesIds = await user.getWorkspacesIds([]);
+      const workspaces = await factories.workspacesFactory.findManyByIds(workspacesIds);
+      const hasEnforcedSso = workspaces.some(w => w.sso?.enabled && w.sso?.enforced);
+
+      return user.generateTokensPair(hasEnforcedSso);
     },
 
     /**
diff --git a/src/sso/saml/controller.ts b/src/sso/saml/controller.ts
@@ -287,8 +287,9 @@ export default class SamlController {
 
       /**
        * 5. Create Hawk session
+       * Use shorter token lifetime for enforced SSO workspaces
        */
-      const tokens = await user.generateTokensPair();
+      const tokens = await user.generateTokensPair(workspace.sso?.enforced || false);
 
       /**
        * 6. Redirect to Garage with tokens
