From c7c5c99f7ed55fadacbdb596ed0efeac04e4552e Mon Sep 17 00:00:00 2001
From: David Robertson
Date: Wed, 10 May 2023 19:08:29 +0100
Subject: Complement: refreshing access tokens live for 1s
---
 docker/complement/conf/workers-shared-extra.yaml.j2 | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/docker/complement/conf/workers-shared-extra.yaml.j2 b/docker/complement/conf/workers-shared-extra.yaml.j2
index 63acf86a46..491a4303b6 100644
--- a/docker/complement/conf/workers-shared-extra.yaml.j2
+++ b/docker/complement/conf/workers-shared-extra.yaml.j2
@@ -17,6 +17,16 @@ url_preview_ip_range_blacklist: []
 ## Registration ##
+# At present, there is no way to expire a refreshing access token without also logging
+# out the device. (The spec mandates that a refresh token is invalidated when a newer
+# access token or refresh token is used, but the original access token continues on
+# until expiry.) The default lifetime of a refreshing access tokens is 5 minutes; this
+# is too long to wait in tests that probe the behaviour of refreshing access tokens.
+#
+# As a stopgap, make refreshing access tokens last for only a second. Tests can sleep
+# for (a little over) 1s to ensure the token really has expired.
+refreshable_access_token_lifetime: 1s
+
 # Needed by Complement to register admin users
 # DO NOT USE in a production configuration! This should be a random secret.
 registration_shared_secret: complement
-- 
cgit 1.5.1
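Review bot: The new `refreshable_access_token_lifetime: 1s` sits directly under the `## Registration ##` heading and, unlike the `registration_shared_secret` entry below it, carries no test-only marker, although a one-second access-token lifetime only makes sense inside the Complement harness. I would give it its own heading (for example `## Sessions ##`) or at least end the comment block with `# Complement only; do not copy into a production configuration.`. The comment could also say that the value applies to every session in this image that opts into refresh tokens, so presumably any test that logs in with a refresh token and does not refresh within a second will see its access token rejected. Tests that rely on the "a little over 1s" sleep should allow some margin for scheduling delay on loaded CI runners, otherwise the expiry assertion can flake.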