fix: increase refresh token grace period

GitOrigin-RevId: 36a5d2a3038209b91452ef7b600c2b28ad8f8e45

Author: hperl

.reports/dep-licenses.csv

@@ -3,5 +3,4 @@
 "github.com/ory/x","Apache-2.0"
 "github.com/stretchr/testify","MIT"
 "go.opentelemetry.io/otel/sdk","Apache-2.0"
-"go.opentelemetry.io/otel/sdk","BSD-3-Clause"
 

driver/config/provider.go

@@ -770,20 +770,17 @@ type GracefulRefreshTokenRotation struct {
 }
 
 func (p *DefaultProvider) GracefulRefreshTokenRotation(ctx context.Context) (cfg GracefulRefreshTokenRotation) {
-	switch reuseCount := p.getProvider(ctx).IntF(KeyRefreshTokenRotationGraceReuseCount, 0); {
-	case reuseCount > math.MaxInt32:
-		cfg.Count = math.MaxInt32
-	case reuseCount < 0:
-		cfg.Count = 0
-	default:
-		cfg.Count = int32(reuseCount)
-	}
-	cfg.Period = p.getProvider(ctx).DurationF(KeyRefreshTokenRotationGracePeriod, 0)
-	if cfg.Count == 0 && cfg.Period > 5*time.Minute {
-		cfg.Period = 5 * time.Minute
-	} else if cfg.Count > 0 && cfg.Period > 30*24*time.Hour {
-		cfg.Period = 30 * 24 * time.Hour
+	//nolint:gosec
+	cfg.Count = int32(x.Clamp(p.getProvider(ctx).IntF(KeyRefreshTokenRotationGraceReuseCount, 0), 0, math.MaxInt32))
+
+	// The maximum value is 5 minutes, unless also a reuse count is configured, in
+	// which case the maximum is 180 days
+	maxPeriod := 5 * time.Minute
+	if cfg.Count > 0 {
+		maxPeriod = 180 * 24 * time.Hour
 	}
+	cfg.Period = x.Clamp(p.getProvider(ctx).DurationF(KeyRefreshTokenRotationGracePeriod, 0), 0, maxPeriod)
+
 	return
 }
 

driver/config/provider_test.go

@@ -288,8 +288,8 @@ func TestProviderValidates(t *testing.T) {
 	assert.Equal(t, 5*time.Minute, c.GracefulRefreshTokenRotation(ctx).Period)
 	require.NoError(t, c.Set(ctx, KeyRefreshTokenRotationGraceReuseCount, "2"))
 	assert.Equal(t, GracefulRefreshTokenRotation{Count: 2, Period: 2 * time.Hour}, c.GracefulRefreshTokenRotation(ctx))
-	require.NoError(t, c.Set(ctx, KeyRefreshTokenRotationGracePeriod, (time.Hour*24*90).String()))
-	assert.Equal(t, GracefulRefreshTokenRotation{Count: 2, Period: time.Hour * 24 * 30}, c.GracefulRefreshTokenRotation(ctx))
+	require.NoError(t, c.Set(ctx, KeyRefreshTokenRotationGracePeriod, (time.Hour*24*200).String()))
+	assert.Equal(t, GracefulRefreshTokenRotation{Count: 2, Period: time.Hour * 24 * 180}, c.GracefulRefreshTokenRotation(ctx))
 
 	// urls
 	assert.Equal(t, urlx.ParseOrPanic("https://issuer"), c.IssuerURL(ctx))

spec/config.json

@@ -852,7 +852,7 @@
               "properties": {
                 "rotation_grace_period": {
                   "title": "Refresh Token Rotation Grace Period",
-                  "description": "Configures how long a Refresh Token remains valid after it has been used. The maximum value is 5 minutes, unless also a reuse count is configured, in which case the maximum is 30 days.",
+                  "description": "Configures how long a Refresh Token remains valid after it has been used. The maximum value is 5 minutes, unless also a reuse count is configured, in which case the maximum is 180 days.",
                   "default": "0s",
                   "type": "string",
                   "allOf": [

x/clamp.go

@@ -0,0 +1,12 @@
+package x
+
+// Clamp clamps val to be within the range [min, max] for any integer type.
+func Clamp[T ~int | ~int8 | ~int16 | ~int32 | ~int64 | ~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64](val, min, max T) T {
+	if val < min {
+		return min
+	}
+	if val > max {
+		return max
+	}
+	return val
+}