storage: make the access token expiration optional

crates/graphql/src/mutations/oauth2_session.rs

@@ -177,10 +177,9 @@ impl OAuth2SessionMutations {
         }
 
         let ttl = if permanent {
-            // XXX: that's lazy
-            Duration::days(365 * 50)
+            None
         } else {
-            Duration::minutes(5)
+            Some(Duration::minutes(5))
         };
         let access_token = repo
             .oauth2_access_token()

crates/handlers/src/graphql/tests.rs

@@ -13,7 +13,6 @@
 // limitations under the License.
 
 use axum::http::Request;
-use chrono::Duration;
 use hyper::StatusCode;
 use mas_data_model::{AccessToken, Client, TokenType, User};
 use mas_router::SimpleRoute;
@@ -106,13 +105,7 @@ async fn start_oauth_session(
 
     let access_token = repo
         .oauth2_access_token()
-        .add(
-            &mut rng,
-            &state.clock,
-            &session,
-            access_token_str,
-            Duration::minutes(5),
-        )
+        .add(&mut rng, &state.clock, &session, access_token_str, None)
         .await
         .unwrap();
 

crates/handlers/src/oauth2/mod.rs

@@ -115,7 +115,7 @@ pub(crate) async fn generate_token_pair<R: RepositoryAccess>(
 
     let access_token = repo
         .oauth2_access_token()
-        .add(rng, clock, session, access_token_str, ttl)
+        .add(rng, clock, session, access_token_str, Some(ttl))
         .await?;
 
     let refresh_token = repo

crates/handlers/src/oauth2/token.rs

@@ -529,7 +529,7 @@ async fn client_credentials_grant(
 
     let access_token = repo
         .oauth2_access_token()
-        .add(rng, clock, &session, access_token_str, ttl)
+        .add(rng, clock, &session, access_token_str, Some(ttl))
         .await?;
 
     let mut params = AccessTokenResponse::new(access_token.access_token).with_expires_in(ttl);

crates/storage-pg/migrations/20230911091636_oauth2_token_expiration.sql

@@ -0,0 +1,19 @@
+-- Copyright 2023 The Matrix.org Foundation C.I.C.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+-- This makes the `expires_at` column nullable on the `oauth2_access_tokens`.
+-- This is to allow permanent tokens to be created via the admin API.
+ALTER TABLE oauth2_access_tokens
+    ALTER COLUMN expires_at DROP NOT NULL;
+

crates/storage-pg/src/oauth2/access_token.rs

@@ -42,7 +42,7 @@ struct OAuth2AccessTokenLookup {
     oauth2_session_id: Uuid,
     access_token: String,
     created_at: DateTime<Utc>,
-    expires_at: DateTime<Utc>,
+    expires_at: Option<DateTime<Utc>>,
     revoked_at: Option<DateTime<Utc>>,
 }
 
@@ -59,7 +59,7 @@ impl From<OAuth2AccessTokenLookup> for AccessToken {
             session_id: value.oauth2_session_id.into(),
             access_token: value.access_token,
             created_at: value.created_at,
-            expires_at: Some(value.expires_at),
+            expires_at: value.expires_at,
         }
     }
 }
@@ -146,10 +146,10 @@ impl<'c> OAuth2AccessTokenRepository for PgOAuth2AccessTokenRepository<'c> {
         clock: &dyn Clock,
         session: &Session,
         access_token: String,
-        expires_after: Duration,
+        expires_after: Option<Duration>,
     ) -> Result<AccessToken, Self::Error> {
         let created_at = clock.now();
-        let expires_at = created_at + expires_after;
+        let expires_at = expires_after.map(|d| created_at + d);
         let id = Ulid::from_datetime_with_source(created_at.into(), rng);
 
         tracing::Span::current().record("access_token.id", tracing::field::display(id));
@@ -177,7 +177,7 @@ impl<'c> OAuth2AccessTokenRepository for PgOAuth2AccessTokenRepository<'c> {
             access_token,
             session_id: session.id,
             created_at,
-            expires_at: Some(expires_at),
+            expires_at,
         })
     }
 

crates/storage-pg/src/oauth2/mod.rs

@@ -270,7 +270,7 @@ mod tests {
                 &clock,
                 &session,
                 "aabbcc".to_owned(),
-                Duration::minutes(5),
+                Some(Duration::minutes(5)),
             )
             .await
             .unwrap();

crates/storage/src/oauth2/access_token.rs

@@ -66,7 +66,8 @@ pub trait OAuth2AccessTokenRepository: Send + Sync {
     /// * `clock`: The clock used to generate timestamps
     /// * `session`: The session the access token is associated with
     /// * `access_token`: The access token to add
-    /// * `expires_after`: The duration after which the access token expires
+    /// * `expires_after`: The duration after which the access token expires. If
+    ///   [`None`] the access token never expires
     ///
     /// # Errors
     ///
@@ -77,7 +78,7 @@ pub trait OAuth2AccessTokenRepository: Send + Sync {
         clock: &dyn Clock,
         session: &Session,
         access_token: String,
-        expires_after: Duration,
+        expires_after: Option<Duration>,
     ) -> Result<AccessToken, Self::Error>;
 
     /// Revoke an access token
@@ -126,7 +127,7 @@ repository_impl!(OAuth2AccessTokenRepository:
         clock: &dyn Clock,
         session: &Session,
         access_token: String,
-        expires_after: Duration,
+        expires_after: Option<Duration>,
     ) -> Result<AccessToken, Self::Error>;
 
     async fn revoke(