only check if password has changed on jwt refresh

2026-04-11 17:47:37 +03:00 · 2025-12-08 08:30:12 -06:00 · 2025-12-08 08:30:12 -06:00 · 2a78ae4bfb
commit 2a78ae4bfb
parent e7b35df2f1
3 changed files with 21 additions and 20 deletions
--- a/docs/docs/configuration/reference.md
+++ b/docs/docs/configuration/reference.md
@ -123,7 +123,7 @@ auth:
  # Optional: Refresh time in seconds (default: shown below)
  # When the session is going to expire in less time than this setting,
  # it will be refreshed back to the session_length.
-  refresh_time: 43200 # 12 hours
+  refresh_time: 1800 # 30 minutes
  # Optional: Rate limiting for login failures to help prevent brute force
  # login attacks (default: shown below)
  # See the docs for more information on valid values
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@ -648,27 +648,28 @@ def auth(request: Request):
            logger.debug("jwt token expired")
            return fail_response

-        # Check if password has been changed after token was issued
-        try:
-            user_obj = User.get_by_id(user)
-            # Only invalidate token if password was changed after token was issued
-            if user_obj.password_changed_at is not None:
-                token_iat = int(token.claims.get("iat", 0))
-                password_changed_timestamp = int(
-                    user_obj.password_changed_at.timestamp()
-                )
-                if token_iat < password_changed_timestamp:
-                    logger.debug(
-                        "jwt token issued before password change, invalidating token"
-                    )
-                    return fail_response
-        except DoesNotExist:
-            logger.debug("user not found")
-            return fail_response
-
        # if the jwt cookie is expiring soon
        if jwt_source == "cookie" and expiration - JWT_REFRESH <= current_time:
            logger.debug("jwt token expiring soon, refreshing cookie")
+
+            # Check if password has been changed since token was issued
+            # If so, force re-login by rejecting the refresh
+            try:
+                user_obj = User.get_by_id(user)
+                if user_obj.password_changed_at is not None:
+                    token_iat = int(token.claims.get("iat", 0))
+                    password_changed_timestamp = int(
+                        user_obj.password_changed_at.timestamp()
+                    )
+                    if token_iat < password_changed_timestamp:
+                        logger.debug(
+                            "jwt token issued before password change, rejecting refresh"
+                        )
+                        return fail_response
+            except DoesNotExist:
+                logger.debug("user not found")
+                return fail_response
+
            new_expiration = current_time + JWT_SESSION_LENGTH
            new_encoded_jwt = create_encoded_jwt(
                user, role, new_expiration, request.app.jwt_token
--- a/frigate/config/auth.py
+++ b/frigate/config/auth.py
@ -20,7 +20,7 @@ class AuthConfig(FrigateBaseModel):
        default=86400, title="Session length for jwt session tokens", ge=60
    )
    refresh_time: int = Field(
-        default=43200,
+        default=1800,
        title="Refresh the session if it is going to expire in this many seconds",
        ge=30,
    )