commit 0b648eb413a20125074b9dbcddf7ffdad3edbb70
parent a6e54d9ea77db3a019c9c3b09f014c6fdc827774
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 25 Nov 2025 18:53:35 +0900
access tokens: add hint for refreshable tokens discouraging it. Issue #10172
Diffstat:
1 file changed, 10 insertions(+), 0 deletions(-)
diff --git a/packages/merchant-backoffice-ui/src/paths/instance/accessTokens/create/CreatePage.tsx b/packages/merchant-backoffice-ui/src/paths/instance/accessTokens/create/CreatePage.tsx
@@ -43,6 +43,7 @@ import {
import { Input } from "../../../../components/form/Input.js";
import { InputDuration } from "../../../../components/form/InputDuration.js";
import { InputSelector } from "../../../../components/form/InputSelector.js";
+import { NotificationCard } from "../../../../components/menu/index.js";
import { SolveMFAChallenges } from "../../../../components/SolveMFA.js";
import { useSessionContext } from "../../../../context/session.js";
import { undefinedIfEmpty } from "../../../../utils/table.js";
@@ -164,6 +165,15 @@ export function CreatePage({ onCreated, onBack }: Props): VNode {
withForever
tooltip={i18n.str`Time the access token will be valid.`}
/>
+ {state.scope?.endsWith(":refreshable") && (
+ <NotificationCard
+ notification={{
+ type: "WARN",
+ message: i18n.str`Refreshable tokens can pose a security risk!`,
+ description: i18n.str`Refreshable tokens can be refreshed before their lifetime ends, effectively giving any bearer access without expiration. Only use this if you know what you are doing and you have evaluated associated risks especially in respect to the permissions granted by the scope.`,
+ }}
+ />
+ )}
<InputSelector
name="scope"
label={i18n.str`Scope`}
