Split login_via_existing_session conf item to login_via_token.

Signed-off-by: Jason Volk <jason@zemos.net>
2026-01-24 03:01:56 +00:00
parent 7ff51a8eca
commit f048f87dac
3 changed files with 30 additions and 6 deletions
--- a/tuwunel-example.toml
+++ b/tuwunel-example.toml
@@ -785,11 +785,21 @@
 # Allow an existing session to mint a login token for another client.
 # This requires interactive authentication, but has security ramifications
 # as a malicious client could use the mechanism to spawn more than one
-# session.
-# Enabled by default.
+# session. Enabled by default.
 #
 #login_via_existing_session = true

+# Whether to enable the login token route to accept login tokens at all.
+# Login tokens may be generated by the server for authorization flows such
+# as SSO; disabling tokens may break such features.
+#
+# This option is distinct from `login_via_existing_session` and does not
+# carry the same security implications; the intent is to leave this
+# enabled while disabling the former to prevent clients from commanding
+# login token creation but without preventing the server from doing so.
+#
+#login_via_token = true
+
 # Login token expiration/TTL in milliseconds.
 #
 # These are short-lived tokens for the m.login.token endpoint.