I'm having the following security concern with accessing Google Drive via rclone. The access tokens that rclone gets for Google Drive are refreshable, meaning that after they expire it is possible to refresh them without undergoing authorization. If such a token gets compromised, then a third party can refresh this token several times to access my Google Drive until I figure out that something is wrong. Fortunately, there is the command rclone config disconnect that revokes a valid access token. This command may be used to "log out" after finishing work and thus presents an extra security measure that partially mitigates my concern. But if my refreshable token by any means gets compromised before I revoke it with rclone config disconnect, then it may be refreshed by an unauthorized third party and rclone config disconnect cannot revoke such a token. Is my understanding right?
If so, then it would be nice to have an option to make rclone request a non-refreshable token (if the Google API allows it). Also, it would be nice to specify the expiry time of the token (again, if the Google API allows such requests). Please excuse me if this proposal is not possible to implement; I'm not familiar with app development and the Google API in particular.
Side note: Yes, I know that rclone configurations (and so access tokens) should be protected by passwords, just as SSH keys should be. But password protection is not 2FA, and hence my concern.
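As an added example (not from the original post and not rclone's own code): a Python script that reads the token JSON rclone stores for a Google Drive remote, reports whether the access token has expired and whether the grant carries a refresh token, and builds the POST to Google's documented OAuth 2.0 revocation endpoint. The token JSON below is constructed with placeholder values; the endpoint URL and the `token` form parameter come from Google's OAuth 2.0 documentation, which also states that revoking a refresh token invalidates the access tokens issued from it, so the script prefers the refresh token when one is present.

```python
"""Inspect an rclone Google Drive token and build the Google OAuth2 revocation request.

Added example: not part of the forum post and not rclone's own code.
"""
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Google's documented OAuth 2.0 token revocation endpoint.
GOOGLE_REVOKE_URL = "https://oauth2.googleapis.com/revoke"

# Constructed sample in the shape rclone stores under a remote's `token` key.
# The values are placeholders, not real credentials.
SAMPLE_TOKEN_JSON = (
    '{"access_token":"ya29.a0-sample-access-token","token_type":"Bearer",'
    '"refresh_token":"1//0g-sample-refresh-token",'
    '"expiry":"2024-01-01T12:00:00.123456789+00:00"}'
)

# Go (and therefore rclone) writes RFC 3339 timestamps with up to nanosecond
# precision; Python's fromisoformat only accepts microseconds, so trim extra digits.
_FRACTION = re.compile(r"(\.\d{1,6})\d*")


def parse_expiry(value):
    """Parse the RFC 3339 expiry rclone writes; trims sub-microsecond digits and maps 'Z' to +00:00."""
    value = _FRACTION.sub(r"\1", value)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def parse_token(token_json):
    """Load rclone's token JSON and attach a parsed expiry (None if absent)."""
    tok = json.loads(token_json)
    if "access_token" not in tok:
        raise ValueError("no access_token in rclone token JSON")
    tok["expiry_dt"] = parse_expiry(tok["expiry"]) if tok.get("expiry") else None
    return tok


def is_expired(tok, now=None):
    """True when the access token's expiry has passed (an expired token is still
    usable to an attacker if a refresh token sits next to it)."""
    now = now or datetime.now(timezone.utc)
    return tok["expiry_dt"] is not None and tok["expiry_dt"] <= now


def is_refreshable(tok):
    """True when the stored grant includes a refresh token."""
    return bool(tok.get("refresh_token"))


def token_to_revoke(tok):
    """Prefer the refresh token: revoking it kills the whole grant, including
    access tokens issued from it. Fall back to the access token when none exists."""
    return tok.get("refresh_token") or tok["access_token"]


def build_revoke_request(tok):
    """Build the form-encoded POST Google's revocation endpoint expects."""
    body = urlencode({"token": token_to_revoke(tok)}).encode()
    return Request(
        GOOGLE_REVOKE_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def revoke(tok, send=urlopen):
    """Send the revocation and return the HTTP status (Google answers 200 on success).
    `send` is injectable so the function can be exercised without network access."""
    resp = send(build_revoke_request(tok))
    try:
        return resp.status
    finally:
        resp.close()


if __name__ == "__main__":
    t = parse_token(SAMPLE_TOKEN_JSON)
    print("refreshable:", is_refreshable(t), "expired:", is_expired(t))
    req = build_revoke_request(t)
    print("would POST", req.data, "to", req.full_url)
```

To use it against a real remote, feed it the `token` value printed by `rclone config show <remote>` (or the corresponding line of rclone.conf) and call `revoke(parse_token(...))`; the `__main__` block above only prints the request it would send.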