It has been brought to our attention that access_tokens have been registering for 10+ years and not being set to the correct value. Although this is not a major security issue we are pushing a new update to the repo. Please update to the latest version (3.1.2) as soon as possible.
What is the issue?
Access tokens are used as a key/password for users that have granted access to their WordPress information. These tokens are to have a lifetime of X time and thus requiring the user to re authorize. The issue is that even though tokens were being created and the API said the expire time was correct, they was being entered into the database with a +10 year lifespan.
How to protect yourself?
First thing you can do is to update to the latest version of WP OAuth Server. Second thing you can do and make all access tokens in the access_tokens table null and void. You can do this by using PHPMyAdmin or a DB manager plugin.
There has been no issues reported due to this mistake and you are safe but we suggest taking the measures stated above to protect yourself fully. If you have any questions or concerns, please submit a support request.
Credit to Michael for reporting the issue.