-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #147 from SeaweedbrainCY/refresh_token
Add refresh token feature and expand the duration of the open vault
- Loading branch information
Showing
39 changed files
with
784 additions
and
101 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
from uuid import uuid4 | ||
from hashlib import sha256 | ||
from database.refresh_token_repo import RefreshTokenRepo | ||
from environment import logging | ||
import datetime as dt | ||
from CryptoClasses.jwt_func import generate_jwt, verify_jwt | ||
from connexion.exceptions import Forbidden, Unauthorized | ||
from database.rate_limiting_repo import RateLimitingRepo | ||
|
||
|
||
|
||
def generate_refresh_token(user_id, jti, expiration=-1): | ||
token = str(uuid4()) | ||
hashed_token = sha256(token.encode()).hexdigest() | ||
rt_repo = RefreshTokenRepo() | ||
rt = rt_repo.create_refresh_token(user_id, jti, hashed_token, expiration=expiration) | ||
return token if rt else None | ||
|
||
|
||
def refresh_token_flow(jti, rt, jwt_user_id, ip): | ||
rate_limiting = RateLimitingRepo() | ||
rt_repo = RefreshTokenRepo() | ||
if rt.jti == jti and rt.user_id == jwt_user_id: | ||
if rt.revoke_timestamp == None: | ||
if float(rt.expiration) > dt.datetime.now(dt.UTC).timestamp(): | ||
new_jwt = generate_jwt(rt.user_id) | ||
new_jti = verify_jwt(new_jwt)["jti"] | ||
new_refresh_token = generate_refresh_token(rt.user_id, new_jti, expiration=rt.expiration) | ||
rt_repo.revoke(rt.id) | ||
return new_jwt, new_refresh_token | ||
else: | ||
rate_limiting.add_failed_login(ip, rt.user_id) | ||
logging.warning(f"The user {rt.user_id} tried to refresh a token that has expired: {rt.id}. Refresh flow aborted. Token expired at: {rt.expiration}") | ||
raise Forbidden("Access denied") | ||
else: | ||
rate_limiting.add_failed_login(ip, rt.user_id) | ||
logging.warning(f"The user {rt.user_id} tried to refresh a token that has been revoked: {rt.id}. Refresh flow aborted. Token revoked at: {rt.revoke_timestamp}") | ||
raise Forbidden("Access denied") | ||
else: | ||
rate_limiting.add_failed_login(ip, rt.user_id) | ||
logging.warning(f"A refresh token has been asked, but invalid context for refresh token {rt.id}. Expected jti: {rt.jti}, user_id: {rt.user_id}. But git jti: {jti}, user_id: {jwt_user_id}. Refresh flow aborted.") | ||
rt_repo.revoke(rt.id) | ||
raise Forbidden("Access denied") | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
from flask import Response | ||
from environment import conf | ||
|
||
class Response(Response): | ||
def set_auth_cookies(self, jwt, refresh_token): | ||
self.set_cookie("api-key", jwt, httponly=True, secure=True, samesite="Lax", max_age=conf.api.refresh_token_validity, path="/api/") | ||
self.set_cookie("refresh-token", refresh_token, httponly=True, secure=True, samesite="Lax", max_age=conf.api.refresh_token_validity, path="/api/v1/auth/refresh") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
from database.db import db | ||
from zero_totp_db_model.model import RefreshToken | ||
import datetime | ||
from environment import conf | ||
from uuid import uuid4 | ||
|
||
|
||
class RefreshTokenRepo: | ||
|
||
def create_refresh_token(self, user_id, jti, hashed_token, expiration=-1): | ||
expiration_timestamp = (datetime.datetime.now(datetime.UTC) + datetime.timedelta(seconds=conf.api.refresh_token_validity)).timestamp() if expiration == -1 else expiration | ||
id = str(uuid4()) | ||
rt = RefreshToken(id=id, user_id=user_id, jti=jti, hashed_token=hashed_token, expiration=expiration_timestamp) | ||
db.session.add(rt) | ||
db.session.commit() | ||
return rt | ||
|
||
|
||
def get_refresh_token_by_hash(self, hashed_token): | ||
return RefreshToken.query.filter_by(hashed_token=hashed_token).first() | ||
|
||
def revoke(self, id): | ||
rt = RefreshToken.query.filter_by(id=id).first() | ||
rt.revoke_timestamp = datetime.datetime.now(datetime.UTC).timestamp() | ||
db.session.commit() | ||
return rt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.