consider client ip

This commit is contained in:
Wolfgang Hottgenroth 2021-09-12 13:58:14 +02:00
parent 3541226964
commit 0d698568d4
Signed by: wn
GPG Key ID: E49AF3B9EF6DD469

62
auth.py
View File

@ -12,6 +12,7 @@ from loguru import logger
import configparser
import random
import string
from flask import request
DB_USER = ""
@ -123,7 +124,7 @@ def getUserEntryFromDB(application: str, login: str):
if conn:
conn.close()
def getRefreshTokenFromDB(application, login):
def getRefreshTokenFromDB(application, login, httpClientIp):
conn = None
cur = None
try:
@ -148,8 +149,8 @@ def getRefreshTokenFromDB(application, login):
with conn.cursor() as cur:
salt = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(64))
cur.execute('INSERT INTO token_t ("user", salt, expiry) VALUES (%s, %s, %s) RETURNING id',
(userObj[0], salt, userObj[1]))
cur.execute('INSERT INTO token_t ("user", salt, expiry, client_ip) VALUES (%s, %s, %s, %s) RETURNING id',
(userObj[0], salt, userObj[1], httpClientIp))
tokenObj = cur.fetchone()
logger.debug("tokenObj: {}".format(tokenObj))
if not tokenObj:
@ -195,9 +196,11 @@ def generateToken(func, **args):
else:
raise KeyError("Neither application, login and password nor encAleTuple given")
logger.debug(f"Tuple: {application} {login} {password}")
httpClientIp = request.remote_addr
return func(application, login, password)
logger.debug(f"Tuple: {application} {login} {password} {httpClientIp}")
return func(application, login, password, httpClientIp)
except NoTokenException:
logger.error("no token created")
raise werkzeug.exceptions.Unauthorized()
@ -221,7 +224,7 @@ def generateToken(func, **args):
raise werkzeug.exceptions.Unauthorized()
def _makeSimpleToken(application, login, password, refresh=False):
def _makeSimpleToken(application, login, password, httpClientIp, refresh=False):
userEntry = getUserEntry(application, login, password) if not refresh else getUserEntryFromDB(application, login)
timestamp = int(time.time())
@ -239,8 +242,8 @@ def _makeSimpleToken(application, login, password, refresh=False):
return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')
def _makeRefreshToken(application, login, password):
refreshTokenEntry = getRefreshTokenFromDB(application, login)
def _makeRefreshToken(application, login, password, httpClientIp):
refreshTokenEntry = getRefreshTokenFromDB(application, login, httpClientIp)
timestamp = int(time.time())
payload = {
@ -255,17 +258,17 @@ def _makeRefreshToken(application, login, password):
return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')
def _makeRefreshableTokens(application, login, password):
authToken = _makeSimpleToken(application, login, password)
refreshToken = _makeRefreshToken(application, login, password)
def _makeRefreshableTokens(application, login, password, httpClientIp):
authToken = _makeSimpleToken(application, login, password, httpClientIp)
refreshToken = _makeRefreshToken(application, login, password, httpClientIp)
return {
"authToken": authToken,
"refreshToken": refreshToken
}
def generateSimpleToken(**args):
return generateToken(_makeSimpleToken, **args)
return generateToken(_makeSimpleToken, **args)
def generateRefreshableTokens(**args):
return generateToken(_makeRefreshableTokens, **args)
@ -286,18 +289,19 @@ def testToken(user, token_info):
}
def checkAndInvalidateRefreshToken(login, xid, xal):
conn = None
cur = None
def checkAndInvalidateRefreshToken(login, xid, xal, httpClientIp):
try:
validTokenFound = False
conn = psycopg2.connect(user = DB_USER, password = DB_PASS,
host = DB_HOST, database = DB_NAME)
conn.autocommit = False
with conn:
with conn.cursor() as cur:
cur.execute('SELECT t.id FROM token_t t, user_t u' +
' WHERE t.id = %s AND ' +
cur.execute('SELECT t.id, t.client_ip FROM token_t t, user_t u' +
' WHERE t.valid = true AND ' +
' t.id = %s AND ' +
' t.salt = %s AND ' +
' t."user" = u.id AND ' +
' u.login = %s',
@ -310,9 +314,19 @@ def checkAndInvalidateRefreshToken(login, xid, xal):
if invObj:
raise ManyTokensException()
with conn.cursor() as cur:
cur.execute('UPDATE token_t SET used = used + 1 WHERE id = %s',
[ xid ])
if (tokenObj[1] == httpClientIp):
with conn.cursor() as cur:
cur.execute('UPDATE token_t SET used = used + 1 WHERE id = %s',
[ xid ])
validTokenFound = True
else:
logger.warning(f"Client IP in token {tokenObj[1]} and current one {httpClientIp} does not match")
with conn.cursor() as cur:
cur.execute('UPDATE token_t SET valid = false WHERE id = %s',
[ xid ])
if (not validTokenFound):
raise NoValidTokenException()
except psycopg2.Error as err:
raise Exception("Error when connecting to database: {}".format(err))
finally:
@ -326,13 +340,15 @@ def refreshTokens(**args):
refreshTokenObj = jwt.decode(refreshToken, JWT_PUB_KEY)
logger.info(str(refreshTokenObj))
httpClientIp = request.remote_addr
if refreshTokenObj["exp"] < int(time.time()):
raise RefreshTokenExpiredException()
checkAndInvalidateRefreshToken(refreshTokenObj["sub"], refreshTokenObj["xid"], refreshTokenObj["xal"])
checkAndInvalidateRefreshToken(refreshTokenObj["sub"], refreshTokenObj["xid"], refreshTokenObj["xal"], httpClientIp)
authToken = _makeSimpleToken(refreshTokenObj["xap"], refreshTokenObj["sub"], "", refresh=True)
refreshToken = _makeRefreshToken(refreshTokenObj["xap"], refreshTokenObj["sub"], "")
authToken = _makeSimpleToken(refreshTokenObj["xap"], refreshTokenObj["sub"], "", httpClientIp, refresh=True)
refreshToken = _makeRefreshToken(refreshTokenObj["xap"], refreshTokenObj["sub"], "", httpClientIp)
return {
"authToken": authToken,
"refreshToken": refreshToken