From e29ce489714e04d3c2d8b40d064b88c233b6b214 Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Mon, 6 Sep 2021 21:06:12 +0200
Subject: [PATCH] refresh token expiry check
---
 auth.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/auth.py b/auth.py
index 22b3d52..ab4c594 100755
--- a/auth.py
+++ b/auth.py
@@ -38,6 +38,9 @@ except KeyError:
 class NoUserException(Exception):
 pass
+class RefreshTokenExpiredException(Exception):
+ pass
+
 class NoTokenException(Exception):
 pass
@@ -323,7 +326,8 @@ def refreshTokens(**args):
 refreshTokenObj = jwt.decode(refreshToken, JWT_PUB_KEY)
 logger.info(str(refreshTokenObj))
- # FIXME: token expiry check
+ if refreshTokenObj["exp"] < int(time.time()):
+ throw RefreshTokenExpiredException()
 checkAndInvalidateRefreshToken(refreshTokenObj["sub"], refreshTokenObj["xid"], refreshTokenObj["xal"])
@@ -336,6 +340,9 @@ def refreshTokens(**args):
 except JWTError as e:
 logger.error("jwt.decode failed: {}".format(e))
 raise werkzeug.exceptions.Unauthorized()
+ except RefreshTokenExpiredException:
+ logger.error("refresh token expired")
+ raise werkzeug.exceptions.Unauthorized()
 except NoTokenException:
 logger.error("no token created/found")
 raise werkzeug.exceptions.Unauthorized()
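Review bot: `throw RefreshTokenExpiredException()` in the second hunk (refreshTokens) is not valid Python, so auth.py fails with a SyntaxError when it is loaded and the new expiry check never runs; the line should read `raise RefreshTokenExpiredException()`. In the same hunk, `refreshTokenObj["exp"]` raises KeyError for a token that carries no `exp` claim, and none of the except clauses visible in the last hunk catches it, so such a token would likely surface as an unhandled error rather than a 401. Reading the claim with `exp = refreshTokenObj.get("exp")` and testing `if exp is None or exp < int(time.time()):` sends a missing claim down the same rejection path as an expired one. It is also worth confirming whether the `jwt.decode` call already verifies `exp` itself, in which case an expired token would arrive as a JWTError and this check would be a second line of defence. refreshTokens begins and ends outside the hunks, so handlers or imports (for example `time`) not shown here may change this picture.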