refresh token expiry check

used instead of valid, token expiry check
expiry in token table
2021-09-06 21:06:12 +02:00 · 2021-09-06 18:19:39 +02:00 · 2021-09-03 19:35:30 +02:00
1 changed files with 15 additions and 7 deletions
--- a/auth.py
+++ b/auth.py
@ -38,6 +38,9 @@ except KeyError:
 class NoUserException(Exception): 
    pass
 class RefreshTokenExpiredException(Exception): 
    pass
 class NoTokenException(Exception): 
    pass
@ -145,8 +148,8 @@ def getRefreshTokenFromDB(application, login):
            with conn.cursor() as cur:
                salt = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(64))
-                cur.execute('INSERT INTO token_t ("user", salt)  VALUES (%s, %s) RETURNING id', 
+                cur.execute('INSERT INTO token_t ("user", salt, expiry)  VALUES (%s, %s, %s) RETURNING id', 
-                            (userObj[0], salt))
+                            (userObj[0], salt, userObj[1]))
                tokenObj = cur.fetchone()
                logger.debug("tokenObj: {}".format(tokenObj))
                if not tokenObj:
@ -297,19 +300,18 @@ def checkAndInvalidateRefreshToken(login, xid, xal):
                            '  WHERE t.id = %s AND ' +
                            '        t.salt = %s AND ' +
                            '        t."user" = u.id AND ' +
-                            '        u.login = %s AND ' +
+                            '        u.login = %s',
                            '        t.valid = true',
                            (xid, xal, login))
                tokenObj = cur.fetchone()
                logger.debug("tokenObj: {}".format(tokenObj))
                if not tokenObj:
-                    raise NoValidTokenException()
+                    raise NoTokenException()
                invObj = cur.fetchone()
                if invObj:
                    raise ManyTokensException()
            with conn.cursor() as cur:
-                cur.execute('UPDATE token_t SET valid = false WHERE id = %s', 
+                cur.execute('UPDATE token_t SET used = used + 1 WHERE id = %s', 
                            [ xid ])
    except psycopg2.Error as err:
        raise Exception("Error when connecting to database: {}".format(err))
@ -324,6 +326,9 @@ def refreshTokens(**args):
        refreshTokenObj = jwt.decode(refreshToken, JWT_PUB_KEY)
        logger.info(str(refreshTokenObj))
        if refreshTokenObj["exp"] < int(time.time()):
            throw RefreshTokenExpiredException()
        checkAndInvalidateRefreshToken(refreshTokenObj["sub"], refreshTokenObj["xid"], refreshTokenObj["xal"])
        authToken = _makeSimpleToken(refreshTokenObj["xap"], refreshTokenObj["sub"], "", refresh=True)
@ -335,8 +340,11 @@ def refreshTokens(**args):
    except JWTError as e:
        logger.error("jwt.decode failed: {}".format(e))
        raise werkzeug.exceptions.Unauthorized()
    except RefreshTokenExpiredException:
        logger.error("refresh token expired")
        raise werkzeug.exceptions.Unauthorized()
    except NoTokenException:
-        logger.error("no token created")
+        logger.error("no token created/found")
        raise werkzeug.exceptions.Unauthorized()
    except NoValidTokenException:
        logger.error("no valid token found")
Author	SHA1	Message	Date
Wolfgang Hottgenroth	e29ce48971	refresh token expiry check	2021-09-06 21:06:12 +02:00
Wolfgang Ludger Hottgenroth	7163db9ce9	used instead of valid, token expiry check	2021-09-06 18:19:39 +02:00
Wolfgang Ludger Hottgenroth	629a85fc3e	expiry in token table	2021-09-03 19:35:30 +02:00