matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-29 22:01:14 +03:00
Code Activity

Remove the last authentication from the browser session model

Browse Source
This commit is contained in:
Quentin Gliech
2023-07-19 15:31:17 +02:00
parent 7e82ae845c
commit 802cf142fd
24 changed files with 325 additions and 204 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
crates/handlers/src/oauth2/authorization/complete.rs
View File

@ -27,7 +27,8 @@ use mas_policy::PolicyFactory;
use mas_router::{PostAuthAction, Route, UrlBuilder};
use mas_storage::{
oauth2::{OAuth2AuthorizationGrantRepository, OAuth2ClientRepository, OAuth2SessionRepository},
BoxClock, BoxRepository, BoxRng,
user::BrowserSessionRepository,
BoxClock, BoxRepository, BoxRng, RepositoryAccess,
};
use mas_templates::Templates;
use oauth2_types::requests::AuthorizationResponse;
@ -194,10 +195,16 @@ pub(crate) async fn complete(
}
// Check if the authentication is fresh enough
if !browser_session.was_authenticated_after(grant.max_auth_time()) {
let authentication = repo
.browser_session()
.get_last_authentication(&browser_session)
.await?;
let authentication = authentication.filter(|auth| auth.created_at > grant.max_auth_time());
let Some(valid_authentication) = authentication else {
repo.save().await?;
return Err(GrantCompletionError::RequiresReauth);
}
};
// Run through the policy
let mut policy = policy_factory.instantiate().await?;
@ -257,6 +264,7 @@ pub(crate) async fn complete(
&grant,
&browser_session,
None,
Some(&valid_authentication),
)?);
}

8
crates/handlers/src/oauth2/mod.rs
View File

@ -16,7 +16,8 @@ use std::collections::HashMap;
use chrono::Duration;
use mas_data_model::{
AccessToken, AuthorizationGrant, BrowserSession, Client, RefreshToken, Session, TokenType,
AccessToken, Authentication, AuthorizationGrant, BrowserSession, Client, RefreshToken, Session,
TokenType,
};
use mas_iana::jose::JsonWebSignatureAlg;
use mas_jose::{
@ -60,6 +61,7 @@ pub(crate) fn generate_id_token(
grant: &AuthorizationGrant,
browser_session: &BrowserSession,
access_token: Option<&AccessToken>,
last_authentication: Option<&Authentication>,
) -> Result<String, IdTokenSignatureError> {
let mut claims = HashMap::new();
let now = clock.now();
@ -73,7 +75,7 @@ pub(crate) fn generate_id_token(
claims::NONCE.insert(&mut claims, nonce.clone())?;
}
if let Some(ref last_authentication) = browser_session.last_authentication {
if let Some(last_authentication) = last_authentication {
claims::AUTH_TIME.insert(&mut claims, last_authentication.created_at)?;
}
@ -113,7 +115,7 @@ pub(crate) async fn generate_token_pair<R: RepositoryAccess>(
let access_token = repo
.oauth2_access_token()
.add(rng, clock, session, access_token_str.clone(), ttl)
.add(rng, clock, session, access_token_str, ttl)
.await?;
let refresh_token = repo

6
crates/handlers/src/oauth2/token.rs
View File

@ -302,6 +302,11 @@ async fn authorization_code_grant(
.await?
.ok_or(RouteError::NoSuchBrowserSession)?;
let last_authentication = repo
.browser_session()
.get_last_authentication(&browser_session)
.await?;
let ttl = Duration::minutes(5);
let (access_token, refresh_token) =
generate_token_pair(&mut rng, clock, &mut repo, &session, ttl).await?;
@ -316,6 +321,7 @@ async fn authorization_code_grant(
&authz_grant,
&browser_session,
Some(&access_token),
last_authentication.as_ref(),
)?)
} else {
None

10
crates/handlers/src/upstream_oauth2/link.rs
View File

@ -214,9 +214,8 @@ pub(crate) async fn get(
.consume(&clock, upstream_session)
.await?;
let session = repo
.browser_session()
.authenticate_with_upstream(&mut rng, &clock, session, &link)
repo.browser_session()
.authenticate_with_upstream(&mut rng, &clock, &session, &link)
.await?;
cookie_jar = cookie_jar.set_session(&session);
@ -509,9 +508,8 @@ pub(crate) async fn post(
.consume(&clock, upstream_session)
.await?;
let session = repo
.browser_session()
.authenticate_with_upstream(&mut rng, &clock, session, &link)
repo.browser_session()
.authenticate_with_upstream(&mut rng, &clock, &session, &link)
.await?;
let cookie_jar = sessions_cookie

5
crates/handlers/src/views/account/password.rs
View File

@ -150,9 +150,8 @@ pub(crate) async fn post(
)
.await?;
let session = repo
.browser_session()
.authenticate_with_password(&mut rng, &clock, session, &user_password)
repo.browser_session()
.authenticate_with_password(&mut rng, &clock, &session, &user_password)
.await?;
let reply = render(&mut rng, &clock, templates.clone(), session, cookie_jar).await?;

5
crates/handlers/src/views/login.rs
View File

@ -250,9 +250,8 @@ async fn login(
.map_err(|_| FormError::Internal)?;
// And mark it as authenticated by the password
let user_session = repo
.browser_session()
.authenticate_with_password(&mut rng, clock, user_session, &user_password)
repo.browser_session()
.authenticate_with_password(&mut rng, clock, &user_session, &user_password)
.await
.map_err(|_| FormError::Internal)?;

5
crates/handlers/src/views/reauth.rs
View File

@ -147,9 +147,8 @@ pub(crate) async fn post(
};
// Mark the session as authenticated by the password
let session = repo
.browser_session()
.authenticate_with_password(&mut rng, &clock, session, &user_password)
repo.browser_session()
.authenticate_with_password(&mut rng, &clock, &session, &user_password)
.await?;
let cookie_jar = cookie_jar.set_session(&session);

5
crates/handlers/src/views/register.rs
View File

@ -209,9 +209,8 @@ pub(crate) async fn post(
let session = repo.browser_session().add(&mut rng, &clock, &user).await?;
let session = repo
.browser_session()
.authenticate_with_password(&mut rng, &clock, session, &user_password)
repo.browser_session()
.authenticate_with_password(&mut rng, &clock, &session, &user_password)
.await?;
repo.job()