
storage: make the access token expiration optional

This commit is contained in:
Quentin Gliech
2023-09-11 11:37:06 +02:00
parent e6b91c1ce4
commit 9c97a0c37a
11 changed files with 36 additions and 41 deletions


@ -177,10 +177,9 @@ impl OAuth2SessionMutations {
} }
let ttl = if permanent { let ttl = if permanent {
// XXX: that's lazy None
Duration::days(365 * 50)
} else { } else {
Duration::minutes(5) Some(Duration::minutes(5))
}; };
let access_token = repo let access_token = repo
.oauth2_access_token() .oauth2_access_token()
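Review bot: The `permanent` branch now yields `None`, i.e. a token with no expiry at all, but nothing in the hunk records that a non-expiring credential was issued, which is the event an operator would most want in an audit trail. If this handler already uses `tracing` the way the repository code in this commit does, a single `tracing::info!(permanent = true, "issuing access token without expiry");` in the `permanent` arm would make these issuances visible. The removed `// XXX: that's lazy` comment could also be replaced by one that states the new meaning, e.g. `// None: the token never expires; only revocation can end it`. The enclosing method starts before the hunk.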


@ -13,7 +13,6 @@
// limitations under the License. // limitations under the License.
use axum::http::Request; use axum::http::Request;
use chrono::Duration;
use hyper::StatusCode; use hyper::StatusCode;
use mas_data_model::{AccessToken, Client, TokenType, User}; use mas_data_model::{AccessToken, Client, TokenType, User};
use mas_router::SimpleRoute; use mas_router::SimpleRoute;
@ -106,13 +105,7 @@ async fn start_oauth_session(
let access_token = repo let access_token = repo
.oauth2_access_token() .oauth2_access_token()
.add( .add(&mut rng, &state.clock, &session, access_token_str, None)
&mut rng,
&state.clock,
&session,
access_token_str,
Duration::minutes(5),
)
.await .await
.unwrap(); .unwrap();
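Review bot: `start_oauth_session` now creates a token with no expiry (the `None` in the `.add(...)` call) where it previously used a five-minute TTL, so whatever runs on top of this session no longer exercises an expiring token. The surrounding imports and the `.unwrap()` suggest this is a test module; if the TTL was incidental that is fine, but passing `Some(Duration::minutes(5))` and keeping the `use chrono::Duration;` import would preserve the previous coverage of the expiring path. The enclosing function starts before the hunk.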


@ -115,7 +115,7 @@ pub(crate) async fn generate_token_pair<R: RepositoryAccess>(
let access_token = repo let access_token = repo
.oauth2_access_token() .oauth2_access_token()
.add(rng, clock, session, access_token_str, ttl) .add(rng, clock, session, access_token_str, Some(ttl))
.await?; .await?;
let refresh_token = repo let refresh_token = repo


@ -529,7 +529,7 @@ async fn client_credentials_grant(
let access_token = repo let access_token = repo
.oauth2_access_token() .oauth2_access_token()
.add(rng, clock, &session, access_token_str, ttl) .add(rng, clock, &session, access_token_str, Some(ttl))
.await?; .await?;
let mut params = AccessTokenResponse::new(access_token.access_token).with_expires_in(ttl); let mut params = AccessTokenResponse::new(access_token.access_token).with_expires_in(ttl);


@ -43,7 +43,7 @@
false, false,
false, false,
false, false,
false, true,
true, true,
false false
] ]


@ -1,17 +0,0 @@
{
"db_name": "PostgreSQL",
"query": "\n INSERT INTO oauth2_sessions\n ( oauth2_session_id\n , oauth2_client_id\n , scope_list\n , created_at\n )\n VALUES ($1, $2, $3, $4)\n ",
"describe": {
"columns": [],
"parameters": {
"Left": [
"Uuid",
"Uuid",
"TextArray",
"Timestamptz"
]
},
"nullable": []
},
"hash": "6554d3620a5f7fb0e85af44e8a21c2f2f3ebe4b805ec67aca4a2278a8ae16693"
}


@ -43,7 +43,7 @@
false, false,
false, false,
false, false,
false, true,
true, true,
false false
] ]


@ -0,0 +1,19 @@
-- Copyright 2023 The Matrix.org Foundation C.I.C.
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
-- This makes the `expires_at` column nullable on the `oauth2_access_tokens`.
-- This is to allow permanent tokens to be created via the admin API.
ALTER TABLE oauth2_access_tokens
ALTER COLUMN expires_at DROP NOT NULL;
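Review bot: The migration comment explains why `expires_at` becomes nullable but not what a NULL means to readers of the table, and the Rust side in this commit treats it as "never expires". Stating that at the column level avoids a later query of the form `WHERE expires_at > now()` silently excluding permanent tokens, or a cleanup job treating NULL as stale. Suggest appending `-- A NULL expires_at means the token never expires; it can only be ended by setting revoked_at.` after the existing comment. Any existing query that filters on `expires_at` would need the `expires_at IS NULL OR ...` form; those queries are not in this diff, so I cannot confirm whether they were reviewed.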


@ -42,7 +42,7 @@ struct OAuth2AccessTokenLookup {
oauth2_session_id: Uuid, oauth2_session_id: Uuid,
access_token: String, access_token: String,
created_at: DateTime<Utc>, created_at: DateTime<Utc>,
expires_at: DateTime<Utc>, expires_at: Option<DateTime<Utc>>,
revoked_at: Option<DateTime<Utc>>, revoked_at: Option<DateTime<Utc>>,
} }
@ -59,7 +59,7 @@ impl From<OAuth2AccessTokenLookup> for AccessToken {
session_id: value.oauth2_session_id.into(), session_id: value.oauth2_session_id.into(),
access_token: value.access_token, access_token: value.access_token,
created_at: value.created_at, created_at: value.created_at,
expires_at: Some(value.expires_at), expires_at: value.expires_at,
} }
} }
} }
@ -146,10 +146,10 @@ impl<'c> OAuth2AccessTokenRepository for PgOAuth2AccessTokenRepository<'c> {
clock: &dyn Clock, clock: &dyn Clock,
session: &Session, session: &Session,
access_token: String, access_token: String,
expires_after: Duration, expires_after: Option<Duration>,
) -> Result<AccessToken, Self::Error> { ) -> Result<AccessToken, Self::Error> {
let created_at = clock.now(); let created_at = clock.now();
let expires_at = created_at + expires_after; let expires_at = expires_after.map(|d| created_at + d);
let id = Ulid::from_datetime_with_source(created_at.into(), rng); let id = Ulid::from_datetime_with_source(created_at.into(), rng);
tracing::Span::current().record("access_token.id", tracing::field::display(id)); tracing::Span::current().record("access_token.id", tracing::field::display(id));
@ -177,7 +177,7 @@ impl<'c> OAuth2AccessTokenRepository for PgOAuth2AccessTokenRepository<'c> {
access_token, access_token,
session_id: session.id, session_id: session.id,
created_at, created_at,
expires_at: Some(expires_at), expires_at,
}) })
} }
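Review bot: `OAuth2AccessTokenLookup::expires_at` becomes `Option<DateTime<Utc>>` without any comment on what `None` means, and the `From` impl and `add` now pass that `Option` straight through, so the trait doc elsewhere in this commit is the only place the semantics live. A field comment such as `/// `None` means the token never expires; only `revoked_at` can end it.` would keep the repository self-explanatory for the next maintainer reading the lookup struct. The struct and the `add` method both start before their hunks.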


@ -270,7 +270,7 @@ mod tests {
&clock, &clock,
&session, &session,
"aabbcc".to_owned(), "aabbcc".to_owned(),
Duration::minutes(5), Some(Duration::minutes(5)),
) )
.await .await
.unwrap(); .unwrap();
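Review bot: The test only exercises the `Some(Duration::minutes(5))` path; the new `None` branch of `add`, which maps to a NULL `expires_at`, has no test, so a regression that wrote a default timestamp instead would go unnoticed. Suggest a second call in this test module, `.add(&mut rng, &clock, &session, "ddeeff".to_owned(), None)`, followed by `assert!(access_token.expires_at.is_none());`. The enclosing test function starts before the hunk.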


@ -66,7 +66,8 @@ pub trait OAuth2AccessTokenRepository: Send + Sync {
/// * `clock`: The clock used to generate timestamps /// * `clock`: The clock used to generate timestamps
/// * `session`: The session the access token is associated with /// * `session`: The session the access token is associated with
/// * `access_token`: The access token to add /// * `access_token`: The access token to add
/// * `expires_after`: The duration after which the access token expires /// * `expires_after`: The duration after which the access token expires. If
/// [`None`] the access token never expires
/// ///
/// # Errors /// # Errors
/// ///
@ -77,7 +78,7 @@ pub trait OAuth2AccessTokenRepository: Send + Sync {
clock: &dyn Clock, clock: &dyn Clock,
session: &Session, session: &Session,
access_token: String, access_token: String,
expires_after: Duration, expires_after: Option<Duration>,
) -> Result<AccessToken, Self::Error>; ) -> Result<AccessToken, Self::Error>;
/// Revoke an access token /// Revoke an access token
@ -126,7 +127,7 @@ repository_impl!(OAuth2AccessTokenRepository:
clock: &dyn Clock, clock: &dyn Clock,
session: &Session, session: &Session,
access_token: String, access_token: String,
expires_after: Duration, expires_after: Option<Duration>,
) -> Result<AccessToken, Self::Error>; ) -> Result<AccessToken, Self::Error>;
async fn revoke( async fn revoke(
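Review bot: The new doc sentence says a `None` `expires_after` never expires but does not say how such a token is ended, and since the trait declares `revoke` immediately below, pointing at it tells implementers and callers that revocation is the only termination. Suggest replacing the second added doc line with `/// [`None`] the access token never expires and stays valid until [`Self::revoke`] is called.`. The `repository_impl!` hunk at `@ -126` only mirrors the signature and needs no separate change.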