matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-31 09:24:31 +03:00
Code Activity

data-model: make the access token expiration optional

Browse Source
This commit is contained in:
Quentin Gliech
2023-09-11 11:16:12 +02:00
parent 83ca90ee3d
commit e6b91c1ce4
6 changed files with 79 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
crates/data-model/src/compat/session.rs
View File

@ -29,7 +29,7 @@ pub enum CompatSessionState {
} }
impl CompatSessionState { impl CompatSessionState {
/// Returns `true` if the compta session state is [`Valid`]. /// Returns `true` if the compat session state is [`Valid`].
/// ///
/// [`Valid`]: CompatSessionState::Valid /// [`Valid`]: CompatSessionState::Valid
#[must_use] #[must_use]
@ -37,7 +37,7 @@ impl CompatSessionState {
matches!(self, Self::Valid) matches!(self, Self::Valid)
} }
/// Returns `true` if the compta session state is [`Finished`]. /// Returns `true` if the compat session state is [`Finished`].
/// ///
/// [`Finished`]: CompatSessionState::Finished /// [`Finished`]: CompatSessionState::Finished
#[must_use] #[must_use]
@ -45,6 +45,17 @@ impl CompatSessionState {
matches!(self, Self::Finished { .. }) matches!(self, Self::Finished { .. })
} }
/// Transitions the session state to [`Finished`].
///
/// # Parameters
///
/// * `finished_at` - The time at which the session was finished.
///
/// # Errors
///
/// Returns an error if the session state is already [`Finished`].
///
/// [`Finished`]: CompatSessionState::Finished
pub fn finish(self, finished_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> { pub fn finish(self, finished_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> {
match self { match self {
Self::Valid => Ok(Self::Finished { finished_at }), Self::Valid => Ok(Self::Finished { finished_at }),
@ -80,6 +91,15 @@ impl std::ops::Deref for CompatSession {
} }
impl CompatSession { impl CompatSession {
/// Marks the session as finished.
///
/// # Parameters
///
/// * `finished_at` - The time at which the session was finished.
///
/// # Errors
///
/// Returns an error if the session is already finished.
pub fn finish(mut self, finished_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> { pub fn finish(mut self, finished_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> {
self.state = self.state.finish(finished_at)?; self.state = self.state.finish(finished_at)?;
Ok(self) Ok(self)

28
crates/data-model/src/oauth2/session.rs
View File

@ -19,14 +19,6 @@ use ulid::Ulid;
use crate::InvalidTransitionError; use crate::InvalidTransitionError;
trait T {
type State;
}
impl T for Session {
type State = SessionState;
}
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize)] #[derive(Debug, Clone, Default, PartialEq, Eq, Serialize)]
pub enum SessionState { pub enum SessionState {
#[default] #[default]
@ -53,6 +45,17 @@ impl SessionState {
matches!(self, Self::Finished { .. }) matches!(self, Self::Finished { .. })
} }
/// Transitions the session state to [`Finished`].
///
/// # Parameters
///
/// * `finished_at` - The time at which the session was finished.
///
/// # Errors
///
/// Returns an error if the session state is already [`Finished`].
///
/// [`Finished`]: SessionState::Finished
pub fn finish(self, finished_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> { pub fn finish(self, finished_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> {
match self { match self {
Self::Valid => Ok(Self::Finished { finished_at }), Self::Valid => Ok(Self::Finished { finished_at }),
@ -81,6 +84,15 @@ impl std::ops::Deref for Session {
} }
impl Session { impl Session {
/// Marks the session as finished.
///
/// # Parameters
///
/// * `finished_at` - The time at which the session was finished.
///
/// # Errors
///
/// Returns an error if the session is already finished.
pub fn finish(mut self, finished_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> { pub fn finish(mut self, finished_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> {
self.state = self.state.finish(finished_at)?; self.state = self.state.finish(finished_at)?;
Ok(self) Ok(self)

33
crates/data-model/src/tokens.rs
View File

@ -62,7 +62,7 @@ pub struct AccessToken {
pub session_id: Ulid, pub session_id: Ulid,
pub access_token: String, pub access_token: String,
pub created_at: DateTime<Utc>, pub created_at: DateTime<Utc>,
pub expires_at: DateTime<Utc>, pub expires_at: Option<DateTime<Utc>>,
} }
impl AccessToken { impl AccessToken {
@ -71,11 +71,40 @@ impl AccessToken {
self.id.to_string() self.id.to_string()
} }
/// Whether the access token is valid, i.e. not revoked and not expired
///
/// # Parameters
///
/// * `now` - The current time
#[must_use] #[must_use]
pub fn is_valid(&self, now: DateTime<Utc>) -> bool { pub fn is_valid(&self, now: DateTime<Utc>) -> bool {
self.state.is_valid() && self.expires_at > now self.state.is_valid() && !self.is_expired(now)
} }
/// Whether the access token is expired
///
/// Always returns `false` if the access token does not have an expiry time.
///
/// # Parameters
///
/// * `now` - The current time
#[must_use]
pub fn is_expired(&self, now: DateTime<Utc>) -> bool {
match self.expires_at {
Some(expires_at) => expires_at < now,
None => false,
}
}
/// Mark the access token as revoked
///
/// # Parameters
///
/// * `revoked_at` - The time at which the access token was revoked
///
/// # Errors
///
/// Returns an error if the access token is already revoked
pub fn revoke(mut self, revoked_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> { pub fn revoke(mut self, revoked_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> {
self.state = self.state.revoke(revoked_at)?; self.state = self.state.revoke(revoked_at)?;
Ok(self) Ok(self)

6
crates/graphql/src/mutations/oauth2_session.rs
View File

@ -187,7 +187,9 @@ impl OAuth2SessionMutations {
.add(&mut rng, &clock, &session, access_token, ttl) .add(&mut rng, &clock, &session, access_token, ttl)
.await?; .await?;
let refresh_token = if !permanent { let refresh_token = if permanent {
None
} else {
let refresh_token = TokenType::RefreshToken.generate(&mut rng); let refresh_token = TokenType::RefreshToken.generate(&mut rng);
let refresh_token = repo let refresh_token = repo
@ -196,8 +198,6 @@ impl OAuth2SessionMutations {
.await?; .await?;
Some(refresh_token) Some(refresh_token)
} else {
None
}; };
Ok(CreateOAuth2SessionPayload { Ok(CreateOAuth2SessionPayload {

2
crates/handlers/src/oauth2/introspection.rs
View File

@ -209,7 +209,7 @@ pub(crate) async fn post(
client_id: Some(session.client_id.to_string()), client_id: Some(session.client_id.to_string()),
username, username,
token_type: Some(OAuthTokenTypeHint::AccessToken), token_type: Some(OAuthTokenTypeHint::AccessToken),
exp: Some(token.expires_at), exp: token.expires_at,
iat: Some(token.created_at), iat: Some(token.created_at),
nbf: Some(token.created_at), nbf: Some(token.created_at),
sub, sub,

4
crates/storage-pg/src/oauth2/access_token.rs
View File

@ -59,7 +59,7 @@ impl From<OAuth2AccessTokenLookup> for AccessToken {
session_id: value.oauth2_session_id.into(), session_id: value.oauth2_session_id.into(),
access_token: value.access_token, access_token: value.access_token,
created_at: value.created_at, created_at: value.created_at,
expires_at: value.expires_at, expires_at: Some(value.expires_at),
} }
} }
} }
@ -177,7 +177,7 @@ impl<'c> OAuth2AccessTokenRepository for PgOAuth2AccessTokenRepository<'c> {
access_token, access_token,
session_id: session.id, session_id: session.id,
created_at, created_at,
expires_at, expires_at: Some(expires_at),
}) })
} }