authorFrederick Muriuki Muriithi2024-08-01 12:33:12 -0500
committerAlexander_Kabui2024-08-28 15:02:46 +0300
commitde69de2d6570837ea47dba5d11308c56c8cd86fb (patch)
tree68f931e87b6f2a6032c8a47249559f4ff0a48480 /gn2
parenta9a8ef79a10c58a514d5aac0b2b1c9000a57f9f8 (diff)
downloadgenenetwork2-de69de2d6570837ea47dba5d11308c56c8cd86fb.tar.gz
Use auto-created and auto-rotated JSON Web Keys
Use auto-created JWKs for better security.
Diffstat (limited to 'gn2')
-rw-r--r--gn2/default_settings.py6
-rw-r--r--gn2/wqflask/oauth2/toplevel.py10
2 files changed, 13 insertions, 3 deletions
diff --git a/gn2/default_settings.py b/gn2/default_settings.py
index e781f196..ab15dbe9 100644
--- a/gn2/default_settings.py
+++ b/gn2/default_settings.py
@@ -120,3 +120,9 @@ OAUTH2_CLIENT_SECRET="yadabadaboo"
 SESSION_TYPE = "redis"
 SESSION_PERMANENT = True
 SESSION_USE_SIGNER = True
+
+
+# BEGIN: JSON WEB KEYS #####
+JWKS_ROTATION_AGE_DAYS = 7 # Days (from creation) to keep a JWK in use.
+JWKS_DELETION_AGE_DAYS = 14 # Days (from creation) to keep a JWK around before deleting it.
+# END: JSON WEB KEYS #####
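Review bot: The two new settings carry an implicit ordering invariant that the comments do not state: a key must stop being used for signing before it is deleted, so `JWKS_DELETION_AGE_DAYS` has to exceed `JWKS_ROTATION_AGE_DAYS`, and the gap between them has to cover the longest lifetime of any token signed with the retiring key, since a verifier that fetches the public key set after deletion can no longer validate such a token. Nothing in this diff reads `JWKS_DELETION_AGE_DAYS` (only the rotation age is consumed, in toplevel.py), so if the jwks module enforces the ordering that is not visible here. I would extend the second comment to `# Days (from creation) to keep a JWK around before deleting it. Must exceed JWKS_ROTATION_AGE_DAYS by at least the maximum lifetime of a token signed with the key.`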
diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index 210b0756..7ee0773d 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -13,6 +13,7 @@ from flask import (flash,
                    render_template,
                    current_app as app)
 
+from . import jwks
 from . import session
 from .checks import require_oauth2
 from .request_utils import user_details, process_error
@@ -34,7 +35,9 @@ def authorisation_code():
     code = request.args.get("code", "")
     if bool(code):
         base_url = urlparse(request.base_url, scheme=request.scheme)
-        jwtkey = app.config["SSL_PRIVATE_KEY"]
+        jwtkey = jwks.newest_jwk_with_rotation(
+            jwks.jwks_directory(app, "GN2_SECRETS"),
+            int(app.config["JWKS_ROTATION_AGE_DAYS"]))
         issued = datetime.datetime.now()
         request_data = {
             "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
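Review bot: The literal `"GN2_SECRETS"` naming the config entry for the secrets directory is passed to `jwks.jwks_directory` here and again in `public_jwks` further down; a typo in one copy would silently make the two endpoints use different key directories, so hoist it into one module-level constant, e.g. `SECRETS_CONFIG_KEY = "GN2_SECRETS"`, and pass that at both sites. Rotation is also triggered lazily from the request path, so it is worth confirming that `newest_jwk_with_rotation` tolerates two requests crossing the rotation boundary at the same time without creating two keys; its body is not in this diff. `authorisation_code` begins before this hunk.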
@@ -81,7 +84,7 @@ def authorisation_code():
             return redirect("/")
 
         return no_token_post(
-            "auth/token", json=request_data).either(
+            "auth/token", data=request_data).either(
                 lambda err: __error__(process_error(err)), __success__)
     flash("AuthorisationError: No code was provided.", "alert-danger")
     return redirect("/")
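Review bot: Switching `no_token_post` from `json=request_data` to `data=request_data` changes the token request from a JSON body to a form-encoded one, which is a protocol change unrelated to the key rotation this commit describes and is not mentioned in its message. Presumably the auth server's token endpoint expects form encoding for the jwt-bearer grant, but a reader of this line cannot tell; add a comment such as `# auth/token expects a form-encoded body, not JSON` or call it out in the commit message. The enclosing `authorisation_code` starts and ends outside this hunk.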
@@ -92,5 +95,6 @@ def public_jwks():
     """Provide endpoint that returns the public keys."""
     return jsonify({
         "documentation": "Returns a static key for the time being. This will change.",
-        "jwks": KeySet([app.config["SSL_PRIVATE_KEY"]]).as_dict().get("keys")
+        "jwks": KeySet(jwks.list_jwks(
+            jwks.jwks_directory(app, "GN2_SECRETS"))).as_dict().get("keys")
     })
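Review bot: The keys returned by `jwks.list_jwks` come from the same directory that supplies the signing key `jwtkey` in `authorisation_code`, so this public endpoint is now serializing private signing keys; if `KeySet` is authlib's, `as_dict()` exports public parts only by default, but that assumption should be pinned explicitly with `as_dict(is_private=False)` so a future change cannot leak private material. The `"documentation"` string, `Returns a static key for the time being. This will change.`, is also now false since the endpoint serves the rotating key set; replace it with something like `"Returns the current set of public JSON Web Keys. Keys rotate periodically."`.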