author | Frederick Muriuki Muriithi | 2024-05-24 10:48:28 -0500 |
committer | Frederick Muriuki Muriithi | 2024-05-24 10:48:28 -0500 |
commit | 75ea3002799a6323c29da1ce36aa119b12469b61 (patch) | |
tree | 559fd5f7e90004ac460802d3ea4a66002c8b9a12 | |
parent | bc712d3c392895e549b019e3cbe20c9a9c687576 (diff) | |
Check whether a refresh token has been used before
Check whether a refresh token has been used before using it to
generate a new JWT token.
If the refresh token has been used previously, it should be revoked,
and an error raised.
As of this commit the actual revocation process hasn't been implemented.
-rw-r--r-- | gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
index 04908bc..e178c27 100644
--- a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
+++ b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
@@ -125,12 +125,26 @@ def link_child_token(conn: db.DbConnection, parenttoken: str, childtoken: str):
 "WHERE token=:parenttoken"),
 {"parenttoken": parent.token, "childtoken": childtoken})
- def __raise_error__(_error_msg_):
+ def __check_child__(parent):
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ ("SELECT * FROM jwt_refresh_tokens WHERE token=:parenttoken"),
+ {"parenttoken": parent.token})
+ results = cursor.fetchone()
+ if results["parent_of"] is not None:
+ return Left(
+ "Refresh token has been used before. Possibly nefarious "
+ "activity detected.")
+ return Right(parent)
+
+ def __revoke_and_raise_error__(_error_msg_):
+ revoke_refresh_token(conn, parenttoken)
 raise InvalidGrantError(_error_msg_)
 load_refresh_token(conn, parenttoken).maybe(
- Left("Token not found"), Right).either(
- __raise_error__, __link_to_child__)
+ Left("Token not found"), Right).then(
+ __check_child__).either(__revoke_and_raise_error__,
+ __link_to_child__)
 def is_refresh_token_valid(token: JWTRefreshToken, client: OAuth2Client) -> bool: |
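Review bot: The reuse check in `__check_child__` is a separate statement from the `UPDATE ... WHERE token=:parenttoken` that `__link_to_child__` runs after it (its `cursor.execute` sits above the hunk, as does `link_child_token`'s signature), so two concurrent refresh requests presenting the same token can both read `parent_of` as NULL and both obtain a child token without the reuse detection ever firing. Making the link itself the check closes that window: `... SET parent_of=:childtoken WHERE token=:parenttoken AND parent_of IS NULL` followed by `if cursor.rowcount == 0: return Left("Refresh token has been used before. ...")`. Separately, `__revoke_and_raise_error__` revokes only `parenttoken`, while the child already recorded in `parent_of` (and anything issued from it) stays usable; once the revocation the commit message defers is implemented, it should cover the whole chain descending from the parent. Also, `results["parent_of"]` assumes `fetchone()` returned a row — `load_refresh_token` found it just before, but `if results is None or results["parent_of"] is not None:` keeps a deletion in between on the `Left` path instead of raising `TypeError`.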