aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2024-05-24 10:48:28 -0500
committerFrederick Muriuki Muriithi2024-05-24 10:48:28 -0500
commit75ea3002799a6323c29da1ce36aa119b12469b61 (patch)
tree559fd5f7e90004ac460802d3ea4a66002c8b9a12
parentbc712d3c392895e549b019e3cbe20c9a9c687576 (diff)
downloadgn-auth-75ea3002799a6323c29da1ce36aa119b12469b61.tar.gz
Check whether a refresh token has been used before
Check whether a refresh token has been used before using it to generate a new JWT token. If the refresh token has been used previously, it should be revoked, and an error raised. As of this commit the actual revocation process hasn't been implemented.
-rw-r--r--gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py20
1 files changed, 17 insertions, 3 deletions
diff --git a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
index 04908bc..e178c27 100644
--- a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
+++ b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
@@ -125,12 +125,26 @@ def link_child_token(conn: db.DbConnection, parenttoken: str, childtoken: str):
"WHERE token=:parenttoken"),
{"parenttoken": parent.token, "childtoken": childtoken})
- def __raise_error__(_error_msg_):
+ def __check_child__(parent):
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ ("SELECT * FROM jwt_refresh_tokens WHERE token=:parenttoken"),
+ {"parenttoken": parent.token})
+ results = cursor.fetchone()
+ if results["parent_of"] is not None:
+ return Left(
+ "Refresh token has been used before. Possibly nefarious "
+ "activity detected.")
+ return Right(parent)
+
+ def __revoke_and_raise_error__(_error_msg_):
+ revoke_refresh_token(conn, parenttoken)
raise InvalidGrantError(_error_msg_)
load_refresh_token(conn, parenttoken).maybe(
- Left("Token not found"), Right).either(
- __raise_error__, __link_to_child__)
+ Left("Token not found"), Right).then(
+ __check_child__).either(__revoke_and_raise_error__,
+ __link_to_child__)
def is_refresh_token_valid(token: JWTRefreshToken, client: OAuth2Client) -> bool: