author | Frederick Muriuki Muriithi | 2024-05-24 10:48:28 -0500 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2024-05-24 10:48:28 -0500 |
commit | 75ea3002799a6323c29da1ce36aa119b12469b61 (patch) | |
tree | 559fd5f7e90004ac460802d3ea4a66002c8b9a12 /gn_auth/auth | |
parent | bc712d3c392895e549b019e3cbe20c9a9c687576 (diff) | |
download | gn-auth-75ea3002799a6323c29da1ce36aa119b12469b61.tar.gz |
Check whether a refresh token has been used before
Check whether a refresh token has been used before using it to
generate a new JWT token.
If the refresh token has been used previously, it should be revoked,
and an error raised.
As of this commit the actual revocation process hasn't been implemented.
Diffstat (limited to 'gn_auth/auth')
-rw-r--r-- | gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
index 04908bc..e178c27 100644
--- a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
+++ b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
@@ -125,12 +125,26 @@ def link_child_token(conn: db.DbConnection, parenttoken: str, childtoken: str):
 "WHERE token=:parenttoken"),
 {"parenttoken": parent.token, "childtoken": childtoken})
- def __raise_error__(_error_msg_):
+ def __check_child__(parent):
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ ("SELECT * FROM jwt_refresh_tokens WHERE token=:parenttoken"),
+ {"parenttoken": parent.token})
+ results = cursor.fetchone()
+ if results["parent_of"] is not None:
+ return Left(
+ "Refresh token has been used before. Possibly nefarious "
+ "activity detected.")
+ return Right(parent)
+
+ def __revoke_and_raise_error__(_error_msg_):
+ revoke_refresh_token(conn, parenttoken)
 raise InvalidGrantError(_error_msg_)
 load_refresh_token(conn, parenttoken).maybe(
- Left("Token not found"), Right).either(
- __raise_error__, __link_to_child__)
+ Left("Token not found"), Right).then(
+ __check_child__).either(__revoke_and_raise_error__,
+ __link_to_child__)
 def is_refresh_token_valid(token: JWTRefreshToken, client: OAuth2Client) -> bool: |
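Review bot: The reuse check in `__check_child__` (reading `parent_of`) and the UPDATE that sets `parent_of` in `__link_to_child__` are two separate statements, so two concurrent refresh requests presenting the same token can both observe `parent_of` as NULL and both be issued a new token — the check-then-act gap defeats the reuse detection this hunk adds. Making the link itself conditional closes it: `UPDATE jwt_refresh_tokens SET parent_of=:childtoken WHERE token=:parenttoken AND parent_of IS NULL`, then `if cursor.rowcount == 0: raise InvalidGrantError(...)` (where the driver reports rowcount for UPDATE), with the SELECT in `__check_child__` kept only to tell "already used" apart from "not found". When reuse is detected, `revoke_refresh_token(conn, parenttoken)` should also cover the tokens descended from the parent through `parent_of`, since the newer token may already be in the wrong hands; the description says revocation is not implemented yet, so that belongs in the same change. The reuse branch is also worth a server-side log entry identifying the token (by id or hash, not the raw value) and the client before the `Left(...)` is returned, so the event reaches monitoring rather than only the caller. `link_child_token` and `__link_to_child__` begin before the hunk, and `__link_to_child__`'s UPDATE is outside it.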