authorFrederick Muriuki Muriithi2024-05-24 10:48:28 -0500
committerFrederick Muriuki Muriithi2024-05-24 10:48:28 -0500
commit75ea3002799a6323c29da1ce36aa119b12469b61 (patch)
tree559fd5f7e90004ac460802d3ea4a66002c8b9a12 /gn_auth
parentbc712d3c392895e549b019e3cbe20c9a9c687576 (diff)
downloadgn-auth-75ea3002799a6323c29da1ce36aa119b12469b61.tar.gz
Check whether a refresh token has been used before
Check whether a refresh token has been used before using it to generate a new JWT token. If the refresh token has been used previously, it should be revoked, and an error raised. As of this commit the actual revocation process hasn't been implemented.
Diffstat (limited to 'gn_auth')
-rw-r--r--gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py20
1 files changed, 17 insertions, 3 deletions
diff --git a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
index 04908bc..e178c27 100644
--- a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
+++ b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
@@ -125,12 +125,26 @@ def link_child_token(conn: db.DbConnection, parenttoken: str, childtoken: str):
"WHERE token=:parenttoken"),
{"parenttoken": parent.token, "childtoken": childtoken})
- def __raise_error__(_error_msg_):
+ def __check_child__(parent):
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ ("SELECT * FROM jwt_refresh_tokens WHERE token=:parenttoken"),
+ {"parenttoken": parent.token})
+ results = cursor.fetchone()
+ if results["parent_of"] is not None:
+ return Left(
+ "Refresh token has been used before. Possibly nefarious "
+ "activity detected.")
+ return Right(parent)
+
+ def __revoke_and_raise_error__(_error_msg_):
+ revoke_refresh_token(conn, parenttoken)
raise InvalidGrantError(_error_msg_)
load_refresh_token(conn, parenttoken).maybe(
- Left("Token not found"), Right).either(
- __raise_error__, __link_to_child__)
+ Left("Token not found"), Right).then(
+ __check_child__).either(__revoke_and_raise_error__,
+ __link_to_child__)
def is_refresh_token_valid(token: JWTRefreshToken, client: OAuth2Client) -> bool:
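Review bot: The reuse check in `__check_child__` (the SELECT on `parent_of`) and the UPDATE in `__link_to_child__` are separate statements, so two concurrent refresh requests presenting the same token can both observe `parent_of` as NULL and both be linked to a child — exactly the reuse this hunk sets out to detect slips through under contention. Make the detection atomic by conditioning the link itself: change the UPDATE's filter to `"WHERE token=:parenttoken AND parent_of IS NULL"` and treat `cursor.rowcount == 0` after it as a reuse, keeping `__check_child__` only as an early out (its `results` also needs a `None` guard before `results["parent_of"]`, since `fetchone()` returns `None` if the row disappeared between `load_refresh_token` and this query). `__revoke_and_raise_error__` also fires for the `"Token not found"` Left, so `revoke_refresh_token` is invoked for a token that does not exist; consider revoking only on the reuse branch, and when revocation is implemented, revoke the whole descendant chain rather than only `parenttoken`, since the holder of the newest child is the one a detected reuse should cut off. Logging the reuse event where the Left is produced would make it visible to monitoring rather than only to the client that tripped it. `link_child_token` begins before this hunk and `__link_to_child__` is defined above it, so the UPDATE text is only partly visible here.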