erp5_oauth2_authorisation: allow creating single-use refresh tokens

By default, refresh tokens generated using OAuth2 can be used as long as they
are valid. This commit introduces an option, which, when enabled, makes it
impossible to use already-used refresh tokens.

bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.py

@@ -90,6 +90,7 @@ from Products.ERP5Security.ERP5OAuth2ResourceServerPlugin import (
   JWT_PAYLOAD_ROLE_LIST_KEY,
   JWT_PAYLOAD_GROUP_LIST_KEY,
   JWT_PAYLOAD_SCOPE_LIST_KEY,
+  JWT_PAYLOAD_REFRESH_TOKEN_REVISION_KEY,
   JWT_CLAIM_NETWORK_LIST_KEY,
 )
 from ZPublisher.HTTPResponse import HTTPResponse
@@ -782,9 +783,20 @@ class _ERP5RequestValidator(RequestValidator):
     if session_value is not None:
       with super_user():
         session_client_id = session_value.getSourceId()
+        session_refresh_token_revision = session_value.getRefreshTokenRevision()
+
+      if client.erp5_client_value.isRefreshTokenSingleUse():
+        refresh_token_revision = self._authorisation_server_connector_value.getRevisionFromRefreshToken(
+          token=refresh_token,
+          request=request,
+        )
+        if session_refresh_token_revision != refresh_token_revision:
+          return False
+
       if session_client_id == client.client_id:
         request.user = _SessionUser(session_value)
         return True
+
     return False
 
   @staticmethod
@@ -1183,15 +1195,26 @@ class OAuth2AuthorisationServerConnector(XMLObject):
       ):
         session_value.setRefreshTokenExpirationDate(DateTime(expiration_timestamp))
       _, algorithm, symetric_key = self.__getRefreshTokenKeyList()[0]
+      jwt_payload = {
+        JWT_PAYLOAD_AUTHORISATION_SESSION_ID_KEY: session_value.getId(),
+      }
+
+      if request.client.erp5_client_value.isRefreshTokenSingleUse():
+        refresh_token_revision = session_value.getRefreshTokenRevision()
+        if refresh_token_revision is None:
+          refresh_token_revision = 1
+        else:
+          refresh_token_revision += 1
+        session_value.setRefreshTokenRevision(refresh_token_revision)
+        jwt_payload[JWT_PAYLOAD_REFRESH_TOKEN_REVISION_KEY] = refresh_token_revision
+
       return jwt.encode(
         {
           'exp': expiration_timestamp,
           'iss': request.client.client_id,
           'iat': now,
           JWT_CLAIM_NETWORK_LIST_KEY: session_value.getNetworkList(),
-          JWT_PAYLOAD_KEY: {
-            JWT_PAYLOAD_AUTHORISATION_SESSION_ID_KEY: session_value.getId(),
-          },
+          JWT_PAYLOAD_KEY: jwt_payload,
         },
         key=symetric_key,
         algorithm=algorithm,
@@ -1459,6 +1482,17 @@ class OAuth2AuthorisationServerConnector(XMLObject):
       if source_id == token_dict['iss']:
         return session_value
 
+  security.declarePrivate('getRevisionFromRefreshToken')
+  def getRevisionFromRefreshToken(self, token, request):
+    """
+    Does not check access permission.
+    """
+    try:
+      token_dict = self._getRefreshTokenDict(token, request)
+    except jwt.InvalidTokenError:
+      return
+    return token_dict[JWT_PAYLOAD_KEY][JWT_PAYLOAD_REFRESH_TOKEN_REVISION_KEY]
+
   security.declarePrivate('getSessionValueFromAccessToken')
   def getSessionValueFromAccessToken(self, token, request):
     """
@@ -1487,8 +1521,12 @@ class OAuth2AuthorisationServerConnector(XMLObject):
       refresh_token_dict = self._getRefreshTokenDict(refresh_token, request)
     except jwt.InvalidTokenError:
       return False
-    # XXX: allow refresh if exp - iat != getRefreshTokenLifespan (within some imprecision) ?
-    return time() - refresh_token_dict['iat'] > self[refresh_token_dict['iss']].getRefreshTokenLifespanAccuracy()
+    client_value = self[refresh_token_dict['iss']]
+    return (
+      client_value.isRefreshTokenSingleUse() or
+      # XXX: allow refresh if exp - iat != getRefreshTokenLifespan (within some imprecision) ?
+      time() - refresh_token_dict['iat'] > client_value.getRefreshTokenLifespanAccuracy()
+    )
 
   #
   #   Non-oauth2 methods, for use by ERP5 in the role of a resource server

bt5/erp5_oauth2_authorisation/PropertySheetTemplateItem/portal_property_sheets/OAuth2Client/refresh_token_single_use_property.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="Standard Property" module="erp5.portal_type"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>categories</string> </key>
+            <value>
+              <tuple>
+                <string>elementary_type/boolean</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>refresh_token_single_use_property</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_oauth2_authorisation/PropertySheetTemplateItem/portal_property_sheets/OAuth2Session/refresh_token_revision_property.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="Standard Property" module="erp5.portal_type"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>categories</string> </key>
+            <value>
+              <tuple>
+                <string>elementary_type/int</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>refresh_token_revision_property</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_oauth2_authorisation/SkinTemplateItem/portal_skins/erp5_oauth2_authorisation/OAuth2Client_view.xml

@@ -80,6 +80,7 @@
                         <string>my_redirect_uri_list</string>
                         <string>my_network_list</string>
                         <string>my_access_token_lifespan</string>
+                        <string>my_refresh_token_single_use</string>
                         <string>my_refresh_token_lifespan</string>
                         <string>my_refresh_token_lifespan_accuracy</string>
                         <string>my_oauth2_scope_list</string>

bt5/erp5_oauth2_authorisation/SkinTemplateItem/portal_skins/erp5_oauth2_authorisation/OAuth2Client_view/my_refresh_token_single_use.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="ProxyField" module="Products.ERP5Form.ProxyField"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>delegated_list</string> </key>
+            <value>
+              <list>
+                <string>title</string>
+              </list>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>my_refresh_token_single_use</string> </value>
+        </item>
+        <item>
+            <key> <string>message_values</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>external_validator_failed</string> </key>
+                    <value> <string>The input failed the external validator.</string> </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+        <item>
+            <key> <string>overrides</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>field_id</string> </key>
+                    <value> <string></string> </value>
+                </item>
+                <item>
+                    <key> <string>form_id</string> </key>
+                    <value> <string></string> </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+        <item>
+            <key> <string>tales</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>field_id</string> </key>
+                    <value> <string></string> </value>
+                </item>
+                <item>
+                    <key> <string>form_id</string> </key>
+                    <value> <string></string> </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+        <item>
+            <key> <string>values</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>field_id</string> </key>
+                    <value> <string>my_checkbox</string> </value>
+                </item>
+                <item>
+                    <key> <string>form_id</string> </key>
+                    <value> <string>Base_viewFieldLibrary</string> </value>
+                </item>
+                <item>
+                    <key> <string>title</string> </key>
+                    <value> <string>Refresh Token Single-use</string> </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_oauth2_authorisation/SkinTemplateItem/portal_skins/erp5_oauth2_authorisation/OAuth2Session_view.xml

@@ -97,6 +97,7 @@
                         <string>my_int_index</string>
                         <string>my_network_list</string>
                         <string>my_policy_expiration_date</string>
+                        <string>my_refresh_token_revision</string>
                         <string>my_refresh_token_expiration_date</string>
                         <string>my_expiration_date</string>
                         <string>my_translated_validation_state_title</string>

bt5/erp5_oauth2_authorisation/SkinTemplateItem/portal_skins/erp5_oauth2_authorisation/OAuth2Session_view/my_refresh_token_revision.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="ProxyField" module="Products.ERP5Form.ProxyField"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>delegated_list</string> </key>
+            <value>
+              <list>
+                <string>editable</string>
+                <string>title</string>
+              </list>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>my_refresh_token_revision</string> </value>
+        </item>
+        <item>
+            <key> <string>message_values</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>external_validator_failed</string> </key>
+                    <value> <string>The input failed the external validator.</string> </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+        <item>
+            <key> <string>overrides</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>field_id</string> </key>
+                    <value> <string></string> </value>
+                </item>
+                <item>
+                    <key> <string>form_id</string> </key>
+                    <value> <string></string> </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+        <item>
+            <key> <string>tales</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>field_id</string> </key>
+                    <value> <string></string> </value>
+                </item>
+                <item>
+                    <key> <string>form_id</string> </key>
+                    <value> <string></string> </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+        <item>
+            <key> <string>values</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>editable</string> </key>
+                    <value> <int>0</int> </value>
+                </item>
+                <item>
+                    <key> <string>field_id</string> </key>
+                    <value> <string>my_string_field</string> </value>
+                </item>
+                <item>
+                    <key> <string>form_id</string> </key>
+                    <value> <string>Base_viewFieldLibrary</string> </value>
+                </item>
+                <item>
+                    <key> <string>title</string> </key>
+                    <value> <string>Refresh Token Revision</string> </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>