Commit 36768696 authored by Vincent Pelletier's avatar Vincent Pelletier

erp5_oauth2_authorisation: Do not edit OAuth2 Session on every refresh token issuance

Malevolent users may decide to only - and repeatedly - present an otherwise
valid refresh token, causing the issuance of a new access tokens everytime,
likely along with new refresh tokens, causing many ZODB writes.
Avoid this by pushing the token expiration date by one lifespan accuracy,
so there can only be one write per session per lifespan accuracy period.
parent d7c0baf1
......@@ -1179,8 +1179,9 @@ class OAuth2AuthorisationServerConnector(XMLObject):
algorithm=algorithm,
)
def generateRefreshToken(request):
erp5_client_value = request.client.erp5_client_value
session_value = request.user.erp5_session_value
expiration_timestamp = now + request.client.erp5_client_value.getRefreshTokenLifespan()
expiration_timestamp = now + erp5_client_value.getRefreshTokenLifespan()
session_expiration_date = session_value.getPolicyExpirationDate()
if session_expiration_date is not None:
expiration_timestamp = min(
......@@ -1192,7 +1193,9 @@ class OAuth2AuthorisationServerConnector(XMLObject):
session_refresh_token_expiration_date is None or
session_refresh_token_expiration_date < DateTime(expiration_timestamp)
):
session_value.setRefreshTokenExpirationDate(DateTime(expiration_timestamp))
session_value.setRefreshTokenExpirationDate(DateTime(
expiration_timestamp + erp5_client_value.getRefreshTokenLifespanAccuracy(),
))
_, algorithm, symetric_key = self.__getRefreshTokenKeyList()[0]
return jwt.encode(
{
......
......@@ -879,8 +879,12 @@ class TestOAuth2(ERP5TypeTestCase):
# OAuth2 Session is now validated
self.assertEqual(user_session.getValidationState(), 'validated')
expiration_date = int(user_session.getExpirationDate())
self.assertLessEqual(time_before + refresh_token_lifespan, expiration_date)
self.assertLessEqual(expiration_date, time_after + refresh_token_lifespan)
refresh_token_base_offset = (
refresh_token_lifespan +
oauth2_client_declaration_value.getRefreshTokenLifespanAccuracy()
)
self.assertLessEqual(time_before + refresh_token_base_offset, expiration_date)
self.assertLessEqual(expiration_date, time_after + refresh_token_base_offset)
# Request a new access token
status, header_dict, cookie_dict, body = self._query(
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment