
Implement token revocation #95
Merged (4 commits), Jul 19, 2023

Conversation

jameswestman (Collaborator):

For tokens with a "jti" field, query the database to see if the token has been revoked. Also, log the time it was last used, to help debug and/or recognize suspicious activity.

There are two new endpoints, to list tokens (so the backend can show the last used time and whether a token is revoked) and to revoke tokens. The idea is for the backend to keep its own record of which tokens belong to which users, and invoke these endpoints on their behalf with its own token.

I've also added a config option to allow tokens to be prefixed. This makes it easier to recognize tokens that have been accidentally published.
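An added sketch in Rust of the checks the description lays out, written for this page rather than taken from flat-manager: the "jti" lookup against a revocation record, the last-used stamp on every successful check, the "tokenmanagement" scope required on the revoke path, and one assumed way of handling the configured token prefix. The `Claims` struct, the in-memory `TokenStore` and `strip_prefix` are assumptions standing in for the real decoded JWT, the diesel-backed table and the config option.

```rust
use std::collections::HashMap;

/// Decoded claims used here (hypothetical struct standing in for a parsed JWT).
#[derive(Debug, Clone)]
pub struct Claims { pub sub: String, pub scope: Vec<String>, pub jti: Option<String> }

/// Per-token row the database keeps, keyed by "jti".
#[derive(Debug, Clone, Default)]
pub struct TokenRecord { pub revoked: bool, pub last_used: Option<u64> }

#[derive(Debug, PartialEq)]
pub enum AuthError { Revoked, MissingScope, BadPrefix }
/// In-memory stand-in for the revocation table (constructed for this example).
#[derive(Default)]
pub struct TokenStore { records: HashMap<String, TokenRecord> }
impl TokenStore {
    /// Revoke `jti` on behalf of the backend; the caller's own token must hold
    /// the "tokenmanagement" scope the PR adds for the list/revoke endpoints.
    pub fn revoke(&mut self, caller: &Claims, jti: &str) -> Result<(), AuthError> {
        if !caller.scope.iter().any(|s| s == "tokenmanagement") {
            return Err(AuthError::MissingScope);
        }
        self.records.entry(jti.to_string()).or_default().revoked = true;
        Ok(())
    }

    /// Per-request check: a token with a "jti" is looked up and, if still valid,
    /// stamped with `now` (unix seconds); a token without one is not revocable here.
    pub fn check(&mut self, claims: &Claims, now: u64) -> Result<(), AuthError> {
        if let Some(jti) = &claims.jti {
            let rec = self.records.entry(jti.clone()).or_default();
            if rec.revoked { return Err(AuthError::Revoked); }
            rec.last_used = Some(now);
        }
        Ok(())
    }

    /// What the "list tokens" endpoint would report for one token ID.
    pub fn record(&self, jti: &str) -> Option<&TokenRecord> { self.records.get(jti) }
}

/// Assumed prefix handling: issued tokens carry `prefix` so leaked ones are easy
/// to recognise; validation strips it and rejects tokens that lack it.
pub fn strip_prefix<'a>(raw: &'a str, prefix: Option<&str>) -> Result<&'a str, AuthError> {
    match prefix {
        Some(p) => raw.strip_prefix(p).ok_or(AuthError::BadPrefix),
        None => Ok(raw),
    }
}
```

Note that a revoked token keeps the last-used timestamp from before revocation, which is the value worth surfacing when investigating a suspicious token.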

src/tokens.rs (outdated, resolved):
args: Json<TokenArgs>,
db: Data<Db>,
req: HttpRequest,
) -> impl Future<Item = HttpResponse, Error = ApiError> {
Review comment:

Any reason to not use the async keyword? It does more than just being eye candy.

jameswestman (Collaborator, Author):

We are using a very old version of Actix that uses futures 0.1, so the extra functions convert from std futures to the old ones with .compat().

token_ids: Vec<String>,
}

pub fn get_tokens(
Review comment:

As Jamie pointed out, this is just as async as the other function; why have two?

bilelmoussaoui (Member):

I would appreciate it if we could land #92 so we don't have to keep adding more "old" ways of doing things on the diesel side.

Commit messages:

This will allow us to check the database for revocations.

Check the database to see if a token ID has been revoked. Also, record
the timestamp of the last time a token was used, to help with debugging.

Also added a "tokenmanagement" scope and endpoints to list tokens and
revoke them.
@barthalion barthalion merged commit 7401c5d into flatpak:master Jul 19, 2023
6 checks passed