Island: Add token type into token payload #3183

Closed
wants to merge 17 commits into from

VakarisZ (Contributor) commented Mar 31, 2023

Token type will make sure that access tokens can't get validated for refresh tokens and vice-versa

What does this PR do?

Fixes part of #3137.

Add any further explanations here.

PR Checklist

  • Have you added an explanation of what your changes do and why you'd like to include them?
  • Is the TravisCI build passing?
  • Was the CHANGELOG.md updated to reflect the changes?
  • Was the documentation framework updated to reflect the changes?
  • Have you checked that you haven't introduced any duplicate code?

Testing Checklist

  • Added relevant unit tests?
  • Do all unit tests pass?
  • Do all end-to-end tests pass?
  • Any other testing performed?

    Tested by {Running the Monkey locally with relevant config/running Island/...}

  • If applicable, add screenshots or log transcripts of the feature working

VakarisZ and others added 17 commits March 31, 2023 11:00
If a new refresh token is generated, even if the old token isn't expired yet,
the new one should be invalidated. We shouldn't have two valid refresh tokens
for a user.
We don't revoke old refresh tokens because they expire automatically
The key should be the same in requests and responses, it's best to have a constant for it
Co-authored-by: VakarisZ <36815064+VakarisZ@users.noreply.github.com>
Extracting token owner code and explicit validation better conveys the logic
This method checks for island api user registration, not registered agents. Also, authentication_facade.py shouldn't be coupled to mongodb syntax
Token type will make sure that access tokens can't get validated for refresh tokens and vice-versa
Comment on lines 65 to 66
self._refresh_token_validator.validate_token(refresh_token, token_type=TokenType.REFRESH)
user_uniquifier = self._refresh_token_validator.get_token_payload(refresh_token)
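Review bot: on line 66, get_token_payload(refresh_token) is called without a token_type, so the type check rests entirely on the separate validate_token(...) call on line 65 having run first. Nothing on these two lines ties the validation to the payload that is returned, and a caller who uses only the second call skips the check shown here. Consider having get_token_payload accept token_type=TokenType.REFRESH and validate before it returns, so the two steps cannot be separated.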
Contributor Author

This becomes a bit dangerous, because the user needs to call validate first. We could include the validation into payload retrieval. In that case, we should merge the TokenValidator and TokenGenerator into the TokenSerializer.
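
The design suggested in the comment above, shown as an added example that is not code from this PR or from the project: payload retrieval refuses to return anything until signature, expiry and token type have all been checked. The `TokenSerializer` body, the `TokenType.ACCESS` member, the HMAC-SHA256 token format and the `TokenValidationError` name are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from enum import Enum


class TokenType(Enum):
    ACCESS = "access"  # assumed member; only REFRESH appears in the PR excerpt
    REFRESH = "refresh"


class TokenValidationError(Exception):
    pass


class TokenSerializer:
    """Hypothetical merged generator/validator; not the Island's implementation."""

    def __init__(self, secret: bytes, ttl_sec: float):
        self._secret = secret
        self._ttl_sec = ttl_sec

    def _sign(self, body: bytes) -> bytes:
        mac = hmac.new(self._secret, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac)

    def generate(self, payload: str, token_type: TokenType, now: float = None) -> str:
        issued_at = time.time() if now is None else now
        claims = {"payload": payload, "type": token_type.value, "iat": issued_at}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + self._sign(body)).decode()

    def get_payload(self, token: str, token_type: TokenType, now: float = None) -> str:
        """Return the payload only after signature, expiry and type all check out."""
        body, sep, signature = token.encode().partition(b".")
        # Verify the MAC before parsing anything the caller supplied.
        if not sep or not hmac.compare_digest(signature, self._sign(body)):
            raise TokenValidationError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        current = time.time() if now is None else now
        if current - claims["iat"] > self._ttl_sec:
            raise TokenValidationError("expired")
        # The type is inside the signed body, so it cannot be swapped after issue.
        if claims.get("type") != token_type.value:
            raise TokenValidationError("wrong token type")
        return claims["payload"]
```

Because there is no separate validate step, a caller cannot obtain a payload from an access token where a refresh token is expected.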

@mssalvatore mssalvatore force-pushed the 3137-new-token-pair-endpoint branch from 315c23c to a2ce7d3 Compare April 3, 2023 15:39
Base automatically changed from 3137-new-token-pair-endpoint to develop April 3, 2023 15:41
@mssalvatore (Collaborator)

We went a different direction.

@mssalvatore mssalvatore deleted the 3137-token-types branch April 10, 2023 17:22
4 participants