OpenServer/OpenAuth_server
1
1
Fork 0
Code Issues Pull Requests Actions Releases Wiki Activity

Enforcing authorization_code vaild date check

Browse Source
This commit is contained in:
Fabian Stamm 2019-10-12 21:35:21 +02:00
parent f604f4f13d
commit a39d73537f
1 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/api/oauth/refresh.ts
View File

@ -13,12 +13,24 @@ import { JWTExpDur } from "../../keys";
import RefreshToken from "../../models/refresh_token"; import RefreshToken from "../../models/refresh_token";
import { getEncryptionKey } from "../../helper/user_key"; import { getEncryptionKey } from "../../helper/user_key";
// TODO:
/*
For example, the authorization server could employ refresh token
rotation in which a new refresh token is issued with every access
token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is
compromised and subsequently used by both the attacker and the
legitimate client, one of them will present an invalidated refresh
token, which will inform the authorization server of the breach.
*/
const refreshTokenValidTime = moment.duration(6, "month");
const RefreshTokenRoute = Stacker(GetClientAuthMiddleware(false, false, true), async (req: Request, res: Response) => { const RefreshTokenRoute = Stacker(GetClientAuthMiddleware(false, false, true), async (req: Request, res: Response) => {
let grant_type = req.query.grant_type || req.body.grant_type; let grant_type = req.query.grant_type || req.body.grant_type;
if (!grant_type || grant_type === "authorization_code") { if (!grant_type || grant_type === "authorization_code") {
let code = req.query.code || req.body.code; let code = req.query.code || req.body.code;
let c = await ClientCode.findOne({ code: code }) let c = await ClientCode.findOne({ code: code })
if (!c) { if (!c || moment(c.validTill).isBefore()) {
throw new RequestError(req.__("Invalid code"), HttpStatusCode.BAD_REQUEST); throw new RequestError(req.__("Invalid code"), HttpStatusCode.BAD_REQUEST);
} }
@ -33,7 +45,7 @@ const RefreshTokenRoute = Stacker(GetClientAuthMiddleware(false, false, true), a
permissions: c.permissions, permissions: c.permissions,
token: randomBytes(16).toString("hex"), token: randomBytes(16).toString("hex"),
valid: true, valid: true,
validTill: moment().add(6, "months").toDate() validTill: moment().add(refreshTokenValidTime).toDate()
}); });
await RefreshToken.save(token); await RefreshToken.save(token);
await ClientCode.delete(c); await ClientCode.delete(c);
@ -63,7 +75,11 @@ const RefreshTokenRoute = Stacker(GetClientAuthMiddleware(false, false, true), a
if (!refresh_token) throw new RequestError(req.__("refresh_token not set"), HttpStatusCode.BAD_REQUEST); if (!refresh_token) throw new RequestError(req.__("refresh_token not set"), HttpStatusCode.BAD_REQUEST);
let token = await RefreshToken.findOne({ token: refresh_token }); let token = await RefreshToken.findOne({ token: refresh_token });
if (!token) throw new RequestError(req.__("Invalid token"), HttpStatusCode.BAD_REQUEST); if (!token || !token.valid || moment(token.validTill).isBefore())
throw new RequestError(req.__("Invalid token"), HttpStatusCode.BAD_REQUEST);
token.validTill = moment().add(refreshTokenValidTime).toDate();
await RefreshToken.save(token);
let user = await User.findById(token.user); let user = await User.findById(token.user);
let client = await Client.findById(token.client) let client = await Client.findById(token.client)