Skip to content
This repository has been archived by the owner on Jun 12, 2024. It is now read-only.

Security: login_required decorator never validates token expiry #16

Open
miceg opened this issue Apr 2, 2024 · 0 comments
Open

Security: login_required decorator never validates token expiry #16

miceg opened this issue Apr 2, 2024 · 0 comments

Comments

@miceg
Copy link

miceg commented Apr 2, 2024

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Sample views in this project are wrapped with a @login_required decorator:

ms-identity-python-django-tutorial/1-Authentication/sign-in/Sample/views.py

Lines 10 to 15 in bda4319

@ms_identity_web.login_required
def token_details(request):
return render(request, 'auth/token.html')
@ms_identity_web.login_required
def call_ms_graph(request):

That login_required decorator isn't as robust as Django's normal login_required decorator. It notes that checking token expiry is not implemented:

https://github.com/Azure-Samples/ms-identity-python-samples-common/blob/9b32cef36c6c0b73c1b3237fdd66128d89f90a62/ms_identity_web/__init__.py#L278-L291

identity_context_data is stored in a Django session (DjangoContextAdapter), which itself says "the following class is incomplete":

https://github.com/Azure-Samples/ms-identity-python-samples-common/blob/9b32cef36c6c0b73c1b3237fdd66128d89f90a62/ms_identity_web/adapters.py#L222-L223

This sample (and library code) allows established MS Identity sessions to live forever, as long as you can get Django to extend the session's lifetime (which it does whenever "saving" to the session) at least (by default) every 2 weeks.

This doesn't affect the use of the token with APIs that validate the expiry time.

Expected/desired behavior

Using an expired authentication token should not work on views with the @login_required decorator.

OS and Version?

any/all

Versions

Using current main branch of ms-identity-samples-common and ms-identity-python-django-tutorial.

Mention any other details that might be useful

While the bug is in https://github.com/Azure-Samples/ms-identity-python-samples-common/, this decorator only appears to be used in the context of this sample.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@miceg