Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a maximum ttl to auth:login #1318

Merged
merged 3 commits into from
Jun 11, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .kuzzlerc.sample
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,10 @@
// * gracePeriod:
// Duration in ms during which a renewed jwt is still
// considered valid
// * maxTTL:
// Maximum duration in milliseconds a token can be requested
// to be valid.
// If set to -1 (default), no maximum duration is set.
// * secret:
// String or buffer data containing either the secret for HMAC
// algorithms, or the PEM encoded private key for RSA and ECDSA.
Expand All @@ -158,6 +162,7 @@
"algorithm": "HS256",
"expiresIn": "1h",
"gracePeriod": 1000,
"maxTTL": -1,
"secret": null
},
// [default]
Expand Down
1 change: 1 addition & 0 deletions default.config.js
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@ module.exports = {
algorithm: 'HS256',
expiresIn: '1h',
gracePeriod: 1000,
maxTTL: -1,
secret: null
},
default: {
Expand Down
13 changes: 9 additions & 4 deletions lib/api/core/models/repositories/tokenRepository.js
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ const
Token = require('../security/token'),
Repository = require('./repository'),
{
BadRequestError,
InternalError: KuzzleInternalError,
UnauthorizedError
} = require('kuzzle-common-objects').errors;
Expand Down Expand Up @@ -71,12 +72,10 @@ class TokenRepository extends Repository {
/**
* @param {User} user
* @param {Request} request
* @param {object} opts
* @param {object} options
* @returns {*}
*/
generateToken(user, request, opts) {
const options = opts || {};

generateToken(user, request, options = {}) {
if (!user || user._id === null) {
return Bluebird.reject(new KuzzleInternalError('Unknown User : cannot generate token'));
}
Expand All @@ -94,6 +93,12 @@ class TokenRepository extends Repository {
}

const expiresIn = parseTimespan(options.expiresIn);

if (this.kuzzle.config.security.jwt.maxTTL > -1
&& expiresIn > this.kuzzle.config.security.jwt.maxTTL) {
return Bluebird.reject(new BadRequestError('expiresIn value exceeds maximum allowed value'));
}

let encodedToken;

try {
Expand Down
48 changes: 48 additions & 0 deletions test/api/core/models/repositories/tokenRepository.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ const
RequestContext = require('kuzzle-common-objects').models.RequestContext,
TokenRepository = require('../../../../../lib/api/core/models/repositories/tokenRepository'),
{
BadRequestError,
InternalError: KuzzleInternalError,
UnauthorizedError
} = require('kuzzle-common-objects').errors;
Expand Down Expand Up @@ -198,6 +199,53 @@ describe('Test: repositories/tokenRepository', () => {
return should(tokenRepository.generateToken(user, request))
.be.rejectedWith(KuzzleInternalError, {message: 'Unable to generate token for unknown user'});
});

it('should allow a big ttl if no maxTTL is set', () => {
const user = new User();
user._id = 'id';

const request = new Request({}, {
user,
connectionId: 'connectionId'
});

return tokenRepository.generateToken(user, request, {expiresIn: '1000y'})
.then(token => {
should(token).be.an.instanceOf(Token);
});
});

it('should allow a ttl lower than the maxTTL', () => {
const user = new User();
user._id = 'id';

const request = new Request({}, {
user,
connectionId: 'connectionId'
});

kuzzle.config.security.jwt.maxTTL = 42000;

return tokenRepository.generateToken(user, request, {expiresIn: '30s'})
.then(token => {
should(token).be.an.instanceOf(Token);
});
});

it('should reject if the ttl exceeds the maxTTL', () => {
const user = new User();
user._id = 'id';

const request = new Request({}, {
user,
connectionId: 'connectionId'
});

kuzzle.config.security.jwt.maxTTL = 42000;

return should(tokenRepository.generateToken(user, request, {expiresIn: '1m'}))
.be.rejectedWith(BadRequestError, {message: 'expiresIn value exceeds maximum allowed value'});
});
});

describe('#serializeToCache', () => {
Expand Down