Skip to content
This repository has been archived by the owner on Aug 26, 2022. It is now read-only.

Commit

Permalink
Renew access token every 12 hours. (#8026)
Browse files Browse the repository at this point in the history
* Renew access token every 12 hours.

* lint

* lint

Co-authored-by: Florian Dieminger <[email protected]>
  • Loading branch information
akatsoulas and fiji-flo authored Jan 12, 2022
1 parent 20857c3 commit 0ab25fb
Show file tree
Hide file tree
Showing 3 changed files with 41 additions and 16 deletions.
2 changes: 1 addition & 1 deletion kuma/settings/common.py
Original file line number Diff line number Diff line change
Expand Up @@ -347,7 +347,7 @@ def _get_locales():
"FXA_VERIFY_URL", default="https://oauth.accounts.firefox.com/v1/verify"
)
# Set token re-check time to an hour in seconds
FXA_TOKEN_EXPIRY = config("FXA_TOKEN_EXPIRY", default=3600)
FXA_TOKEN_EXPIRY = config("FXA_TOKEN_EXPIRY", default=43200)
FXA_SET_ISSUER = config("FXA_SET_ISSUER", default="https://accounts.firefox.com")
FXA_SET_ID_PREFIX = config(
"FXA_SET_ID_PREFIX", default="https://schemas.accounts.firefox.com/event/"
Expand Down
27 changes: 27 additions & 0 deletions kuma/users/auth.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import time

import requests
from django.conf import settings
from django.contrib.auth import get_user_model
from mozilla_django_oidc.auth import OIDCAuthenticationBackend
Expand All @@ -20,6 +21,32 @@ def get_token(self, payload):
self.refresh_token = token_info.get("refresh_token")
return token_info

@classmethod
def refresh_access_token(cls, refresh_token, ttl=None):
"""Gets a new access_token by using a refresh_token.
returns: the actual token or an empty dictionary
"""

if not refresh_token:
return {}

obj = cls()
payload = {
"client_id": obj.OIDC_RP_CLIENT_ID,
"client_secret": obj.OIDC_RP_CLIENT_SECRET,
"grant_type": "refresh_token",
"refresh_token": refresh_token,
}

if ttl:
payload.update({"ttl": ttl})

try:
return obj.get_token(payload=payload)
except requests.exceptions.HTTPError:
return {}

def filter_users_by_claims(self, claims):
user_model = get_user_model()

Expand Down
28 changes: 13 additions & 15 deletions kuma/users/middleware.py
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
import time

import requests
from django.conf import settings
from django.contrib.auth import logout
from django.core.exceptions import MiddlewareNotUsed
from mozilla_django_oidc.middleware import SessionRefresh

from kuma.users.auth import KumaOIDCAuthenticationBackend


class ValidateAccessTokenMiddleware(SessionRefresh):
"""Validate the access token every hour.
Expand All @@ -27,23 +28,20 @@ def process_request(self, request):
expiration = request.session.get("oidc_id_token_expiration", 0)
now = time.time()
access_token = request.session.get("oidc_access_token")
profile = request.user.userprofile

if access_token and expiration < now:

response_token_info = (
requests.post(settings.FXA_VERIFY_URL, data={"token": access_token})
).json()

# if the token is not verified, log the user out
if (
response_token_info.get("code") == 400
and response_token_info.get("message") == "Invalid token"
):
profile = request.user.userprofile
profile.fxa_refresh_token = ""
profile.save()
logout(request)
else:
token_info = KumaOIDCAuthenticationBackend.refresh_access_token(
profile.fxa_refresh_token
)
new_access_token = token_info.get("access_token")
if new_access_token:
request.session["oidc_access_token"] = new_access_token
request.session["oidc_id_token_expiration"] = (
now + settings.FXA_TOKEN_EXPIRY
)
else:
profile.fxa_refresh_token = ""
profile.save()
logout(request)

0 comments on commit 0ab25fb

Please sign in to comment.