Removal of Old Tokens/Codes

[nmohoric]

A client has requested that tokens/codes should no longer be usable if the same client has a newer one for that user, to allow for less possible attack vectors.

Before I begin implementing a solution I thought I would check here to see if:
a) this would be something you would be interested in merging in and, if so,
b) you had any preferences on implementation

I imagine the two possible solutions would be to set the old code/token to have expired long ago, or just delete it outright from the database.

Any feedback/suggestions/questions would be appreciated.

[juanifioren]

Hi @nmohoric

I already thought this topic so I'm interested. Have a few ideas about a possible implementation:

• Having a command cleartokens that remove expired codes/tokens from database.
• Add an action for the admin (read more).

I think deleting from database will be better.

Greetings.

[orzel]

I definitely think that a django command is needed for this, exactly as is already the case for (sessions) "clearsessions".
Actually, it seemed so obvious that I assumed such a command already existed. It's not difficult is it ? Would you merge it i implement it in management/commands/cleartokens.py ?

[orzel]

yes...? No .... ?

[orzel]

# Django
from django.core.management.base import BaseCommand
from django.utils import timezone

# Project
from oidc_provider.models import Token, Code

class Command(BaseCommand):
    help = 'Remove expired entries for Token and Code'

    def handle(self, *args, **options):
        now = timezone.now()
        old_tokens = Token.objects.filter(expires_at__lt=now)
        old_codes = Code.objects.filter(expires_at__lt=now)
        self.stdout.write(u'Removing %d old tokens and %d old codes.' % (
            old_tokens.count(),
            old_codes.count(),
        ))

        # do it
        old_tokens.delete()
        old_codes.delete()

        self.stdout.write(u'It remains %d tokens and %d codes.' % (
            Token.objects.count(),
            Code.objects.count(),
        ))

[juanifioren]

@orzel Hi! yes sorry. This feature is cool. But there is a problem. I want to create stats about token usage in the future. So this will remove those tokens, that are important info.

Example useful stat: Client A had 12k logins with different users in January 2017.