This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Support expiry of refresh tokens and expiry of the overall session when refresh tokens are in use. #11425

Merged
merged 26 commits into from
Nov 26, 2021
Changes from 1 commit
Commits
26 commits
a29bf71
Add expiry_ts and ultimate_session_expiry_ts to refresh_tokens table
reivilibre Nov 18, 2021
88e5403
Use expiry_ts and ultimate_session_expiry_ts
reivilibre Nov 18, 2021
d26cf03
Return expiry and ultimate session expiry when looking up refresh tokens
reivilibre Nov 18, 2021
668ff10
Pass in both access and refresh token expiry times to `refresh_token`
reivilibre Nov 18, 2021
ee0310d
Enforce refresh token expiry
reivilibre Nov 18, 2021
21cb0c7
Add refresh_token_lifetime configuration option
reivilibre Nov 18, 2021
7e6d64e
Set up refresh token and ultimate session expiry on initial login
reivilibre Nov 18, 2021
db81406
Bound the lifetime of access and refresh tokens by the ultimate sessi…
reivilibre Nov 19, 2021
df26db6
Set validity correctly on refresh
reivilibre Nov 19, 2021
2ab9500
Some fixes around optional expiry
reivilibre Nov 22, 2021
f6d2e5a
Rename existing test to less confusing name
reivilibre Nov 22, 2021
8c5cb14
Add a test for refresh token expiry
reivilibre Nov 22, 2021
38adfbc
Factorise `use_refresh_token` function
reivilibre Nov 22, 2021
c72a7ed
Remove compatibility error between refresh tokens and session lifetimes
reivilibre Nov 24, 2021
f96c3c0
Add test for ultimate session expiry
reivilibre Nov 25, 2021
5322e1d
Antilint
reivilibre Nov 25, 2021
d83b8fe
Merge branch 'develop' into rei/expirable_refresh_tokens
reivilibre Nov 25, 2021
0d48026
Newsfile
reivilibre Nov 25, 2021
b5bdd97
Fixes falling out of the config option rename in develop
reivilibre Nov 25, 2021
87f5edf
Remove obsolete note and default about compatibility
reivilibre Nov 25, 2021
2e6ed28
Use constants for HTTP statuses in lieu of literals
reivilibre Nov 26, 2021
31d09e4
Document access_token_valid_until_ms
reivilibre Nov 26, 2021
29cee1d
Handle the case (on login) that session lifetime is shorter than toke…
reivilibre Nov 26, 2021
79cec6e
Try to make test_refresh_token_expiry clearer
reivilibre Nov 26, 2021
6b186a9
Check that refreshable access tokens arising from refresh have the co…
reivilibre Nov 26, 2021
430b305
Speak of refreshing the session rather than refreshing the access tok…
reivilibre Nov 26, 2021
Set up refresh token and ultimate session expiry on initial login
reivilibre committed Nov 22, 2021
commit 7e6d64ed82578f816338520f4aa5e23c3e7c2878
19 changes: 18 additions & 1 deletion synapse/handlers/register.py
Expand Up @@ -117,6 +117,7 @@ def __init__(self, hs: "HomeServer"):

self.session_lifetime = hs.config.registration.session_lifetime
self.access_token_lifetime = hs.config.registration.access_token_lifetime
self.refresh_token_lifetime = hs.config.registration.refresh_token_lifetime

init_counters_for_auth_provider("")

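Review bot: `refresh_token_lifetime` is read here next to `session_lifetime` and `access_token_lifetime`, but the fact that it may be None (meaning refresh tokens never expire on their own) is only discoverable from the `is not None` check further down in the login path; a short comment or an `Optional[int]` annotation on this line, e.g. `self.refresh_token_lifetime: Optional[int] = ...`, would document that contract where the attribute is defined.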
Expand Down Expand Up @@ -810,14 +811,30 @@ class and RegisterDeviceReplicationServlet.
access_token = self.macaroon_gen.generate_guest_access_token(user_id)
else:
if should_issue_refresh_token:
now_ms = self.clock.time_msec()

# Set the refresh token expiry time (if configured)
refresh_token_expiry = None
if self.refresh_token_lifetime is not None:
refresh_token_expiry = now_ms + self.refresh_token_lifetime

# Set an ultimate session expiry time (if configured)
ultimate_session_expiry_ts = None
if self.session_lifetime is not None:
ultimate_session_expiry_ts = now_ms + self.session_lifetime

# Set the expiry time of the refreshable access token
valid_until_ms = now_ms + self.access_token_lifetime

(
refresh_token,
refresh_token_id,
) = await self._auth_handler.create_refresh_token_for_user_id(
user_id,
device_id=registered_device_id,
expiry_ts=refresh_token_expiry,
ultimate_session_expiry_ts=ultimate_session_expiry_ts,
)
valid_until_ms = self.clock.time_msec() + self.access_token_lifetime

access_token = await self._auth_handler.create_access_token_for_user_id(
user_id,
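Review bot: the three expiry values in this hunk are each computed independently from `now_ms`, so when `session_lifetime` is shorter than `access_token_lifetime` or `refresh_token_lifetime` the access token (`valid_until_ms`) and the refresh token (`refresh_token_expiry`) will outlive `ultimate_session_expiry_ts`, which defeats the point of having an ultimate bound; clamp both to the session expiry when it is set, e.g. `valid_until_ms = min(valid_until_ms, ultimate_session_expiry_ts)` and the same for `refresh_token_expiry`. Minor: `refresh_token_expiry` and `ultimate_session_expiry_ts` are both millisecond timestamps but only one carries the `_ts` suffix; naming the local `refresh_token_expiry_ts` would match the `expiry_ts=` keyword it is passed to.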