|
@@ -22,7 +22,7 @@ func init() {
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
var (
|
|
var (
|
|
|
- now = time.Now
|
|
|
|
|
|
|
+ getTime = time.Now
|
|
|
RotateTime = 30 * time.Second
|
|
RotateTime = 30 * time.Second
|
|
|
UrgentRotateTime = 10 * time.Second
|
|
UrgentRotateTime = 10 * time.Second
|
|
|
oneYearInSeconds = 31557600 //used as default maxage for session cookies. We validate/rotate them more often.
|
|
oneYearInSeconds = 31557600 //used as default maxage for session cookies. We validate/rotate them more often.
|
|
@@ -118,15 +118,17 @@ func (s *UserAuthTokenService) CreateToken(userId int64, clientIP, userAgent str
|
|
|
|
|
|
|
|
hashedToken := hashToken(token)
|
|
hashedToken := hashToken(token)
|
|
|
|
|
|
|
|
|
|
+ now := getTime().Unix()
|
|
|
|
|
+
|
|
|
userToken := models.UserAuthToken{
|
|
userToken := models.UserAuthToken{
|
|
|
UserId: userId,
|
|
UserId: userId,
|
|
|
AuthToken: hashedToken,
|
|
AuthToken: hashedToken,
|
|
|
PrevAuthToken: hashedToken,
|
|
PrevAuthToken: hashedToken,
|
|
|
ClientIp: clientIP,
|
|
ClientIp: clientIP,
|
|
|
UserAgent: userAgent,
|
|
UserAgent: userAgent,
|
|
|
- RotatedAt: now().Unix(),
|
|
|
|
|
- CreatedAt: now().Unix(),
|
|
|
|
|
- UpdatedAt: now().Unix(),
|
|
|
|
|
|
|
+ RotatedAt: now,
|
|
|
|
|
+ CreatedAt: now,
|
|
|
|
|
+ UpdatedAt: now,
|
|
|
SeenAt: 0,
|
|
SeenAt: 0,
|
|
|
AuthTokenSeen: false,
|
|
AuthTokenSeen: false,
|
|
|
}
|
|
}
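Review bot: The `ClientIp: clientIP` field is stored as received, whereas the RefreshToken hunk further down normalizes the address with `clientIP = util.ParseIPAddress(clientIP)` before writing it; unless CreateToken already did that above the hunk (its start is outside this view), the same session row will hold a raw form on creation and a normalized form after the first rotation, which defeats any later comparison of the two. Apply the same normalization here, `ClientIp: util.ParseIPAddress(clientIP),`, or note in a comment on the struct literal where the caller is expected to have done it. The body of CreateToken continues outside the hunk.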
|
|
@@ -142,7 +144,7 @@ func (s *UserAuthTokenService) CreateToken(userId int64, clientIP, userAgent str
|
|
|
|
|
|
|
|
func (s *UserAuthTokenService) LookupToken(unhashedToken string) (*models.UserAuthToken, error) {
|
|
func (s *UserAuthTokenService) LookupToken(unhashedToken string) (*models.UserAuthToken, error) {
|
|
|
hashedToken := hashToken(unhashedToken)
|
|
hashedToken := hashToken(unhashedToken)
|
|
|
- expireBefore := now().Add(time.Duration(-86400*setting.LogInRememberDays) * time.Second).Unix()
|
|
|
|
|
|
|
+ expireBefore := getTime().Add(time.Duration(-86400*setting.LogInRememberDays) * time.Second).Unix()
|
|
|
|
|
|
|
|
var userToken models.UserAuthToken
|
|
var userToken models.UserAuthToken
|
|
|
exists, err := s.SQLStore.NewSession().Where("(auth_token = ? OR prev_auth_token = ?) AND created_at > ?", hashedToken, hashedToken, expireBefore).Get(&userToken)
|
|
exists, err := s.SQLStore.NewSession().Where("(auth_token = ? OR prev_auth_token = ?) AND created_at > ?", hashedToken, hashedToken, expireBefore).Get(&userToken)
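Review bot: The absolute-lifetime cut-off on the `expireBefore` line is unguarded for a non-positive `setting.LogInRememberDays`: with 0 the cut-off equals the current instant, so `created_at > ?` rejects every token including one created in the same second, and a negative value pushes the cut-off into the future with the same effect. If 0 is meant to disable the lifetime cap, that needs an explicit branch here rather than falling into the comparison; if the setting is validated elsewhere, a one-line comment such as `// LogInRememberDays is validated > 0 at startup` would make that dependency visible to the reader. LookupToken continues past the end of the hunk.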
|
|
@@ -157,7 +159,7 @@ func (s *UserAuthTokenService) LookupToken(unhashedToken string) (*models.UserAu
|
|
|
if userToken.AuthToken != hashedToken && userToken.PrevAuthToken == hashedToken && userToken.AuthTokenSeen {
|
|
if userToken.AuthToken != hashedToken && userToken.PrevAuthToken == hashedToken && userToken.AuthTokenSeen {
|
|
|
userTokenCopy := userToken
|
|
userTokenCopy := userToken
|
|
|
userTokenCopy.AuthTokenSeen = false
|
|
userTokenCopy.AuthTokenSeen = false
|
|
|
- expireBefore := now().Add(-UrgentRotateTime).Unix()
|
|
|
|
|
|
|
+ expireBefore := getTime().Add(-UrgentRotateTime).Unix()
|
|
|
affectedRows, err := s.SQLStore.NewSession().Where("id = ? AND prev_auth_token = ? AND rotated_at < ?", userTokenCopy.Id, userTokenCopy.PrevAuthToken, expireBefore).AllCols().Update(&userTokenCopy)
|
|
affectedRows, err := s.SQLStore.NewSession().Where("id = ? AND prev_auth_token = ? AND rotated_at < ?", userTokenCopy.Id, userTokenCopy.PrevAuthToken, expireBefore).AllCols().Update(&userTokenCopy)
|
|
|
if err != nil {
|
|
if err != nil {
|
|
|
return nil, err
|
|
return nil, err
|
|
@@ -173,7 +175,7 @@ func (s *UserAuthTokenService) LookupToken(unhashedToken string) (*models.UserAu
|
|
|
if !userToken.AuthTokenSeen && userToken.AuthToken == hashedToken {
|
|
if !userToken.AuthTokenSeen && userToken.AuthToken == hashedToken {
|
|
|
userTokenCopy := userToken
|
|
userTokenCopy := userToken
|
|
|
userTokenCopy.AuthTokenSeen = true
|
|
userTokenCopy.AuthTokenSeen = true
|
|
|
- userTokenCopy.SeenAt = now().Unix()
|
|
|
|
|
|
|
+ userTokenCopy.SeenAt = getTime().Unix()
|
|
|
affectedRows, err := s.SQLStore.NewSession().Where("id = ? AND auth_token = ?", userTokenCopy.Id, userTokenCopy.AuthToken).AllCols().Update(&userTokenCopy)
|
|
affectedRows, err := s.SQLStore.NewSession().Where("id = ? AND auth_token = ?", userTokenCopy.Id, userTokenCopy.AuthToken).AllCols().Update(&userTokenCopy)
|
|
|
if err != nil {
|
|
if err != nil {
|
|
|
return nil, err
|
|
return nil, err
|
|
@@ -200,19 +202,22 @@ func (s *UserAuthTokenService) RefreshToken(token *models.UserAuthToken, clientI
|
|
|
return false, nil
|
|
return false, nil
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
+ now := getTime()
|
|
|
|
|
+
|
|
|
needsRotation := false
|
|
needsRotation := false
|
|
|
rotatedAt := time.Unix(token.RotatedAt, 0)
|
|
rotatedAt := time.Unix(token.RotatedAt, 0)
|
|
|
if token.AuthTokenSeen {
|
|
if token.AuthTokenSeen {
|
|
|
- needsRotation = rotatedAt.Before(now().Add(-RotateTime))
|
|
|
|
|
|
|
+ needsRotation = rotatedAt.Before(now.Add(-RotateTime))
|
|
|
} else {
|
|
} else {
|
|
|
- needsRotation = rotatedAt.Before(now().Add(-UrgentRotateTime))
|
|
|
|
|
|
|
+ needsRotation = rotatedAt.Before(now.Add(-UrgentRotateTime))
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- s.log.Debug("refresh token", "needs rotation?", needsRotation, "auth_token_seen", token.AuthTokenSeen, "rotated_at", rotatedAt, "token.Id", token.Id)
|
|
|
|
|
if !needsRotation {
|
|
if !needsRotation {
|
|
|
return false, nil
|
|
return false, nil
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
+ s.log.Debug("refresh token needs rotation?", "auth_token_seen", token.AuthTokenSeen, "rotated_at", rotatedAt, "token.Id", token.Id)
|
|
|
|
|
+
|
|
|
clientIP = util.ParseIPAddress(clientIP)
|
|
clientIP = util.ParseIPAddress(clientIP)
|
|
|
newToken, _ := util.RandomHex(16)
|
|
newToken, _ := util.RandomHex(16)
|
|
|
hashedToken := hashToken(newToken)
|
|
hashedToken := hashToken(newToken)
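Review bot: The error from `util.RandomHex(16)` is discarded on the `newToken, _ :=` line, so if the random source fails the empty (or partial) value is hashed and written to the database as the session's new auth token, and the function reports a successful rotation. The randomness of this value is the entire security of the session cookie, so the failure must abort the rotation instead; the rewritten lines are below. Separately, the relocated debug log on the `s.log.Debug("refresh token needs rotation?"` line now only runs after `!needsRotation` has returned, so the message is always true and the trailing question mark is misleading — `"refresh token needs rotation"` reads correctly. RefreshToken starts before and ends after this hunk.
```go
	// … unchanged: rotation decision and debug log …
	clientIP = util.ParseIPAddress(clientIP)
	newToken, err := util.RandomHex(16)
	if err != nil {
		// never rotate onto a non-random token; leave the current one in place
		return false, err
	}
	hashedToken := hashToken(newToken)
```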
|
|
@@ -229,7 +234,7 @@ func (s *UserAuthTokenService) RefreshToken(token *models.UserAuthToken, clientI
|
|
|
rotated_at = ?
|
|
rotated_at = ?
|
|
|
WHERE id = ? AND (auth_token_seen or rotated_at < ?)`
|
|
WHERE id = ? AND (auth_token_seen or rotated_at < ?)`
|
|
|
|
|
|
|
|
- res, err := s.SQLStore.NewSession().Exec(sql, userAgent, clientIP, hashedToken, now().Unix(), token.Id, now().Add(-UrgentRotateTime))
|
|
|
|
|
|
|
+ res, err := s.SQLStore.NewSession().Exec(sql, userAgent, clientIP, hashedToken, now.Unix(), token.Id, now.Add(-UrgentRotateTime))
|
|
|
if err != nil {
|
|
if err != nil {
|
|
|
return false, err
|
|
return false, err
|
|
|
}
|
|
}
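Review bot: The last argument on the `res, err := s.SQLStore.NewSession().Exec(` line binds `now.Add(-UrgentRotateTime)` — a `time.Time` — to `rotated_at < ?`, while `rotated_at` is written as Unix seconds (`rotated_at = ?` on the same statement receives `now.Unix()`, and RefreshToken reads it back with `time.Unix(token.RotatedAt, 0)`). Comparing an integer column against a driver-serialized timestamp is at best database-dependent and likely never matches, which would make the `(auth_token_seen or rotated_at < ?)` guard equivalent to `auth_token_seen` alone; the LookupToken hunk above already does this comparison correctly with `.Unix()`. Pass `now.Add(-UrgentRotateTime).Unix()` here. RefreshToken continues outside the hunk.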
|