jazzband
diff --git a/Diff for: ‎.github/workflows/test.yml
+3-23 b/Diff for: ‎.github/workflows/test.yml
+3-23
diff --git a/Diff for: ‎.pre-commit-config.yaml
+2-2 b/Diff for: ‎.pre-commit-config.yaml
+2-2
diff --git a/Diff for: ‎AUTHORS
+3 b/Diff for: ‎AUTHORS
+3
diff --git a/Diff for: ‎CHANGELOG.md
+8-1 b/Diff for: ‎CHANGELOG.md
+8-1
diff --git a/Diff for: ‎README.rst
+1-1 b/Diff for: ‎README.rst
+1-1
diff --git a/Diff for: ‎docs/index.rst
+1-1 b/Diff for: ‎docs/index.rst
+1-1
diff --git a/Diff for: ‎docs/settings.rst
+12 b/Diff for: ‎docs/settings.rst
+12
diff --git a/Diff for: ‎oauth2_provider/contrib/rest_framework/authentication.py
+12-3 b/Diff for: ‎oauth2_provider/contrib/rest_framework/authentication.py
+12-3
diff --git a/Diff for: ‎oauth2_provider/middleware.py
+3-1 b/Diff for: ‎oauth2_provider/middleware.py
+3-1
diff --git a/Diff for: ‎oauth2_provider/migrations/0011_refreshtoken_token_family.py
+19 b/Diff for: ‎oauth2_provider/migrations/0011_refreshtoken_token_family.py
+19
diff --git a/Diff for: ‎oauth2_provider/migrations/0012_add_token_checksum.py
+26 b/Diff for: ‎oauth2_provider/migrations/0012_add_token_checksum.py
+26
diff --git a/Diff for: ‎oauth2_provider/models.py
+14-2 b/Diff for: ‎oauth2_provider/models.py
+14-2
diff --git a/Diff for: ‎oauth2_provider/oauth2_validators.py
+31-13 b/Diff for: ‎oauth2_provider/oauth2_validators.py
+31-13
diff --git a/Diff for: ‎oauth2_provider/settings.py
+1 b/Diff for: ‎oauth2_provider/settings.py
+1
@@ -10,39 +10,19 @@ jobs:
       fail-fast: false
       matrix:
         python-version:
-        - '3.8'
-        - '3.9'
         - '3.10'
         - '3.11'
         - '3.12'
         django-version:
-        - '3.2'
-        - '4.0'
-        - '4.1'
         - '4.2'
         - '5.0'
+        - '5.1'
         - 'main'
-        exclude:
+        include:
           # https://docs.djangoproject.com/en/dev/faq/install/#what-python-version-can-i-use-with-django
-
-          # < Python 3.10 is not supported by Django 5.0+
-          - python-version: '3.8'
-            django-version: '5.0'
-          - python-version: '3.9'
-            django-version: '5.0'
           - python-version: '3.8'
-            django-version: 'main'
+            django-version: '4.2'
           - python-version: '3.9'
-            django-version: 'main'
-
-          # Python 3.12 is not supported by Django < 5.0
-          - python-version: '3.12'
-            django-version: '3.2'
-          - python-version: '3.12'
-            django-version: '4.0'
-          - python-version: '3.12'
-            django-version: '4.1'
-          - python-version: '3.12'
             django-version: '4.2'
 
     steps:
 
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 24.4.2
+    rev: 24.8.0
     hooks:
       - id: black
         exclude: ^(oauth2_provider/migrations/|tests/migrations/)
@@ -21,7 +21,7 @@ repos:
       - id: isort
         exclude: ^(oauth2_provider/migrations/|tests/migrations/)
   - repo: https://github.com/PyCQA/flake8
-    rev: 7.1.0
+    rev: 7.1.1
     hooks:
       - id: flake8
         exclude: ^(oauth2_provider/migrations/|tests/migrations/)
 
@@ -51,6 +51,7 @@ Dylan Tack
 Eduardo Oliveira
 Egor Poderiagin
 Emanuele Palazzetti
+Fazeel Ghafoor
 Federico Dolce
 Florian Demmer
 Frederico Vieira
@@ -83,6 +84,7 @@ Kristian Rune Larsen
 Lazaros Toumanidis
 Ludwig Hähne
 Łukasz Skarżyński
+Madison Swain-Bowden
 Marcus Sonestedt
 Matias Seniquiel
 Michael Howitz
@@ -105,6 +107,7 @@ Shaun Stanworth
 Sayyid Hamid Mahdavi
 Silvano Cerza
 Sora Yanai
+Sören Wegener
 Spencer Carroll
 Stéphane Raimbault
 Tom Evans
 
@@ -16,13 +16,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 ### Added
+* Add migration to include `token_checksum` field in AbstractAccessToken model.
+* #1404 Add a new setting `REFRESH_TOKEN_REUSE_PROTECTION`
 ### Changed
+* Update token to TextField from CharField with 255 character limit and SHA-256 checksum in AbstractAccessToken model. Removing the 255 character limit enables supporting JWT tokens with additional claims
+* Update middleware, validators, and views to use token checksums instead of token for token retrieval and validation.
+* #1446 use generic models pk instead of id.
+
 ### Deprecated
 ### Removed
 * #1425 Remove deprecated `RedirectURIValidator`, `WildcardSet` per #1345; `validate_logout_request` per #1274
+* Remove support for Django versions below 4.2
 
 ### Fixed
-* now all part of code use pk instead of id for models.
+* #1443 Query strings with invalid hex values now raise a SuspiciousOperation exception (in DRF extension) instead of raising a 500 ValueError: Invalid hex encoding in query string.
 ### Security
 
 ## [2.4.0] - 2024-05-13
 
@@ -44,7 +44,7 @@ Requirements
 ------------
 
 * Python 3.8+
-* Django 3.2, 4.0 (4.0.1+ due to a regression), 4.1, 4.2, or 5.0
+* Django 4.2, 5.0 or 5.1
 * oauthlib 3.1+
 
 Installation
 
@@ -22,7 +22,7 @@ Requirements
 ------------
 
 * Python 3.8+
-* Django 3.2, 4.0 (4.0.1+ due to a regression), 4.1, 4.2, or 5.0
+* Django 4.2, 5.0 or 5.1
 * oauthlib 3.1+
 
 Index
 
@@ -185,6 +185,18 @@ The import string of the class (model) representing your refresh tokens. Overwri
 this value if you wrote your own implementation (subclass of
 ``oauth2_provider.models.RefreshToken``).
 
+REFRESH_TOKEN_REUSE_PROTECTION
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+When this is set to ``True`` (default ``False``), and ``ROTATE_REFRESH_TOKEN`` is used, the server will check
+if a previously, already revoked refresh token is used a second time. If it detects a reuse, it will automatically
+revoke all related refresh tokens.
+A reused refresh token indicates a breach. Since the server can't determine which request came from the legitimate
+user and which from an attacker, it will end the session for both. The user is required to perform a new login.
+
+Can be used in combination with ``REFRESH_TOKEN_GRACE_PERIOD_SECONDS``
+
+More details at https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#name-recommendations
+
 ROTATE_REFRESH_TOKEN
 ~~~~~~~~~~~~~~~~~~~~
 When is set to ``True`` (default) a new refresh token is issued to the client when the client refreshes an access token.
 
@@ -1,5 +1,6 @@
 from collections import OrderedDict
 
+from django.core.exceptions import SuspiciousOperation
 from rest_framework.authentication import BaseAuthentication
 
 from ...oauth2_backends import get_oauthlib_core
@@ -23,10 +24,18 @@ def authenticate(self, request):
         Returns two-tuple of (user, token) if authentication succeeds,
         or None otherwise.
         """
+        if request is None:
+            return None
         oauthlib_core = get_oauthlib_core()
-        valid, r = oauthlib_core.verify_request(request, scopes=[])
-        if valid:
-            return r.user, r.access_token
+        try:
+            valid, r = oauthlib_core.verify_request(request, scopes=[])
+        except ValueError as error:
+            if str(error) == "Invalid hex encoding in query string.":
+                raise SuspiciousOperation(error)
+            raise
+        else:
+            if valid:
+                return r.user, r.access_token
         request.oauth2_error = getattr(r, "oauth2_error", {})
         return None
 
 
@@ -1,3 +1,4 @@
+import hashlib
 import logging
 
 from django.contrib.auth import authenticate
@@ -55,7 +56,8 @@ def __call__(self, request):
             tokenstring = authheader.split()[1]
             AccessToken = get_access_token_model()
             try:
-                token = AccessToken.objects.get(token=tokenstring)
+                token_checksum = hashlib.sha256(tokenstring.encode("utf-8")).hexdigest()
+                token = AccessToken.objects.get(token_checksum=token_checksum)
                 request.access_token = token
             except AccessToken.DoesNotExist as e:
                 log.exception(e)
 
@@ -0,0 +1,19 @@
+# Generated by Django 5.2 on 2024-08-09 16:40
+
+from django.db import migrations, models
+from oauth2_provider.settings import oauth2_settings
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oauth2_provider', '0010_application_allowed_origins'),
+        migrations.swappable_dependency(oauth2_settings.REFRESH_TOKEN_MODEL)
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='refreshtoken',
+            name='token_family',
+            field=models.UUIDField(blank=True, editable=False, null=True),
+        ),
+    ]
@@ -0,0 +1,26 @@
+# Generated by Django 5.0.7 on 2024-07-29 23:13
+
+import oauth2_provider.models
+from django.db import migrations, models
+from oauth2_provider.settings import oauth2_settings
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("oauth2_provider", "0011_refreshtoken_token_family"),
+        migrations.swappable_dependency(oauth2_settings.ACCESS_TOKEN_MODEL),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="accesstoken",
+            name="token_checksum",
+            field=oauth2_provider.models.TokenChecksumField(
+                blank=True, db_index=True, max_length=64, unique=True
+            ),
+        ),
+        migrations.AlterField(
+            model_name="accesstoken",
+            name="token",
+            field=models.TextField(),
+        ),
+    ]
@@ -1,3 +1,4 @@
+import hashlib
 import logging
 import time
 import uuid
@@ -44,6 +45,14 @@ def pre_save(self, model_instance, add):
         return super().pre_save(model_instance, add)
 
 
+class TokenChecksumField(models.CharField):
+    def pre_save(self, model_instance, add):
+        token = getattr(model_instance, "token")
+        checksum = hashlib.sha256(token.encode("utf-8")).hexdigest()
+        setattr(model_instance, self.attname, checksum)
+        return super().pre_save(model_instance, add)
+
+
 class AbstractApplication(models.Model):
     """
     An Application instance represents a Client on the Authorization server.
@@ -380,8 +389,10 @@ class AbstractAccessToken(models.Model):
         null=True,
         related_name="refreshed_access_token",
     )
-    token = models.CharField(
-        max_length=255,
+    token = models.TextField()
+    token_checksum = TokenChecksumField(
+        max_length=64,
+        blank=True,
         unique=True,
         db_index=True,
     )
@@ -491,6 +502,7 @@ class AbstractRefreshToken(models.Model):
         null=True,
         related_name="refresh_token",
     )
+    token_family = models.UUIDField(null=True, blank=True, editable=False)
 
     created = models.DateTimeField(auto_now_add=True)
     updated = models.DateTimeField(auto_now=True)
 
@@ -1,5 +1,6 @@
 import base64
 import binascii
+import hashlib
 import http.client
 import inspect
 import json
@@ -15,7 +16,6 @@
 from django.contrib.auth.hashers import check_password, identify_hasher
 from django.core.exceptions import ObjectDoesNotExist
 from django.db import transaction
-from django.db.models import Q
 from django.http import HttpRequest
 from django.utils import dateformat, timezone
 from django.utils.crypto import constant_time_compare
@@ -462,7 +462,12 @@ def validate_bearer_token(self, token, scopes, request):
             return False
 
     def _load_access_token(self, token):
-        return AccessToken.objects.select_related("application", "user").filter(token=token).first()
+        token_checksum = hashlib.sha256(token.encode("utf-8")).hexdigest()
+        return (
+            AccessToken.objects.select_related("application", "user")
+            .filter(token_checksum=token_checksum)
+            .first()
+        )
 
     def validate_code(self, client_id, code, client, request, *args, **kwargs):
         try:
@@ -644,7 +649,9 @@ def save_bearer_token(self, token, request, *args, **kwargs):
                         source_refresh_token=refresh_token_instance,
                     )
 
-                    self._create_refresh_token(request, refresh_token_code, access_token)
+                    self._create_refresh_token(
+                        request, refresh_token_code, access_token, refresh_token_instance
+                    )
                 else:
                     # make sure that the token data we're returning matches
                     # the existing token
@@ -688,9 +695,17 @@ def _create_authorization_code(self, request, code, expires=None):
             claims=json.dumps(request.claims or {}),
         )
 
-    def _create_refresh_token(self, request, refresh_token_code, access_token):
+    def _create_refresh_token(self, request, refresh_token_code, access_token, previous_refresh_token):
+        if previous_refresh_token:
+            token_family = previous_refresh_token.token_family
+        else:
+            token_family = uuid.uuid4()
         return RefreshToken.objects.create(
-            user=request.user, token=refresh_token_code, application=request.client, access_token=access_token
+            user=request.user,
+            token=refresh_token_code,
+            application=request.client,
+            access_token=access_token,
+            token_family=token_family,
         )
 
     def revoke_token(self, token, token_type_hint, request, *args, **kwargs):
@@ -752,22 +767,25 @@ def validate_refresh_token(self, refresh_token, client, request, *args, **kwargs
         Also attach User instance to the request object
         """
 
-        null_or_recent = Q(revoked__isnull=True) | Q(
-            revoked__gt=timezone.now() - timedelta(seconds=oauth2_settings.REFRESH_TOKEN_GRACE_PERIOD_SECONDS)
-        )
-        rt = (
-            RefreshToken.objects.filter(null_or_recent, token=refresh_token)
-            .select_related("access_token")
-            .first()
-        )
+        rt = RefreshToken.objects.filter(token=refresh_token).select_related("access_token").first()
 
         if not rt:
             return False
 
+        if rt.revoked is not None and rt.revoked <= timezone.now() - timedelta(
+            seconds=oauth2_settings.REFRESH_TOKEN_GRACE_PERIOD_SECONDS
+        ):
+            if oauth2_settings.REFRESH_TOKEN_REUSE_PROTECTION and rt.token_family:
+                rt_token_family = RefreshToken.objects.filter(token_family=rt.token_family)
+                for related_rt in rt_token_family.all():
+                    related_rt.revoke()
+            return False
+
         request.user = rt.user
         request.refresh_token = rt.token
         # Temporary store RefreshToken instance to be reused by get_original_scopes and save_bearer_token.
         request.refresh_token_instance = rt
+
         return rt.application == client
 
     @transaction.atomic
 
@@ -54,6 +54,7 @@
     "ID_TOKEN_EXPIRE_SECONDS": 36000,
     "REFRESH_TOKEN_EXPIRE_SECONDS": None,
     "REFRESH_TOKEN_GRACE_PERIOD_SECONDS": 0,
+    "REFRESH_TOKEN_REUSE_PROTECTION": False,
     "ROTATE_REFRESH_TOKEN": True,
     "ERROR_RESPONSE_WITH_SCOPES": False,
     "APPLICATION_MODEL": APPLICATION_MODEL,