Merge branch 'master' into BUGFIX/models-pk-instead-of-models-id

Author: n2ygk

.github/workflows/test.yml

@@ -10,39 +10,19 @@ jobs:
       fail-fast: false
       matrix:
         python-version:
-        - '3.8'
-        - '3.9'
         - '3.10'
         - '3.11'
         - '3.12'
         django-version:
-        - '3.2'
-        - '4.0'
-        - '4.1'
         - '4.2'
         - '5.0'
+        - '5.1'
         - 'main'
-        exclude:
+        include:
           # https://docs.djangoproject.com/en/dev/faq/install/#what-python-version-can-i-use-with-django
-
-          # < Python 3.10 is not supported by Django 5.0+
-          - python-version: '3.8'
-            django-version: '5.0'
-          - python-version: '3.9'
-            django-version: '5.0'
           - python-version: '3.8'
-            django-version: 'main'
+            django-version: '4.2'
           - python-version: '3.9'
-            django-version: 'main'
-
-          # Python 3.12 is not supported by Django < 5.0
-          - python-version: '3.12'
-            django-version: '3.2'
-          - python-version: '3.12'
-            django-version: '4.0'
-          - python-version: '3.12'
-            django-version: '4.1'
-          - python-version: '3.12'
             django-version: '4.2'
 
     steps:

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 24.4.2
+    rev: 24.8.0
     hooks:
       - id: black
         exclude: ^(oauth2_provider/migrations/|tests/migrations/)
@@ -21,7 +21,7 @@ repos:
       - id: isort
         exclude: ^(oauth2_provider/migrations/|tests/migrations/)
   - repo: https://github.com/PyCQA/flake8
-    rev: 7.1.0
+    rev: 7.1.1
     hooks:
       - id: flake8
         exclude: ^(oauth2_provider/migrations/|tests/migrations/)

AUTHORS

@@ -51,6 +51,7 @@ Dylan Tack
 Eduardo Oliveira
 Egor Poderiagin
 Emanuele Palazzetti
+Fazeel Ghafoor
 Federico Dolce
 Florian Demmer
 Frederico Vieira
@@ -83,6 +84,7 @@ Kristian Rune Larsen
 Lazaros Toumanidis
 Ludwig Hähne
 Łukasz Skarżyński
+Madison Swain-Bowden
 Marcus Sonestedt
 Matias Seniquiel
 Michael Howitz
@@ -105,6 +107,7 @@ Shaun Stanworth
 Sayyid Hamid Mahdavi
 Silvano Cerza
 Sora Yanai
+Sören Wegener
 Spencer Carroll
 Stéphane Raimbault
 Tom Evans

CHANGELOG.md

@@ -16,13 +16,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 ### Added
+* Add migration to include `token_checksum` field in AbstractAccessToken model.
+* #1404 Add a new setting `REFRESH_TOKEN_REUSE_PROTECTION`
 ### Changed
+* Update token to TextField from CharField with 255 character limit and SHA-256 checksum in AbstractAccessToken model. Removing the 255 character limit enables supporting JWT tokens with additional claims
+* Update middleware, validators, and views to use token checksums instead of token for token retrieval and validation.
+* #1446 use generic models pk instead of id.
+
 ### Deprecated
 ### Removed
 * #1425 Remove deprecated `RedirectURIValidator`, `WildcardSet` per #1345; `validate_logout_request` per #1274
+* Remove support for Django versions below 4.2
 
 ### Fixed
-* now all part of code use pk instead of id for models.
+* #1443 Query strings with invalid hex values now raise a SuspiciousOperation exception (in DRF extension) instead of raising a 500 ValueError: Invalid hex encoding in query string.
 ### Security
 
 ## [2.4.0] - 2024-05-13

README.rst

@@ -44,7 +44,7 @@ Requirements
 ------------
 
 * Python 3.8+
-* Django 3.2, 4.0 (4.0.1+ due to a regression), 4.1, 4.2, or 5.0
+* Django 4.2, 5.0 or 5.1
 * oauthlib 3.1+
 
 Installation

docs/index.rst

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 * Python 3.8+
-* Django 3.2, 4.0 (4.0.1+ due to a regression), 4.1, 4.2, or 5.0
+* Django 4.2, 5.0 or 5.1
 * oauthlib 3.1+
 
 Index

docs/settings.rst

@@ -185,6 +185,18 @@ The import string of the class (model) representing your refresh tokens. Overwri
 this value if you wrote your own implementation (subclass of
 ``oauth2_provider.models.RefreshToken``).
 
+REFRESH_TOKEN_REUSE_PROTECTION
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+When this is set to ``True`` (default ``False``), and ``ROTATE_REFRESH_TOKEN`` is used, the server will check
+if a previously, already revoked refresh token is used a second time. If it detects a reuse, it will automatically
+revoke all related refresh tokens.
+A reused refresh token indicates a breach. Since the server can't determine which request came from the legitimate
+user and which from an attacker, it will end the session for both. The user is required to perform a new login.
+
+Can be used in combination with ``REFRESH_TOKEN_GRACE_PERIOD_SECONDS``
+
+More details at https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#name-recommendations
+
 ROTATE_REFRESH_TOKEN
 ~~~~~~~~~~~~~~~~~~~~
 When is set to ``True`` (default) a new refresh token is issued to the client when the client refreshes an access token.

oauth2_provider/contrib/rest_framework/authentication.py

@@ -1,5 +1,6 @@
 from collections import OrderedDict
 
+from django.core.exceptions import SuspiciousOperation
 from rest_framework.authentication import BaseAuthentication
 
 from ...oauth2_backends import get_oauthlib_core
@@ -23,10 +24,18 @@ def authenticate(self, request):
         Returns two-tuple of (user, token) if authentication succeeds,
         or None otherwise.
         """
+        if request is None:
+            return None
         oauthlib_core = get_oauthlib_core()
-        valid, r = oauthlib_core.verify_request(request, scopes=[])
-        if valid:
-            return r.user, r.access_token
+        try:
+            valid, r = oauthlib_core.verify_request(request, scopes=[])
+        except ValueError as error:
+            if str(error) == "Invalid hex encoding in query string.":
+                raise SuspiciousOperation(error)
+            raise
+        else:
+            if valid:
+                return r.user, r.access_token
         request.oauth2_error = getattr(r, "oauth2_error", {})
         return None
 

oauth2_provider/middleware.py

@@ -1,3 +1,4 @@
+import hashlib
 import logging
 
 from django.contrib.auth import authenticate
@@ -55,7 +56,8 @@ def __call__(self, request):
             tokenstring = authheader.split()[1]
             AccessToken = get_access_token_model()
             try:
-                token = AccessToken.objects.get(token=tokenstring)
+                token_checksum = hashlib.sha256(tokenstring.encode("utf-8")).hexdigest()
+                token = AccessToken.objects.get(token_checksum=token_checksum)
                 request.access_token = token
             except AccessToken.DoesNotExist as e:
                 log.exception(e)

oauth2_provider/migrations/0011_refreshtoken_token_family.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.2 on 2024-08-09 16:40
+
+from django.db import migrations, models
+from oauth2_provider.settings import oauth2_settings
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oauth2_provider', '0010_application_allowed_origins'),
+        migrations.swappable_dependency(oauth2_settings.REFRESH_TOKEN_MODEL)
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='refreshtoken',
+            name='token_family',
+            field=models.UUIDField(blank=True, editable=False, null=True),
+        ),
+    ]