Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

If the blacklist app is enabled mark rotated refresh tokens as outstanding #519

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

If the blacklist app is enabled mark rotated refresh tokens as outstanding #519

wants to merge 2 commits into from

Conversation

vainu-arto
Copy link
Contributor

@vainu-arto vainu-arto commented Jan 26, 2022
edited
Loading

The token blacklisting itself works without this (the OutstandingToken
object will be created when adding a token to the blacklist), but the list
of outstanding tokens would very quickly get out of date in the presence of
refresh token rotation, and be unusable for any other purpose (for example
being able to tell which users have valid outstanding tokens).

Fixes #363 and #25

Andrew-Chen-Wang
Andrew-Chen-Wang requested changes Jan 29, 2022
View reviewed changes
Copy link
Member

@Andrew-Chen-Wang Andrew-Chen-Wang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm confused what this is trying to do; can you clarify? Are you just abstracting code?

rest_framework_simplejwt/tokens.py

OutstandingToken.objects.create(
user=user,
user_id=self[api_settings.USER_ID_CLAIM],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
user_id=self[api_settings.USER_ID_CLAIM],
user_pk=self[api_settings.USER_ID_CLAIM],

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The point is that TokenRefreshSerializer.validate() (the new caller for this helper) doesn't currently hold a User object. Using just the id here avoids needing to query the database for one.

Another alternative that comes to mind would be just doing RefreshToken.for_user() at refresh instead of the current RefreshToken(attrs["refresh"]) (create a new token from scratch instead of copying the claims from the previous one). That would require the query, though.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The suggested change of user_id to user_pk doesn't pass tests, and I can't find any hint that that syntax would be supported by the Django ORM.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

However after looking at this a bit more, I don't think anything guarantees that api_settings.USER_ID_FIELD == User.id. So perhaps the query at TokenRefreshSerializer.validate() is unavoidable?

@aaronn
Copy link

aaronn commented Jun 8, 2023

Just came across this because I believe I have the same issue. When a token is initially created, it is added to the OutstandingToken table. However, when that same token is refreshed, the new refresh token isn't added to the new OutstandingToken table, causing it to then be rejected when there is an attempt to use it to refresh.

Is that right @vainu-arto?

@vainu-arto
Copy link
Contributor Author

Just came across this because I believe I have the same issue. When a token is initially created, it is added to the OutstandingToken table. However, when that same token is refreshed, the new refresh token isn't added to the new OutstandingToken table, causing it to then be rejected when there is an attempt to use it to refresh.

In my case refreshing tokens succeeds. At least the version of this lib I'm running doesn't require that the token exists in OutstandingToken before allowing it to be refreshed.

vainu-arto and others added 2 commits June 9, 2023 07:46
@vainu-arto
If the token blacklist is enabled mark rotated refresh tokens as outs…
f6b318e 
…tanding

The token blacklisting itself works without this (the OutstandingToken
object will be created when adding a token to the blacklist), but the list
of outstanding tokens would very quickly get out of date in the presence of
refresh token rotation, and be unusable for any other purpose (for example
being able to tell which users have valid outstanding tokens).
@pre-commit-ci @vainu-arto
[pre-commit.ci] auto fixes from pre-commit.com hooks
77ffaca 
for more information, see https://pre-commit.ci
@vainu-arto vainu-arto force-pushed the create-outstanding-token-for-rotated-refresh-token branch from a79b9de to 77ffaca Compare June 9, 2023 04:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Andrew-Chen-Wang Andrew-Chen-Wang Andrew-Chen-Wang requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
needs investigation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OustandingToken only created when refresh token is used to get a new key pair and not at creation ? Bug ?
3 participants
@vainu-arto @aaronn @Andrew-Chen-Wang