This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

MSC2918 Refresh tokens implementation #9450

Merged
merged 51 commits into from
Jun 24, 2021
Changes from 2 commits
51 commits
fe80ef5  WIP: MSC2918 (sandhose, Feb 13, 2021)
523d8cf  MSC2918: implement refresh tokens (sandhose, Feb 19, 2021)
358da22  MSC2918: Changelog (sandhose, Mar 26, 2021)
f53466e  MSC2918: fix mypy and lint errors (sandhose, Mar 26, 2021)
324d7bf  MSC2918: add PostgreSQL schema (sandhose, Mar 26, 2021)
450a962  MSC2918: do not invalidate refresh token immediately & fix tests (sandhose, Apr 9, 2021)
022485e  MSC2918: lint fixes (sandhose, Apr 9, 2021)
51ba1c3  MSC2918: also delete refresh tokens when logging out (sandhose, Apr 22, 2021)
d281f7e  MSC2918: fix field name in migrations (sandhose, Apr 22, 2021)
f499d63  MSC2918: merge SQLite and PostgreSQL schema deltas (sandhose, May 5, 2021)
e402a07  MSC2918: fix sample config (sandhose, May 5, 2021)
adc6eab  MSC2918: use parse_boolean to get query parameter value (sandhose, May 5, 2021)
6963fe0  MSC2918: use attr.s instead of TypedDict (sandhose, May 5, 2021)
318b74c  MSC2918: remove unused sequence in refresh_tokens (sandhose, May 5, 2021)
29806b4  MSC2918: try fixing port_db script when a table references itself (sandhose, May 5, 2021)
72e5c25  MSC2918: lint (sandhose, May 5, 2021)
eb9f680  Revert "MSC2918: use attr.s instead of TypedDict" (sandhose, May 5, 2021)
417a34a  MSC2918: random signed token instead of macaroons for refresh tokens (sandhose, May 20, 2021)
45177a6  MSC2918: some docstrings and minor changes (sandhose, May 20, 2021)
e37f53a  MSC2918: expires_in -> expires_in_ms (sandhose, May 27, 2021)
262d1ab  MSC2918: properly figure out whether an access token was already used… (sandhose, May 27, 2021)
75ce9e5  MSC2918: implement for registration endpoint (sandhose, May 27, 2021)
6f2cc61  MSC2918: properly replace old-next refresh token (sandhose, May 27, 2021)
b7b17ed  MSC2918: add tests (sandhose, May 27, 2021)
c7eab51  MSC2918: use secrets.token_bytes instead of random.randbytes (sandhose, May 27, 2021)
088e023  MSC2918: mark new column as boolean in port_db (sandhose, May 27, 2021)
6247228  MSC2918: fix existing auth test (sandhose, May 27, 2021)
67d4c9e  Merge remote-tracking branch 'upstream/develop' into sandhose/msc2918 (sandhose, May 28, 2021)
2ec853c  MSC2918: use the same pattern as access tokens for refresh tokens (sandhose, May 28, 2021)
9e7ce1f  MSC2918: lint: remove unused import (sandhose, May 28, 2021)
45e2eaf  MSC2918: fix typing issue (sandhose, May 28, 2021)
c20f94a  MSC2918: properly check refresh_token parameter (sandhose, May 28, 2021)
790baac  MSC2918: cleanup old refresh token generation code (sandhose, May 28, 2021)
01b0740  MSC2918: add more docstrings (sandhose, Jun 3, 2021)
797e0d3  MSC2918: change refresh token API error codes (sandhose, Jun 3, 2021)
8f8f369  MSC2918: disable refresh tokens when session_lifetime is set (sandhose, Jun 3, 2021)
6024ed8  MSC2918: add missing docstring (sandhose, Jun 3, 2021)
908c279  MSC2918: temp: mark the access token as used only once (sandhose, Jun 3, 2021)
cdfd871  MSC2918: explicit cast on access_tokens.used (sandhose, Jun 4, 2021)
b169a62  Revert "MSC2918: explicit cast on access_tokens.used" (sandhose, Jun 4, 2021)
e07ef9b  MSC2918: properly fix access_tokens.used column on old SQLite (sandhose, Jun 4, 2021)
4cf49a6  Merge remote-tracking branch 'upstream/develop' into sandhose/msc2918 (sandhose, Jun 4, 2021)
ef0e051  MSC2918: properly fix "mark_access_token_as_used" by caching it (sandhose, Jun 4, 2021)
7adfe0c  Merge remote-tracking branch 'upstream/develop' into sandhose/msc2918 (sandhose, Jun 10, 2021)
ab443a3  MSC2918: add comments as suggested by richvdh (sandhose, Jun 17, 2021)
0060bc9  Merge remote-tracking branch 'upstream/develop' into sandhose/msc2918 (sandhose, Jun 17, 2021)
18628fc  MSC2918: make access_tokens.used nullable (sandhose, Jun 18, 2021)
bcc33e2  MSC2918: 403 when using a refresh token twice (sandhose, Jun 18, 2021)
ddfc2a4  MSC2918: clarify comment about access_token_lifetime and session_life… (sandhose, Jun 18, 2021)
a013064  Merge remote-tracking branch 'upstream/develop' into sandhose/msc2918 (sandhose, Jun 18, 2021)
9fe5556  MSC2918: fix refresh token invalidation test (sandhose, Jun 18, 2021)
5 changes: 5 additions & 0 deletions synapse/config/registration.py
@@ -119,6 +119,11 @@ def read_config(self, config, **kwargs):
session_lifetime = self.parse_duration(session_lifetime)
self.session_lifetime = session_lifetime

# The `access_token_lifetime` applies for tokens that can be renewed
# using a refresh token, as per MSC2918. This behaviour can be disabled
# by setting it to `None` (`null` in the YAML config). Since it is
# incompatible with the `session_lifetime` mechanism, it is set to
# `None` by default if a `session_lifetime` is set.
access_token_lifetime = config.get(
"access_token_lifetime", "5m" if session_lifetime is None else None
)
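Review bot: the new comment calls `access_token_lifetime` incompatible with `session_lifetime`, but the code only changes the default: `config.get("access_token_lifetime", "5m" if session_lifetime is None else None)` still accepts a config that sets both explicitly, so the two expiry mechanisms can end up running side by side. Consider raising a ConfigError when both end up non-None, and document the `5m` default in the sample config so operators know that lifetime applies whenever no `session_lifetime` is configured.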
2 changes: 1 addition & 1 deletion synapse/handlers/auth.py
@@ -1326,7 +1326,7 @@ def generate_access_token(self, for_user: UserID) -> str:
def generate_refresh_token(self, for_user: UserID) -> str:
"""Generates an opaque string, for use as a refresh token"""

# we use the following format for access tokens:
# we use the following format for refresh tokens:
# syr_<base64 local part>_<random string>_<base62 crc check>

b64local = unpaddedbase64.encode_base64(for_user.localpart.encode("utf-8"))
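Review bot: the comment fix (`access tokens` -> `refresh tokens`) is right, but the docstring's "opaque string" overstates it: the format on the next line embeds the user's localpart as unpadded base64, so anyone holding the token can read which user it belongs to, and the trailing crc is a typo check rather than an integrity protection. Suggest one more docstring line saying the localpart is not secret and that all of the token's unguessability comes from the `<random string>` part, so that part is never shortened later.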
2 changes: 2 additions & 0 deletions synapse/storage/databases/main/registration.py
@@ -54,6 +54,8 @@ class TokenLookupResult:
token_owner: The "owner" of the token. This is either the same as the
user, or a server admin who is logged in as the user.
token_used: True if this token was used at least once in a request.
This field can be out of date since `get_user_by_access_token` is
cached.
"""

user_id = attr.ib(type=str)
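Review bot: the added `token_used` docstring says the value can be stale because `get_user_by_access_token` is cached, but not what the field is used for or which caller needs the authoritative value. If this flag is what decides whether an access token has already been used (the "properly figure out whether an access token was already used" and "mark_access_token_as_used" commits in this PR suggest it is), a stale False would make that check pass when it should not; the docstring should name the caller that must read the uncached value, or the cache entry should be invalidated when the token is marked as used.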