TheAnachronism/docspell
1
0
Fork 0
mirror of https://github.com/TheAnachronism/docspell.git synced 2025-04-05 02:49:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow an auth token to carry a specific validity

Browse Source
This commit is contained in:
eikek 2022-04-29 21:02:17 +02:00
parent 8551f81a5c
commit 0d8666491a
2 changed files with 39 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
modules/backend/src/main/scala/docspell/backend/auth/AuthToken.scala
View File

@ -20,11 +20,17 @@ case class AuthToken(
nowMillis: Long, nowMillis: Long,
account: AccountId, account: AccountId,
requireSecondFactor: Boolean, requireSecondFactor: Boolean,
valid: Option[Duration],
salt: String, salt: String,
sig: String sig: String
) { ) {
def asString = def asString =
s"$nowMillis-${TokenUtil.b64enc(account.asString)}-$requireSecondFactor-$salt-$sig" valid match {
case Some(v) =>
s"$nowMillis-${TokenUtil.b64enc(account.asString)}-$requireSecondFactor-${v.seconds}-$salt-$sig"
case None =>
s"$nowMillis-${TokenUtil.b64enc(account.asString)}-$requireSecondFactor-$salt-$sig"
}
def sigValid(key: ByteVector): Boolean = { def sigValid(key: ByteVector): Boolean = {
val newSig = TokenUtil.sign(this, key) val newSig = TokenUtil.sign(this, key)
@ -36,7 +42,10 @@ case class AuthToken(
def notExpired(validity: Duration): Boolean = def notExpired(validity: Duration): Boolean =
!isExpired(validity) !isExpired(validity)
def isExpired(validity: Duration): Boolean = { def isExpired(defaultValidity: Duration): Boolean = {
val validity = valid
.filter(_.millis > 0)
.getOrElse(defaultValidity)
val ends = Instant.ofEpochMilli(nowMillis).plusMillis(validity.millis) val ends = Instant.ofEpochMilli(nowMillis).plusMillis(validity.millis)
Instant.now.isAfter(ends) Instant.now.isAfter(ends)
} }
@ -49,14 +58,26 @@ case class AuthToken(
object AuthToken { object AuthToken {
def fromString(s: String): Either[String, AuthToken] = def fromString(s: String): Either[String, AuthToken] =
s.split("\\-", 5) match { s.split("\\-", 6) match {
case Array(ms, as, fa, vs, salt, sig) =>
for {
millis <- TokenUtil.asInt(ms).toRight("Cannot read authenticator data")
acc <- TokenUtil.b64dec(as).toRight("Cannot read authenticator data")
accId <- AccountId.parse(acc)
twofac <- Right[String, Boolean](java.lang.Boolean.parseBoolean(fa))
valid <- TokenUtil
.asInt(vs)
.toRight("Cannot read authenticator data")
.map(Duration.seconds)
} yield AuthToken(millis, accId, twofac, Some(valid), salt, sig)
case Array(ms, as, fa, salt, sig) => case Array(ms, as, fa, salt, sig) =>
for { for {
millis <- TokenUtil.asInt(ms).toRight("Cannot read authenticator data") millis <- TokenUtil.asInt(ms).toRight("Cannot read authenticator data")
acc <- TokenUtil.b64dec(as).toRight("Cannot read authenticator data") acc <- TokenUtil.b64dec(as).toRight("Cannot read authenticator data")
accId <- AccountId.parse(acc) accId <- AccountId.parse(acc)
twofac <- Right[String, Boolean](java.lang.Boolean.parseBoolean(fa)) twofac <- Right[String, Boolean](java.lang.Boolean.parseBoolean(fa))
} yield AuthToken(millis, accId, twofac, salt, sig) } yield AuthToken(millis, accId, twofac, None, salt, sig)
case _ => case _ =>
Left("Invalid authenticator") Left("Invalid authenticator")
@ -65,12 +86,13 @@ object AuthToken {
def user[F[_]: Sync]( def user[F[_]: Sync](
accountId: AccountId, accountId: AccountId,
requireSecondFactor: Boolean, requireSecondFactor: Boolean,
key: ByteVector key: ByteVector,
valid: Option[Duration]
): F[AuthToken] = ): F[AuthToken] =
for { for {
salt <- Common.genSaltString[F] salt <- Common.genSaltString[F]
millis = Instant.now.toEpochMilli millis = Instant.now.toEpochMilli
cd = AuthToken(millis, accountId, requireSecondFactor, salt, "") cd = AuthToken(millis, accountId, requireSecondFactor, valid, salt, "")
sig = TokenUtil.sign(cd, key) sig = TokenUtil.sign(cd, key)
} yield cd.copy(sig = sig) } yield cd.copy(sig = sig)
@ -78,7 +100,14 @@ object AuthToken {
for { for {
now <- Timestamp.current[F] now <- Timestamp.current[F]
salt <- Common.genSaltString[F] salt <- Common.genSaltString[F]
data = AuthToken(now.toMillis, token.account, token.requireSecondFactor, salt, "") data = AuthToken(
now.toMillis,
token.account,
token.requireSecondFactor,
token.valid,
salt,
""
)
sig = TokenUtil.sign(data, key) sig = TokenUtil.sign(data, key)
} yield data.copy(sig = sig) } yield data.copy(sig = sig)
} }

6
modules/backend/src/main/scala/docspell/backend/auth/Login.scala
View File

@ -135,7 +135,7 @@ object Login {
val okResult: F[Result] = val okResult: F[Result] =
for { for {
_ <- store.transact(RUser.updateLogin(sf.token.account)) _ <- store.transact(RUser.updateLogin(sf.token.account))
newToken <- AuthToken.user(sf.token.account, false, config.serverSecret) newToken <- AuthToken.user(sf.token.account, false, config.serverSecret, None)
rem <- OptionT rem <- OptionT
.whenF(sf.rememberMe && config.rememberMe.enabled)( .whenF(sf.rememberMe && config.rememberMe.enabled)(
insertRememberToken(store, sf.token.account, config) insertRememberToken(store, sf.token.account, config)
@ -178,7 +178,7 @@ object Login {
def okResult(acc: AccountId) = def okResult(acc: AccountId) =
for { for {
_ <- store.transact(RUser.updateLogin(acc)) _ <- store.transact(RUser.updateLogin(acc))
token <- AuthToken.user(acc, false, config.serverSecret) token <- AuthToken.user(acc, false, config.serverSecret, None)
} yield Result.ok(token, None) } yield Result.ok(token, None)
def doLogin(rid: Ident) = def doLogin(rid: Ident) =
@ -253,7 +253,7 @@ object Login {
_ <- _ <-
if (require2FA) ().pure[F] if (require2FA) ().pure[F]
else store.transact(RUser.updateLogin(acc)) else store.transact(RUser.updateLogin(acc))
token <- AuthToken.user(acc, require2FA, config.serverSecret) token <- AuthToken.user(acc, require2FA, config.serverSecret, None)
rem <- OptionT rem <- OptionT
.whenF(!require2FA && rememberMe && config.rememberMe.enabled)( .whenF(!require2FA && rememberMe && config.rememberMe.enabled)(
insertRememberToken(store, acc, config) insertRememberToken(store, acc, config)