grafana/pkg/models/usertoken/user_token.go

package usertoken

import (
	"errors"
	"fmt"
	"time"
)

var ErrInvalidSessionToken = errors.New("invalid session token")

type TokenRevokedError struct {
	UserID                int64
	TokenID               int64
	MaxConcurrentSessions int64
}

func (e *TokenRevokedError) Error() string {
	return fmt.Sprintf("%s: user token revoked", ErrInvalidSessionToken)
}

func (e *TokenRevokedError) Unwrap() error { return ErrInvalidSessionToken }

// UserToken represents a user token
type UserToken struct {
	Id            int64
	UserId        int64
	AuthToken     string
	PrevAuthToken string
	UserAgent     string
	ClientIp      string
	AuthTokenSeen bool
	SeenAt        int64
	RotatedAt     int64
	CreatedAt     int64
	UpdatedAt     int64
	RevokedAt     int64
	UnhashedToken string
}

const UrgentRotateTime = 1 * time.Minute

func (t *UserToken) NeedsRotation(rotationInterval time.Duration) bool {
	rotatedAt := time.Unix(t.RotatedAt, 0)
	if !t.AuthTokenSeen {
		return rotatedAt.Before(time.Now().Add(-UrgentRotateTime))
	}

	return rotatedAt.Before(time.Now().Add(-rotationInterval))
}

const rotationLeeway = 5 * time.Second

func (t *UserToken) NextRotation(rotationInterval time.Duration) time.Time {
	rotatedAt := time.Unix(t.RotatedAt, 0)
	return rotatedAt.Add(rotationInterval - rotationLeeway)
}
Auth: Refactor auth package (#58920) * Auth: move interface to its own file * Auth: move to test package * Auth: move quota consts to auth file * Auth: move service to impl package * Auth: move interfaces and related models to auth package * Auth: Create sub package and type alias to avoid circular dependency 2022-11-18 02:56:06 -06:00			`package usertoken`

Sessions: Remove invalid session cookie if it's invalid/expired/missing (#59556) only remove invalid session cookie if it's invalid/expired/missing 2022-11-30 08:33:19 -06:00			`import (`
			`"errors"`
			`"fmt"`
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-03-23 08:39:04 -05:00			`"time"`
Sessions: Remove invalid session cookie if it's invalid/expired/missing (#59556) only remove invalid session cookie if it's invalid/expired/missing 2022-11-30 08:33:19 -06:00			`)`

			`var ErrInvalidSessionToken = errors.New("invalid session token")`

Auth: Refactor auth package (#58920) * Auth: move interface to its own file * Auth: move to test package * Auth: move quota consts to auth file * Auth: move service to impl package * Auth: move interfaces and related models to auth package * Auth: Create sub package and type alias to avoid circular dependency 2022-11-18 02:56:06 -06:00			`type TokenRevokedError struct {`
			`UserID int64`
			`TokenID int64`
			`MaxConcurrentSessions int64`
			`}`

Sessions: Remove invalid session cookie if it's invalid/expired/missing (#59556) only remove invalid session cookie if it's invalid/expired/missing 2022-11-30 08:33:19 -06:00			`func (e *TokenRevokedError) Error() string {`
			`return fmt.Sprintf("%s: user token revoked", ErrInvalidSessionToken)`
			`}`

			`func (e *TokenRevokedError) Unwrap() error { return ErrInvalidSessionToken }`
Auth: Refactor auth package (#58920) * Auth: move interface to its own file * Auth: move to test package * Auth: move quota consts to auth file * Auth: move service to impl package * Auth: move interfaces and related models to auth package * Auth: Create sub package and type alias to avoid circular dependency 2022-11-18 02:56:06 -06:00
			`// UserToken represents a user token`
			`type UserToken struct {`
			`Id int64`
			`UserId int64`
			`AuthToken string`
			`PrevAuthToken string`
			`UserAgent string`
			`ClientIp string`
			`AuthTokenSeen bool`
			`SeenAt int64`
			`RotatedAt int64`
			`CreatedAt int64`
			`UpdatedAt int64`
			`RevokedAt int64`
			`UnhashedToken string`
			`}`
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-03-23 08:39:04 -05:00
			`const UrgentRotateTime = 1 * time.Minute`

			`func (t *UserToken) NeedsRotation(rotationInterval time.Duration) bool {`
			`rotatedAt := time.Unix(t.RotatedAt, 0)`
			`if !t.AuthTokenSeen {`
			`return rotatedAt.Before(time.Now().Add(-UrgentRotateTime))`
			`}`

			`return rotatedAt.Before(time.Now().Add(-rotationInterval))`
			`}`

			`const rotationLeeway = 5 * time.Second`

			`func (t *UserToken) NextRotation(rotationInterval time.Duration) time.Time {`
			`rotatedAt := time.Unix(t.RotatedAt, 0)`
			`return rotatedAt.Add(rotationInterval - rotationLeeway)`
			`}`