mirror of
https://github.com/grafana/grafana.git
synced 2025-01-27 16:57:14 -06:00
382b24742a
* FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
57 lines
1.3 KiB
Go
57 lines
1.3 KiB
Go
package usertoken
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
)
|
|
|
|
var ErrInvalidSessionToken = errors.New("invalid session token")
|
|
|
|
type TokenRevokedError struct {
|
|
UserID int64
|
|
TokenID int64
|
|
MaxConcurrentSessions int64
|
|
}
|
|
|
|
func (e *TokenRevokedError) Error() string {
|
|
return fmt.Sprintf("%s: user token revoked", ErrInvalidSessionToken)
|
|
}
|
|
|
|
func (e *TokenRevokedError) Unwrap() error { return ErrInvalidSessionToken }
|
|
|
|
// UserToken represents a user token
|
|
type UserToken struct {
|
|
Id int64
|
|
UserId int64
|
|
AuthToken string
|
|
PrevAuthToken string
|
|
UserAgent string
|
|
ClientIp string
|
|
AuthTokenSeen bool
|
|
SeenAt int64
|
|
RotatedAt int64
|
|
CreatedAt int64
|
|
UpdatedAt int64
|
|
RevokedAt int64
|
|
UnhashedToken string
|
|
}
|
|
|
|
const UrgentRotateTime = 1 * time.Minute
|
|
|
|
func (t *UserToken) NeedsRotation(rotationInterval time.Duration) bool {
|
|
rotatedAt := time.Unix(t.RotatedAt, 0)
|
|
if !t.AuthTokenSeen {
|
|
return rotatedAt.Before(time.Now().Add(-UrgentRotateTime))
|
|
}
|
|
|
|
return rotatedAt.Before(time.Now().Add(-rotationInterval))
|
|
}
|
|
|
|
const rotationLeeway = 5 * time.Second
|
|
|
|
func (t *UserToken) NextRotation(rotationInterval time.Duration) time.Time {
|
|
rotatedAt := time.Unix(t.RotatedAt, 0)
|
|
return rotatedAt.Add(rotationInterval - rotationLeeway)
|
|
}
|