From bf78ad9fbed3c7191e99722e15bec5d8f3a9b132 Mon Sep 17 00:00:00 2001
From: Julien Fontanet
Date: Fri, 20 Nov 2015 17:42:18 +0100
Subject: [PATCH 1/2] Auth tokens expires after one month (side effect: remove old tokens).
---
 src/models/token.js | 20 ++------------------
 src/xo.js | 27 ++++++++++++++++++++++-----
 2 files changed, 24 insertions(+), 23 deletions(-)
diff --git a/src/models/token.js b/src/models/token.js
index 0694bb186..b12ab7fd1 100644
--- a/src/models/token.js
+++ b/src/models/token.js
@@ -1,26 +1,10 @@
 import Collection from '../collection/redis'
 import Model from '../model'
-import {generateToken} from '../utils'
 // ===================================================================
-export default class Token extends Model {
- static generate (userId) {
- return generateToken().then(token => new Token({
- id: token,
- user_id: userId
- }))
- }
-}
+export default class Token extends Model {}
 // -------------------------------------------------------------------
-export class Tokens extends Collection {
- get Model () {
- return Token
- }
-
- generate (userId) {
- return Token.generate(userId).then(token => this.add(token))
- }
-}
+export class Tokens extends Collection {}
diff --git a/src/xo.js b/src/xo.js
index 6bfca06ca..abed00fd8 100644
--- a/src/xo.js
+++ b/src/xo.js
@@ -34,6 +34,7 @@ import {
 forEach,
 isEmpty,
 mapToArray,
+ noop,
 safeDateFormat
 } from './utils'
 import {generateToken} from './utils'
@@ -50,7 +51,7 @@ import {PluginsMetadata} from './models/plugin-metadata'
 import {Remotes} from './models/remote'
 import {Schedules} from './models/schedule'
 import {Servers} from './models/server'
-import {Tokens} from './models/token'
+import Token, {Tokens} from './models/token'
 import {Users} from './models/user'
 // ===================================================================
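Review bot: The two classes left in the src/models/token.js hunk are now empty and no longer describe the record they model, while the properties a token carries (`id`, `user_id`, `expiration`) are set only in src/xo.js; a short comment on `Token` keeps the shape discoverable from the model file, e.g. `// Properties: id (the bearer secret itself, also the lookup key), user_id, expiration (absolute time in ms).` Dropping `get Model ()` from `Tokens` also means the collection now relies on whatever `Collection` resolves by default; `getAuthenticationToken` in src/xo.js still reads `.properties` from what `first(id)` returns, so that default presumably still produces a model instance, but this hunk does not show it and it is worth confirming rather than assuming.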
@@ -873,9 +874,15 @@ export default class Xo extends EventEmitter {
 // -----------------------------------------------------------------
 async createAuthenticationToken ({userId}) {
- // TODO: use plain objects
- const token = await this._tokens.generate(userId)
+ const token = new Token({
+ id: await generateToken(),
+ user_id: userId,
+ expiration: Date.now() + 1e3 * 60 * 60 * 24 * 30 // 1 month validity.
+ })
+ await this._tokens.add(token)
+
+ // TODO: use plain properties directly.
 return token.properties
 }
@@ -886,12 +893,22 @@ export default class Xo extends EventEmitter {
 }
 async getAuthenticationToken (id) {
- const token = await this._tokens.first(id)
+ let token = await this._tokens.first(id)
 if (!token) {
 throw new NoSuchAuthenticationToken(id)
 }
- return token.properties
+ token = token.properties
+
+ if (!(
+ token.expiration > Date.now()
+ )) {
+ this._tokens.remove(id).catch(noop)
+
+ throw new NoSuchAuthenticationToken(id)
+ }
+
+ return token
 }
 // -----------------------------------------------------------------
From d21742afb6d1d97bc10220e4aa618260b3ecf347 Mon Sep 17 00:00:00 2001
From: Julien Fontanet
Date: Fri, 20 Nov 2015 18:05:26 +0100
Subject: [PATCH 2/2] 4.9.2
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index a91b931d2..47fd14a96 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "xo-server",
- "version": "4.9.1",
+ "version": "4.9.2",
 "license": "AGPL-3.0",
 "description": "Server part of Xen-Orchestra",
 "keywords": [
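Review bot: The token lifetime on the `expiration:` line of `createAuthenticationToken` is an inline product `1e3 * 60 * 60 * 24 * 30` whose comment says "1 month" but which is exactly 30 days; a named module-level constant makes the policy visible and greppable, e.g. `const TOKEN_VALIDITY_MS = 30 * 24 * 60 * 60 * 1e3 // 30 days` and `expiration: Date.now() + TOKEN_VALIDITY_MS`. Note also that the value returned by `generateToken()` is stored verbatim as the record `id`, so the persisted record is the bearer secret itself; whether that is acceptable depends on how the Redis-backed collection is protected, which this hunk does not show. A short docblock on the method stating that the returned `expiration` is an absolute timestamp in milliseconds would help API consumers, since the property is new and otherwise undocumented.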
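Review bot: In `getAuthenticationToken`, `this._tokens.remove(id).catch(noop)` discards any failure from the removal, so a storage error at that point is invisible; the throw that follows is right, but the rejection should at least be logged rather than dropped, e.g. `this._tokens.remove(id).catch(error => console.error('failed to remove expired token', error))` (or the project's own logger, if one exists). The check `!(token.expiration > Date.now())` deliberately also rejects records that have no `expiration` at all (the pre-existing tokens the subject mentions), which is worth a one-line comment since it reads like a typo for `<=`: `// Also rejects legacy tokens with no expiration (undefined compares false).` Expired tokens are only removed when they are presented again, so tokens that are never reused stay in the collection indefinitely; a periodic sweep would be needed if that growth matters.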