Auth tokens expires after one month (side effect: remove old tokens).

2015-11-20 17:42:18 +01:00 · 2015-11-20 17:42:18 +01:00 · bf78ad9fbe
commit bf78ad9fbe
parent 7e2dbc7358
2 changed files with 24 additions and 23 deletions
--- a/src/models/token.js
+++ b/src/models/token.js
@ -1,26 +1,10 @@
 import Collection from '../collection/redis'
 import Model from '../model'
-import {generateToken} from '../utils'

 // ===================================================================

-export default class Token extends Model {
-  static generate (userId) {
-    return generateToken().then(token => new Token({
-      id: token,
-      user_id: userId
-    }))
-  }
-}
+export default class Token extends Model {}

 // -------------------------------------------------------------------

-export class Tokens extends Collection {
-  get Model () {
-    return Token
-  }
-
-  generate (userId) {
-    return Token.generate(userId).then(token => this.add(token))
-  }
-}
+export class Tokens extends Collection {}
--- a/src/xo.js
+++ b/src/xo.js
@ -34,6 +34,7 @@ import {
  forEach,
  isEmpty,
  mapToArray,
+  noop,
  safeDateFormat
 } from './utils'
 import {generateToken} from './utils'
@ -50,7 +51,7 @@ import {PluginsMetadata} from './models/plugin-metadata'
 import {Remotes} from './models/remote'
 import {Schedules} from './models/schedule'
 import {Servers} from './models/server'
-import {Tokens} from './models/token'
+import Token, {Tokens} from './models/token'
 import {Users} from './models/user'

 // ===================================================================
@ -873,9 +874,15 @@ export default class Xo extends EventEmitter {
  // -----------------------------------------------------------------

  async createAuthenticationToken ({userId}) {
-    // TODO: use plain objects
-    const token = await this._tokens.generate(userId)
+    const token = new Token({
+      id: await generateToken(),
+      user_id: userId,
+      expiration: Date.now() + 1e3 * 60 * 60 * 24 * 30 // 1 month validity.
+    })

+    await this._tokens.add(token)
+
+    // TODO: use plain properties directly.
    return token.properties
  }

@ -886,12 +893,22 @@ export default class Xo extends EventEmitter {
  }

  async getAuthenticationToken (id) {
-    const token = await this._tokens.first(id)
+    let token = await this._tokens.first(id)
    if (!token) {
      throw new NoSuchAuthenticationToken(id)
    }

-    return token.properties
+    token = token.properties
+
+    if (!(
+      token.expiration > Date.now()
+    )) {
+      this._tokens.remove(id).catch(noop)
+
+      throw new NoSuchAuthenticationToken(id)
+    }
+
+    return token
  }

  // -----------------------------------------------------------------