Refresh token validation appears broken #746
Description
There are two things that I noticed around validate_refresh_token:
- It ignores
REFRESH_TOKEN_EXPIRE_SECONDSentirely, regardless of whether it's set refresh tokens seem to work until the end of time (unless revoked or rotated). - It always checks
revokedtimestamp againstREFRESH_TOKEN_GRACE_PERIOD_SECONDSwhich is valid logic when tokens are revoked by rotation but not so much in case of voluntary revocation (logging out). clear_expiredhas two ways of determining which tokens to remove and both of them seem incorrect:revoked__lt=refresh_expire_at-- revoked is set tonowon revocation or rotation butclear_expiredwon't get them until after additionalEXPIRE_SECONDS,access_token__expires__lt=refresh_expire_at-- lets them sit in the database forEXPIRE_SECONDSafter access token expiration, not since the issue time (also if clear_expired is called often enough it's possible that it might remove the expired access token before it considers deleting the corresponding refresh token and the condition would never be met, leaving the refresh token in the db forever and causing other trouble).
My proposal:
- Add an additional filter to check that refresh token wasn't
createdbeforenow() - REFRESH_TOKEN_EXPIRE_SECONDS(possibly- REFRESH_TOKEN_GRACE_PERIOD_SECONDSas well, not sure). Alternatively, see (4) - On token rotation, instead of setting
revoked = now()set it tonow() + GRACE_PERIOD(and remove grace period subtraction everywhere, always comparerevokedwithnow) -- this way tokens revoked voluntarily would be revoked immediately but rotated tokens would continue to live until the grace period. Probably by adding an optional argument to therevoke()method (either timedelta/seconds to add or just boolean so that value is fetched from settings instead). - Remove expired refresh tokens based on their
createdtime, not (only) the others. - Possibly use
RefreshToken.revokedthe same wayAccessToken.expiresis used: if REFRESH_TOKEN_EXPIRE_SECONDS is set, setrevoked = now + EXPIRE_SECONDSon issuing a new token, to simplify the following validation. It would've looked better if the field was calledexpiresthough, but renaming is probably not worth it now. This might be superior to checking anything againstcreatedbecause this way it would be possible to extend expiration time if desired (e.g. on renewal) without having to break the audit trail automagiccreatedtimestamp provides. - Possibly add a separate settings variable (and possibly an overriding command argument) for configuring
clear_expired: instead of removing everything that was expired or using expire_seconds settings it can only remove tokens that were expired for longer than a given period (could be a day or even a year, depending on the application's load, we could also try to set some sensible default). it would probably be a good idea not to remove access tokens if they still have a valid refresh token linked to them (required for determining scopes and some other things on renewal). Also, it might make sense to allow introspecting expired tokens, but that's probably not a priority, can't think of a use case for that right now.
Thoughts?