
Removal of Old Tokens/Codes #60

Closed
nmohoric opened this issue Nov 23, 2015 · 5 comments

Comments

@nmohoric (Contributor)

A client has requested that tokens/codes should no longer be usable if the same client has a newer one for that user, to allow for less possible attack vectors.

Before I begin implementing a solution I thought I would check here to see if:
a) this would be something you would be interested in merging in and, if so,
b) you had any preferences on implementation

I imagine the two possible solutions would be to set the old code/token to have expired long ago, or just delete it outright from the database.

Any feedback/suggestions/questions would be appreciated.

@juanifioren (Owner)

Hi @nmohoric

I already thought about this topic, so I'm interested. I have a few ideas about a possible implementation:

  • Having a command cleartokens that removes expired codes/tokens from the database.
  • Add an action for the admin (read more).

I think deleting from the database will be better.

Greetings.

@orzel

orzel commented Mar 5, 2017

I definitely think that a Django command is needed for this, exactly as is already the case for sessions ("clearsessions").
Actually, it seemed so obvious that I assumed such a command already existed. It's not difficult, is it? Would you merge it if I implement it in management/commands/cleartokens.py?

@orzel

orzel commented May 18, 2018

yes...? No .... ?

@orzel

orzel commented May 18, 2018

# Django
from django.core.management.base import BaseCommand
from django.utils import timezone

# Project
from oidc_provider.models import Token, Code


class Command(BaseCommand):
    help = 'Remove expired entries for Token and Code'

    def handle(self, *args, **options):
        # Select every row whose expiry timestamp is already in the past.
        now = timezone.now()
        old_tokens = Token.objects.filter(expires_at__lt=now)
        old_codes = Code.objects.filter(expires_at__lt=now)
        self.stdout.write(u'Removing %d old tokens and %d old codes.' % (
            old_tokens.count(),
            old_codes.count(),
        ))

        # Delete the expired rows outright (the approach preferred above).
        old_tokens.delete()
        old_codes.delete()

        self.stdout.write(u'It remains %d tokens and %d codes.' % (
            Token.objects.count(),
            Code.objects.count(),
        ))


@juanifioren (Owner)

@orzel Hi! Yes, sorry. This feature is cool. But there is a problem. I want to create stats about token usage in the future, so this will remove those tokens, which are important info.

Example useful stat: Client A had 12k logins with different users in January 2017.
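The thread discusses three things: superseding an older token when the same client gets a newer one for the same user, a cleartokens-style purge of expired rows, and the owner's wish to keep per-client usage stats. The following added example (not code from this issue or from django-oidc-provider) models all three in plain Python with a constructed in-memory store, so the policy can be checked without a database; the Token and TokenStore names are hypothetical stand-ins for the project's models.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Token:
    # Constructed stand-in for an oidc_provider Token/Code row.
    client_id: str
    user_id: int
    issued_at: datetime
    expires_at: datetime


@dataclass
class TokenStore:
    rows: list = field(default_factory=list)
    # (client_id, "YYYY-MM") -> number of tokens issued; survives purging.
    usage: Counter = field(default_factory=Counter)

    def issue(self, client_id, user_id, now, lifetime=timedelta(hours=1)):
        """Issue a token; older live tokens for the same client+user stop working."""
        for t in self.rows:
            if t.client_id == client_id and t.user_id == user_id and t.expires_at > now:
                t.expires_at = now  # option 1 from the thread: mark it expired
        tok = Token(client_id, user_id, now, now + lifetime)
        self.rows.append(tok)
        # Record the stat at issue time, so cleanup cannot erase it later.
        self.usage[(client_id, now.strftime("%Y-%m"))] += 1
        return tok

    def active(self, now):
        """Tokens that are still usable at `now`."""
        return [t for t in self.rows if t.expires_at > now]

    def clear_expired(self, now):
        """Option 2 from the thread (cleartokens): delete expired rows, return count."""
        before = len(self.rows)
        self.rows = [t for t in self.rows if t.expires_at > now]
        return before - len(self.rows)

    def logins(self, client_id, month):
        """Per-client monthly issue count, e.g. logins("clientA", "2017-01")."""
        return self.usage[(client_id, month)]
```

Because the usage counter is written when the token is issued rather than derived from surviving rows, the purge command no longer conflicts with the stats use case.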
