[api/jwt] add expiration date for token

oar-team · Nov 14, 2023 · 01e1da4 · 01e1da4
1 parent c917234
commit 01e1da4
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 13 deletions.
diff --git a/etc/oar.conf b/etc/oar.conf
@@ -660,6 +660,8 @@ OARSTAT_DEFAULT_OUTPUT_FORMAT=2
 # openssl rand -hex 32
 API_SECRET_KEY="3f22a0a65212bfb6cdf0dc4b39be189b3c89c6c2c8ed0d1655e0df837145208b"
 API_SECRET_ALGORITHM="HS256"
+API_ACCESS_TOKEN_EXPIRE_MINUTES = 524160 # One year
+
 
 # Disable this if you are not ok with a simple pidentd "authentication"
 # It is safe enough if you fully trust the client hosts (with an apropriate

diff --git a/oar/api/app.py b/oar/api/app.py
@@ -43,7 +43,10 @@ def __call__(self, scope, receive, send):
 
 
 def create_app(
-    config: Optional[Configuration] = None, engine=None, root_path: Optional[str] = None, logger=None
+    config: Optional[Configuration] = None,
+    engine=None,
+    root_path: Optional[str] = None,
+    logger=None,
 ):
     """Return the OAR API application instance."""
     app = FastAPI(root_path=root_path)

diff --git a/oar/api/auth.py b/oar/api/auth.py
@@ -23,8 +23,7 @@
 
 
 def get_user(
-    credentials: Annotated[str, Depends(oauth2_scheme)],
-    config=Depends(get_config)
+    credentials: Annotated[str, Depends(oauth2_scheme)], config=Depends(get_config)
 ) -> Optional[str]:
 
     username = None

diff --git a/oar/api/routers/frontend.py b/oar/api/routers/frontend.py
@@ -6,6 +6,7 @@
 from passlib.apache import HtpasswdFile
 
 from oar import VERSION
+
 # from oar.lib.globals import get_logger
 from oar.lib.configuration import Configuration
 
@@ -99,7 +100,5 @@ def authentication(
 
 @router.get("/me")
 async def read_users_me(current_user: Annotated[str, Depends(get_user)]):
-    data = {
-        "user": current_user
-    }
+    data = {"user": current_user}
     return data
diff --git a/oar/lib/access_token.py b/oar/lib/access_token.py
@@ -1,19 +1,24 @@
-from datetime import datetime
+from datetime import datetime, timedelta
 
 from jose import jwt
-from oar.lib.configuration import Configuration
 
-# SECRET_KEY = "3f22a0a65212bfb6cdf0dc4b39be189b3c89c6c2c8ed0d1655e0df837145208b"
-ALGORITHM = "HS256"
+from oar.lib.configuration import Configuration
 
 
 def create_access_token(data: dict, config: Configuration) -> str:
     to_encode = data.copy()
-    to_encode.update({"date": f"{datetime.utcnow()}"})
+
+    now = datetime.utcnow()
+    exp_minutes = int(config.get("API_ACCESS_TOKEN_EXPIRE_MINUTES"))
+    expires_delta = timedelta(minutes=exp_minutes)
+
+    expire = now + expires_delta
+    to_encode.update({"exp": expire, "date": f"{now}"})
 
     # to get a string like this run:
     # openssl rand -hex 32
-    SECRET_KEY = config.get("API_SECRET_KEY", None)
+    secret_key = config.get("API_SECRET_KEY", None)
+    algorithm = config.get("API_SECRET_ALGORITHM", None)
 
-    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+    encoded_jwt = jwt.encode(to_encode, secret_key, algorithm=algorithm)
     return encoded_jwt