[#811] Implement refresh token reuse detection grace period #812
Conversation
shurwit
left a comment
shurwit
left a comment
There was a problem hiding this comment.
Thanks @roberlander2 looks good! Just a couple of minor comments below!
petyos
left a comment
petyos
left a comment
There was a problem hiding this comment.
@roberlander2, @shurwit , this seems like the right approach.
Just a quick note - let’s make sure we also keep the system APIs for create (and especially update) for the application organization up to date, because we recently had an issue where the update API did not reflect the FERPA record, and each call to it was resetting that FERPA field.
Thanks both.
…current or previous refresh token [#811]
Thanks @shurwit I made some additional changes to address the issues you pointed out. |
shurwit
left a comment
shurwit
left a comment
There was a problem hiding this comment.
Thanks @roberlander2, this is looking better! Just a couple more questions below.
driver/web/utils.go
Outdated
| if err != nil { | ||
| return l.HTTPResponseErrorData(logutils.StatusMissing, model.TypeRefreshToken, nil, err, http.StatusInternalServerError, false) | ||
| } |
There was a problem hiding this comment.
Is there any risk to adding this check here?
Previously if the login session doesn't have a refresh token we would just send back an empty string in the response, but still send back the other tokens. Now we will return an error instead.
Are there any cases where we don't provide a refresh token (eg. anonymous auth, some setting to disable refresh on app org... etc.)?
There was a problem hiding this comment.
I checked on this and the only case where there would be no refresh token here is if we are returning a login session in the MFA state, so I added an additional check for this.
petyos
left a comment
petyos
left a comment
There was a problem hiding this comment.
LGTM. There was just one place where the grace period for the app/org’s API wasn’t set. I added it. Thanks!
petyos
deleted the
811-implement-refresh-token-reuse-detection-grace-period
branch
|
|
||
| return nil, nil | ||
| return nil, nil | ||
| } |
There was a problem hiding this comment.
Hi @petyos @roberlander2 , just realized that we should probably add some logging here to have a record in the logs when a previous refresh token is used, but is allowed to continue due to the grace period. This will help us evaluate the impact of this change and ensure there aren't any issues resulting from it.
…okwire#812) * add refresh grace period [rokwire#811] * only allow the previous refresh token to be used in the grace period [rokwire#811] * change grace period from minutes to seconds, return error on missing current or previous refresh token [rokwire#811] * better error handling [rokwire#811] * fix secrets * Set grace period policy in the api when get data --------- Co-authored-by: Petyo Stoyanov <petyo.stoyanov@inabit.eu>
Description
This PR adds a refresh grace period policy to app org login session settings. If the previous refresh token is used to attempt a login session refresh within the grace period defined by the policy, now the refresh attempt will succeed.
Resolves #811
Review Time Estimate
Please give your idea of how soon this pull request needs to be reviewed by selecting one of the options below. This can be based on the criticality of the issue at hand and/or other relevant factors.
Type of changes
Please select a relevant option:
Checklist:
Please select all applicable options: