Merge pull request #1207 from ChildMindInstitute/release/1.3.21

Release/1.3.21
ChildMindInstitute · Apr 3, 2024 · 4071fc8 · 4071fc8
2 parents 2751de7 + b578c7a
commit 4071fc8
Show file tree

Hide file tree

Showing 5 changed files with 155 additions and 32 deletions.
diff --git a/.env.default b/.env.default
@@ -34,6 +34,8 @@ AUTHENTICATION__REFRESH_TOKEN__EXPIRATION=540
 AUTHENTICATION__ALGORITHM="HS256"
 AUTHENTICATION__TOKEN_TYPE="Bearer"
 AUTHENTICATION__PASSWORD_RECOVER__EXPIRATION=900
+AUTHENTICATION__REFRESH_TOKEN__TRANSITION_KEY=
+#AUTHENTICATION__REFRESH_TOKEN__TRANSITION_EXPIRE_DATE=
 
 
 # Mailing

diff --git a/README.md b/README.md
@@ -72,28 +72,30 @@ pipenv --python /opt/homebrew/bin/python3.10
 
 ### Environment Variables
 
-| Key                                       | Default value      | Description                                                                                                                            |
-| ----------------------------------------- | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------- |
-| DATABASE\_\_HOST                          | postgres           | Database Host                                                                                                                          |
-| DATABASE\_\_USER                          | postgres           | User name for Postgresql Database user                                                                                                 |
-| DATABASE\_\_PASSWORD                      | postgres           | Password for Postgresql Database user                                                                                                  |
-| DATABASE\_\_DB                            | mindlogger_backend | Database name                                                                                                                          |
-| CORS\_\_ALLOW\_ORIGINS                     | `*`                | Represents the list of allowed origins. Set the `Access-Control-Allow-Origin` header. Example: `https://dev.com,http://localohst:8000` |
-| CORS\_\_ALLOW\_ORIGINS\_REGEX                 | -       | Regex pattern of allowed origins. |
-| CORS\_\_ALLOW\_CREDENTIALS                 | true               | Set the `Access-Control-Allow-Credentials` header                                                                                      |
-| CORS\_\_ALLOW_METHODS                     | `*`                | Set the `Access-Control-Allow-Methods` header                                                                                          |
-| CORS\_\_ALLOW_HEADERS                     | `*`                | Set the `Access-Control-Allow-Headers` header                                                                                          |
-| AUTHENTICATION\_\_ACCESS\_TOKEN\_\_SECRET\_KEY  | secret1            | Access token's salt                                                                                                                    |
-| AUTHENTICATION\_\_REFRESH\_TOKEN\_\_SECRET\_KEY | secret2            | Refresh token salt                                                                                                                     |
-| AUTHENTICATION\_\_ALGORITHM               | HS256              | The JWT's algorithm                                                                                                                    |
-| AUTHENTICATION\_\_ACCESS\_TOKEN\_\_EXPIRATION  | 30                 | Time in minutes after which the access token will stop working                                                                         |
-| AUTHENTICATION\_\_REFRESH\_TOKEN\_\_EXPIRATION | 30                 | Time in minutes after which the refresh token will stop working                                                                        |
-| ADMIN_DOMAIN                              | -                  | Admin panel domain                                                                                                                     |
-| RABBITMQ\_\_URL | rabbitmq                  |  Rabbitmq service URL
-| RABBITMQ\_\_USE_SSL | True                  |  Rabbitmq ssl setting, turn false to local development
-| MAILING\_\_MAIL\_\_USERNAME | mailhog                  |  Mail service username
-| MAILING\_\_MAIL\_\_PASSWORD | mailhog                  |  Mail service password
-| MAILING\_\_MAIL\_\_SERVER | mailhog                  |  Mail service URL
+| Key                                                          | Default value              | Description                                                                                                                                                                                                                                                                                                                            |
+|--------------------------------------------------------------|----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| DATABASE\_\_HOST                                             | postgres                   | Database Host                                                                                                                                                                                                                                                                                                                          |
+| DATABASE\_\_USER                                             | postgres                   | User name for Postgresql Database user                                                                                                                                                                                                                                                                                                 |
+| DATABASE\_\_PASSWORD                                         | postgres                   | Password for Postgresql Database user                                                                                                                                                                                                                                                                                                  |
+| DATABASE\_\_DB                                               | mindlogger_backend         | Database name                                                                                                                                                                                                                                                                                                                          |
+| CORS\_\_ALLOW\_ORIGINS                                       | `*`                        | Represents the list of allowed origins. Set the `Access-Control-Allow-Origin` header. Example: `https://dev.com,http://localohst:8000`                                                                                                                                                                                                 |
+| CORS\_\_ALLOW\_ORIGINS\_REGEX                                | -                          | Regex pattern of allowed origins.                                                                                                                                                                                                                                                                                                      |
+| CORS\_\_ALLOW\_CREDENTIALS                                   | true                       | Set the `Access-Control-Allow-Credentials` header                                                                                                                                                                                                                                                                                      |
+| CORS\_\_ALLOW_METHODS                                        | `*`                        | Set the `Access-Control-Allow-Methods` header                                                                                                                                                                                                                                                                                          |
+| CORS\_\_ALLOW_HEADERS                                        | `*`                        | Set the `Access-Control-Allow-Headers` header                                                                                                                                                                                                                                                                                          |
+| AUTHENTICATION\_\_ACCESS\_TOKEN\_\_SECRET\_KEY               | secret1                    | Access token's salt                                                                                                                                                                                                                                                                                                                    |
+| AUTHENTICATION\_\_REFRESH\_TOKEN\_\_SECRET\_KEY              | secret2                    | Refresh token salt                                                                                                                                                                                                                                                                                                                     |
+| AUTHENTICATION\_\_REFRESH\_TOKEN\_\_TRANSITION\_KEY          | transition secret          | Transition refresh token salt. Used for changing refresh token key (generate new key for AUTHENTICATION\_\_REFRESH\_TOKEN\_\_SECRET\_KEY and use previous value as transition token key for accepting previously generated refresh tokens during transition period (see AUTHENTICATION\_\_REFRESH\_TOKEN\_\_TRANSITION\_EXPIRE\_DATE)) |
+| AUTHENTICATION\_\_REFRESH\_TOKEN\_\_TRANSITION\_EXPIRE\_DATE | transition expiration date | Transition expiration date. After this date transition token ignored                                                                                                                                                                                                                                                                   |
+| AUTHENTICATION\_\_ALGORITHM                                  | HS256                      | The JWT's algorithm                                                                                                                                                                                                                                                                                                                    |
+| AUTHENTICATION\_\_ACCESS\_TOKEN\_\_EXPIRATION                | 30                         | Time in minutes after which the access token will stop working                                                                                                                                                                                                                                                                         |
+| AUTHENTICATION\_\_REFRESH\_TOKEN\_\_EXPIRATION               | 30                         | Time in minutes after which the refresh token will stop working                                                                                                                                                                                                                                                                        |
+| ADMIN_DOMAIN                                                 | -                          | Admin panel domain                                                                                                                                                                                                                                                                                                                     |
+| RABBITMQ\_\_URL                                              | rabbitmq                   | Rabbitmq service URL                                                                                                                                                                                                                                                                                                                   
+| RABBITMQ\_\_USE_SSL                                          | True                       | Rabbitmq ssl setting, turn false to local development                                                                                                                                                                                                                                                                                  
+| MAILING\_\_MAIL\_\_USERNAME                                  | mailhog                    | Mail service username                                                                                                                                                                                                                                                                                                                  
+| MAILING\_\_MAIL\_\_PASSWORD                                  | mailhog                    | Mail service password                                                                                                                                                                                                                                                                                                                  
+| MAILING\_\_MAIL\_\_SERVER                                    | mailhog                    | Mail service URL                                                                                                                                                                                                                                                                                                                       
 
 ##### ✋ Mandatory:
 

diff --git a/src/apps/authentication/api/auth.py b/src/apps/authentication/api/auth.py
@@ -73,17 +73,35 @@ async def refresh_access_token(
     """Refresh access token."""
     async with atomic(session):
         try:
-            payload = jwt.decode(
-                schema.refresh_token,
-                settings.authentication.refresh_token.secret_key,
-                algorithms=[settings.authentication.algorithm],
-            )
+            regenerate_refresh_token = False
+            try:
+                payload = jwt.decode(
+                    schema.refresh_token,
+                    settings.authentication.refresh_token.secret_key,
+                    algorithms=[settings.authentication.algorithm],
+                )
+            except JWTError:
+                # check transition key
+                transition_key = settings.authentication.refresh_token.transition_key
+                transition_expire_date = settings.authentication.refresh_token.transition_expire_date
+
+                if not (
+                    transition_key and transition_expire_date and transition_expire_date > datetime.utcnow().date()
+                ):
+                    raise
+                payload = jwt.decode(
+                    schema.refresh_token,
+                    transition_key,
+                    algorithms=[settings.authentication.algorithm],
+                )
+                regenerate_refresh_token = True
+
             token_data = TokenPayload(**payload)
 
             if datetime.utcfromtimestamp(token_data.exp) < datetime.utcnow():
                 raise AuthenticationError
 
-            if not (user_id := payload[JWTClaim.sub]):
+            if not (user_id := token_data.sub):
                 raise InvalidRefreshToken()
 
         except (JWTError, ValidationError) as e:
@@ -94,14 +112,25 @@ async def refresh_access_token(
         if revoked:
             raise AuthenticationError
 
+        rjti = token_data.jti
+        refresh_token = schema.refresh_token
+        if regenerate_refresh_token:
+            # blacklist current refresh token
+            await AuthenticationService(session).revoke_token(InternalToken(payload=token_data), TokenPurpose.REFRESH)
+
+            rjti = str(uuid.uuid4())
+            refresh_token = AuthenticationService.create_refresh_token(
+                {JWTClaim.sub: str(user_id), JWTClaim.jti: rjti, JWTClaim.exp: token_data.exp}
+            )
+
         access_token = AuthenticationService.create_access_token(
             {
                 JWTClaim.sub: str(user_id),
-                JWTClaim.rjti: token_data.jti,
+                JWTClaim.rjti: rjti,
             }
         )
 
-    return Response(result=Token(access_token=access_token, refresh_token=schema.refresh_token))
+    return Response(result=Token(access_token=access_token, refresh_token=refresh_token))
 
 
 async def delete_access_token(