164 lines
5.6 KiB
Python
164 lines
5.6 KiB
Python
"""OIDC Refresh Token model for token rotation."""
|
|
from datetime import datetime, timezone
|
|
from gatehouse_app.extensions import db
|
|
from gatehouse_app.models.base import BaseModel
|
|
|
|
|
|
class OIDCRefreshToken(BaseModel):
|
|
"""OIDC Refresh Token model for token refresh and rotation.
|
|
|
|
Refresh tokens are long-lived credentials used to obtain new access tokens.
|
|
They support token rotation for enhanced security.
|
|
"""
|
|
|
|
__tablename__ = "oidc_refresh_tokens"
|
|
|
|
# Client and User references
|
|
client_id = db.Column(
|
|
db.String(255), db.ForeignKey("oidc_clients.id"), nullable=False, index=True
|
|
)
|
|
user_id = db.Column(
|
|
db.String(36), db.ForeignKey("users.id"), nullable=False, index=True
|
|
)
|
|
|
|
# Token (hashed for security)
|
|
token_hash = db.Column(db.String(255), nullable=False, unique=True, index=True)
|
|
|
|
# Associated access token ID
|
|
access_token_id = db.Column(
|
|
db.String(36), db.ForeignKey("sessions.id"), nullable=True, index=True
|
|
)
|
|
|
|
# Token scope
|
|
scope = db.Column(db.JSON, nullable=True) # Granted scopes
|
|
|
|
# Timing
|
|
expires_at = db.Column(db.DateTime, nullable=False, index=True)
|
|
|
|
# Revocation tracking
|
|
revoked_at = db.Column(db.DateTime, nullable=True)
|
|
revoked_reason = db.Column(db.String(255), nullable=True)
|
|
|
|
# Token rotation metadata
|
|
previous_token_hash = db.Column(db.String(255), nullable=True) # For rotation
|
|
rotation_count = db.Column(db.Integer, default=0, nullable=False)
|
|
|
|
# Request metadata
|
|
ip_address = db.Column(db.String(45), nullable=True)
|
|
user_agent = db.Column(db.Text, nullable=True)
|
|
|
|
# Relationships
|
|
client = db.relationship("OIDCClient", back_populates="refresh_tokens")
|
|
user = db.relationship("User", back_populates="oidc_refresh_tokens")
|
|
access_token = db.relationship("Session", back_populates="oidc_refresh_token")
|
|
|
|
def __repr__(self):
|
|
"""String representation of OIDCRefreshToken."""
|
|
return f"<OIDCRefreshToken client_id={self.client_id} user_id={self.user_id} revoked={self.is_revoked()}>"
|
|
|
|
def is_expired(self):
|
|
"""Check if the refresh token has expired."""
|
|
# Handle both timezone-aware and timezone-naive expires_at values
|
|
expires_at = self.expires_at
|
|
if expires_at.tzinfo is None:
|
|
expires_at = expires_at.replace(tzinfo=timezone.utc)
|
|
return datetime.now(timezone.utc) > expires_at
|
|
|
|
def is_revoked(self):
|
|
"""Check if the refresh token has been revoked."""
|
|
return self.revoked_at is not None
|
|
|
|
def is_valid(self):
|
|
"""Check if the refresh token is valid for use."""
|
|
return not self.is_revoked() and not self.is_expired() and self.deleted_at is None
|
|
|
|
def revoke(self, reason=None):
|
|
"""Revoke the refresh token.
|
|
|
|
Args:
|
|
reason: Optional reason for revocation
|
|
"""
|
|
self.revoked_at = datetime.now(timezone.utc)
|
|
self.revoked_reason = reason
|
|
db.session.commit()
|
|
|
|
def rotate(self, new_token_hash):
|
|
"""Rotate the refresh token (invalidate old, create new).
|
|
|
|
Args:
|
|
new_token_hash: Hash of the new refresh token
|
|
|
|
Returns:
|
|
self for chaining
|
|
"""
|
|
# Store reference to old token
|
|
self.previous_token_hash = self.token_hash
|
|
self.token_hash = new_token_hash
|
|
self.rotation_count += 1
|
|
# Extend expiration on rotation
|
|
from datetime import timedelta
|
|
self.expires_at = datetime.now(timezone.utc) + timedelta(days=30)
|
|
db.session.commit()
|
|
return self
|
|
|
|
@classmethod
|
|
def create_token(cls, client_id, user_id, token_hash, scope=None,
|
|
access_token_id=None, ip_address=None, user_agent=None,
|
|
lifetime_seconds=2592000):
|
|
"""Create a new refresh token.
|
|
|
|
Args:
|
|
client_id: The OIDC client ID
|
|
user_id: The user ID
|
|
token_hash: Hashed refresh token
|
|
scope: Granted scopes
|
|
access_token_id: Associated access token ID
|
|
ip_address: Client IP address
|
|
user_agent: Client user agent
|
|
lifetime_seconds: Token lifetime in seconds (default 30 days)
|
|
|
|
Returns:
|
|
OIDCRefreshToken instance
|
|
"""
|
|
from datetime import timedelta
|
|
token = cls(
|
|
client_id=client_id,
|
|
user_id=user_id,
|
|
token_hash=token_hash,
|
|
scope=scope,
|
|
access_token_id=access_token_id,
|
|
expires_at=datetime.now(timezone.utc) + timedelta(seconds=lifetime_seconds),
|
|
ip_address=ip_address,
|
|
user_agent=user_agent,
|
|
)
|
|
db.session.add(token)
|
|
db.session.commit()
|
|
return token
|
|
|
|
def to_dict(self, exclude=None):
|
|
"""Convert to dictionary, excluding sensitive fields."""
|
|
exclude = exclude or []
|
|
# Always exclude token hashes
|
|
exclude.append("token_hash")
|
|
exclude.append("previous_token_hash")
|
|
return super().to_dict(exclude=exclude)
|
|
|
|
|
|
# Add relationship back to User model
|
|
from gatehouse_app.models.user import User
|
|
User.oidc_refresh_tokens = db.relationship(
|
|
"OIDCRefreshToken", back_populates="user", cascade="all, delete-orphan"
|
|
)
|
|
|
|
# Add relationship back to OIDCClient model
|
|
from gatehouse_app.models.oidc_client import OIDCClient
|
|
OIDCClient.refresh_tokens = db.relationship(
|
|
"OIDCRefreshToken", back_populates="client", cascade="all, delete-orphan"
|
|
)
|
|
|
|
# Add relationship back to Session model
|
|
from gatehouse_app.models.session import Session
|
|
Session.oidc_refresh_token = db.relationship(
|
|
"OIDCRefreshToken", back_populates="access_token", uselist=False
|
|
)
|