Use `constants` instead of going directly through settings when invalidating tokens and grants. This also replaces 'clean' with 'delete' for the new setting to be more clear as to what's being done under the hood.
This commit is contained in:
Evan Culver
parent
9049d6350f
commit
0c0236b389
14
docs/api.rst
14
docs/api.rst
|
|
@ -28,7 +28,7 @@
|
||||||
|
|
||||||
:settings: `OAUTH_EXPIRE_DELTA`
|
:settings: `OAUTH_EXPIRE_DELTA`
|
||||||
:default: `datetime.timedelta(days=365)`
|
:default: `datetime.timedelta(days=365)`
|
||||||
|
|
||||||
The time to expiry for access tokens as outlined in :rfc:`4.2.2` and
|
The time to expiry for access tokens as outlined in :rfc:`4.2.2` and
|
||||||
:rfc:`5.1`.
|
:rfc:`5.1`.
|
||||||
|
|
||||||
|
|
@ -36,9 +36,17 @@
|
||||||
|
|
||||||
:settings: `OAUTH_EXPIRE_CODE_DELTA`
|
:settings: `OAUTH_EXPIRE_CODE_DELTA`
|
||||||
:default: `datetime.timedelta(seconds=10*60)`
|
:default: `datetime.timedelta(seconds=10*60)`
|
||||||
|
|
||||||
The time to expiry for an authorization code grant as outlined in :rfc:`4.1.2`.
|
The time to expiry for an authorization code grant as outlined in :rfc:`4.1.2`.
|
||||||
|
|
||||||
|
.. attribute:: DELETE_EXPIRED
|
||||||
|
|
||||||
|
:settings: `OAUTH_DELETE_EXPIRED`
|
||||||
|
:default: `False`
|
||||||
|
|
||||||
|
To remove expired tokens immediately instead of letting them persist, set
|
||||||
|
to `True`.
|
||||||
|
|
||||||
.. attribute:: ENFORCE_SECURE
|
.. attribute:: ENFORCE_SECURE
|
||||||
|
|
||||||
:settings: `OAUTH_ENFORCE_SECURE`
|
:settings: `OAUTH_ENFORCE_SECURE`
|
||||||
|
|
|
||||||
|
|
@ -26,11 +26,15 @@ DEFAULT_SCOPES = (
|
||||||
SCOPES = getattr(settings, 'OAUTH_SCOPES', DEFAULT_SCOPES)
|
SCOPES = getattr(settings, 'OAUTH_SCOPES', DEFAULT_SCOPES)
|
||||||
|
|
||||||
EXPIRE_DELTA = getattr(settings, 'OAUTH_EXPIRE_DELTA', timedelta(days=365))
|
EXPIRE_DELTA = getattr(settings, 'OAUTH_EXPIRE_DELTA', timedelta(days=365))
|
||||||
|
|
||||||
# Expiry delta for public clients (which typically have shorter lived tokens)
|
# Expiry delta for public clients (which typically have shorter lived tokens)
|
||||||
EXPIRE_DELTA_PUBLIC = getattr(settings, 'OAUTH_EXPIRE_DELTA_PUBLIC', timedelta(days=30))
|
EXPIRE_DELTA_PUBLIC = getattr(settings, 'OAUTH_EXPIRE_DELTA_PUBLIC', timedelta(days=30))
|
||||||
|
|
||||||
EXPIRE_CODE_DELTA = getattr(settings, 'OAUTH_EXPIRE_CODE_DELTA', timedelta(seconds=10 * 60))
|
EXPIRE_CODE_DELTA = getattr(settings, 'OAUTH_EXPIRE_CODE_DELTA', timedelta(seconds=10 * 60))
|
||||||
|
|
||||||
|
# Remove expired tokens immediately instead of letting them persist.
|
||||||
|
DELETE_EXPIRED = getattr(settings, 'OAUTH_DELETE_EXPIRED', False)
|
||||||
|
|
||||||
ENFORCE_SECURE = getattr(settings, 'OAUTH_ENFORCE_SECURE', False)
|
ENFORCE_SECURE = getattr(settings, 'OAUTH_ENFORCE_SECURE', False)
|
||||||
ENFORCE_CLIENT_SECURE = getattr(settings, 'OAUTH_ENFORCE_CLIENT_SECURE', True)
|
ENFORCE_CLIENT_SECURE = getattr(settings, 'OAUTH_ENFORCE_CLIENT_SECURE', True)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,7 @@ views in :attr:`provider.views`.
|
||||||
from django.db import models
|
from django.db import models
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
from .. import constants
|
from .. import constants
|
||||||
from ..constants import CLIENT_TYPES
|
from ..constants import CLIENT_TYPES, DELETE_EXPIRED
|
||||||
from ..utils import short_token, long_token, get_token_expiry
|
from ..utils import short_token, long_token, get_token_expiry
|
||||||
from ..utils import get_code_expiry
|
from ..utils import get_code_expiry
|
||||||
from ..utils import now
|
from ..utils import now
|
||||||
|
|
|
||||||
|
|
@ -533,19 +533,15 @@ class ScopeTest(TestCase):
|
||||||
self.assertEqual('read read+write write', ' '.join(names))
|
self.assertEqual('read read+write write', ' '.join(names))
|
||||||
|
|
||||||
|
|
||||||
class CleanExpiredTest(BaseOAuth2TestCase):
|
class DeleteExpiredTest(BaseOAuth2TestCase):
|
||||||
fixtures = ['test_oauth2']
|
fixtures = ['test_oauth2']
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
self._old_oauth_clean_expired = getattr(settings,
|
self._delete_expired = constants.DELETE_EXPIRED
|
||||||
'OAUTH_CLEAN_EXPIRED', None)
|
constants.DELETE_EXPIRED = True
|
||||||
settings.OAUTH_CLEAN_EXPIRED = True
|
|
||||||
|
|
||||||
def tearDown(self):
|
def tearDown(self):
|
||||||
if self._old_oauth_clean_expired is not None:
|
constants.DELETE_EXPIRED = self._delete_expired
|
||||||
settings.OAUTH_CLEAN_EXPIRED = self._old_oauth_clean_expired
|
|
||||||
else:
|
|
||||||
delattr(settings, 'OAUTH_CLEAN_EXPIRED')
|
|
||||||
|
|
||||||
def test_clear_expired(self):
|
def test_clear_expired(self):
|
||||||
self.login()
|
self.login()
|
||||||
|
|
@ -563,8 +559,6 @@ class CleanExpiredTest(BaseOAuth2TestCase):
|
||||||
code = urlparse.parse_qs(location)['code'][0]
|
code = urlparse.parse_qs(location)['code'][0]
|
||||||
self.assertTrue(Grant.objects.filter(code=code).exists())
|
self.assertTrue(Grant.objects.filter(code=code).exists())
|
||||||
|
|
||||||
from pprint import pprint
|
|
||||||
|
|
||||||
# use the code/grant
|
# use the code/grant
|
||||||
response = self.client.post(self.access_token_url(), {
|
response = self.client.post(self.access_token_url(), {
|
||||||
'grant_type': 'authorization_code',
|
'grant_type': 'authorization_code',
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
from datetime import timedelta
|
from datetime import timedelta
|
||||||
from django.conf import settings
|
|
||||||
from django.core.urlresolvers import reverse
|
from django.core.urlresolvers import reverse
|
||||||
|
from .. import constants
|
||||||
from ..views import Capture, Authorize, Redirect
|
from ..views import Capture, Authorize, Redirect
|
||||||
from ..views import AccessToken as AccessTokenView, OAuthError
|
from ..views import AccessToken as AccessTokenView, OAuthError
|
||||||
from ..utils import now
|
from ..utils import now
|
||||||
|
|
@ -117,21 +117,21 @@ class AccessTokenView(AccessTokenView):
|
||||||
)
|
)
|
||||||
|
|
||||||
def invalidate_grant(self, grant):
|
def invalidate_grant(self, grant):
|
||||||
if getattr(settings, 'OAUTH_CLEAN_EXPIRED', False):
|
if constants.DELETE_EXPIRED:
|
||||||
grant.delete()
|
grant.delete()
|
||||||
else:
|
else:
|
||||||
grant.expires = now() - timedelta(days=1)
|
grant.expires = now() - timedelta(days=1)
|
||||||
grant.save()
|
grant.save()
|
||||||
|
|
||||||
def invalidate_refresh_token(self, rt):
|
def invalidate_refresh_token(self, rt):
|
||||||
if getattr(settings, 'OAUTH_CLEAN_EXPIRED', False):
|
if constants.DELETE_EXPIRED:
|
||||||
rt.delete()
|
rt.delete()
|
||||||
else:
|
else:
|
||||||
rt.expired = True
|
rt.expired = True
|
||||||
rt.save()
|
rt.save()
|
||||||
|
|
||||||
def invalidate_access_token(self, at):
|
def invalidate_access_token(self, at):
|
||||||
if getattr(settings, 'OAUTH_CLEAN_EXPIRED', False):
|
if constants.DELETE_EXPIRED:
|
||||||
at.delete()
|
at.delete()
|
||||||
else:
|
else:
|
||||||
at.expires = now() - timedelta(days=1)
|
at.expires = now() - timedelta(days=1)
|
||||||
|
|
|
||||||
|
|
@ -492,6 +492,7 @@ class AccessToken(OAuthView, Mixin):
|
||||||
"""
|
"""
|
||||||
rt = self.get_refresh_token_grant(request, data, client)
|
rt = self.get_refresh_token_grant(request, data, client)
|
||||||
|
|
||||||
|
# this must be called first in case we need to purge expired tokens
|
||||||
self.invalidate_refresh_token(rt)
|
self.invalidate_refresh_token(rt)
|
||||||
self.invalidate_access_token(rt.access_token)
|
self.invalidate_access_token(rt.access_token)
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue