oauth2: enforce access_token and code lifetime (#22717)
parent
2fe7382ab3
commit
fbe0fc0b78
|
@ -1,6 +1,9 @@
|
|||
import cgi
|
||||
from urllib import unquote
|
||||
|
||||
from django.utils.timezone import now
|
||||
from django.conf import settings
|
||||
|
||||
from .models import OAuth2Authorize
|
||||
|
||||
|
||||
|
@ -15,7 +18,10 @@ def authenticate_bearer(request):
|
|||
return False
|
||||
token = splitted[1]
|
||||
try:
|
||||
return OAuth2Authorize.objects.get(access_token=token)
|
||||
authorize = OAuth2Authorize.objects.get(access_token=token)
|
||||
if (now() - authorize.creation_date).total_seconds() > settings.FARGO_ACCESS_TOKEN_LIFETIME:
|
||||
return False
|
||||
return authorize
|
||||
except OAuth2Authorize.DoesNotExist:
|
||||
return False
|
||||
|
||||
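Review bot: The expiry check added before `return authorize` measures the access token's age from `authorize.creation_date`, which is the same timestamp the views hunk uses for the authorization code's lifetime, so the token clock starts when the authorization row is created rather than when the code is exchanged; that is coherent but not obvious from this function, and it is why the `'expires'` value the token endpoint returns overstates what actually remains. Suggest `# lifetime is counted from the authorization's creation_date (shared with the code), not from the token exchange` above the check. The subtraction `now() - authorize.creation_date` presumes `creation_date` is timezone-aware; if the model stores a naive datetime this raises TypeError inside the try and is not caught by the `DoesNotExist` clause, so worth confirming against the model. `authenticate_bearer` begins outside the hunk.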
|
|
|
@ -19,6 +19,7 @@ from urllib import quote
|
|||
|
||||
from django.utils.translation import ugettext as _
|
||||
from django.utils.http import urlencode
|
||||
from django.utils.timezone import now
|
||||
from django.core.files.base import ContentFile
|
||||
from django.core.urlresolvers import reverse
|
||||
from django.http import (HttpResponse, HttpResponseBadRequest,
|
||||
|
@ -26,6 +27,7 @@ from django.http import (HttpResponse, HttpResponseBadRequest,
|
|||
from django.views.decorators.csrf import csrf_exempt
|
||||
from django.views.generic import FormView, TemplateView
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.conf import settings
|
||||
|
||||
from rest_framework.response import Response
|
||||
from rest_framework.views import APIView
|
||||
|
@ -110,19 +112,33 @@ authorize_get_document = login_required(OAuth2AuthorizeView.as_view())
|
|||
|
||||
|
||||
class GetDocumentTokenView(OAUTH2APIViewMixin):
|
||||
def error(self, error, description=None):
|
||||
data = {
|
||||
'error': error,
|
||||
}
|
||||
if description:
|
||||
data['error_description'] = description
|
||||
return Response(data, status=400)
|
||||
|
||||
def post(self, request):
|
||||
if not request.user.oauth2_client.check_redirect_uri(request.data['redirect_uri']):
|
||||
return Response({'error': 'invalid_request'}, status=400)
|
||||
return self.error('invalid_request')
|
||||
|
||||
if request.data['grant_type'] != 'authorization_code':
|
||||
return Response({'error': 'unsupported_grant_type'}, status=400)
|
||||
return self.error('unsupported_grant_type')
|
||||
|
||||
try:
|
||||
token = OAuth2Authorize.objects.get(code=request.data['code']).access_token
|
||||
authorize = OAuth2Authorize.objects.get(code=request.data['code'])
|
||||
except OAuth2Authorize.DoesNotExist:
|
||||
return Response({'error': 'invalid_request'}, status=400)
|
||||
return self.error('invalid_grant', 'code is unknown')
|
||||
|
||||
return Response({'access_token': token, 'expires': '3600'})
|
||||
if (now() - authorize.creation_date).total_seconds() > settings.FARGO_CODE_LIFETIME:
|
||||
return self.error('invalid_grant', 'code is expired')
|
||||
|
||||
return Response({
|
||||
'access_token': authorize.access_token,
|
||||
'expires': settings.FARGO_ACCESS_TOKEN_LIFETIME
|
||||
})
|
||||
|
||||
|
||||
get_document_token = GetDocumentTokenView.as_view()
|
||||
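Review bot: The token response at the end of `post` reports `'expires': settings.FARGO_ACCESS_TOKEN_LIFETIME`, but the bearer check in `authenticate_bearer` counts the token's lifetime from `authorize.creation_date`, the same instant the code's lifetime starts, so by the time the code is exchanged the token has strictly less than that many seconds left; RFC 6749 §5.1 also names this field `expires_in`. The remaining lifetime is computable from the age the new expiry check already evaluates, so I would bind that once and return it, keeping the existing `'expires'` key if current clients read it. Two things the hunk does not change but the new check sits next to: a code stays exchangeable repeatedly until `FARGO_CODE_LIFETIME` elapses (RFC 6749 §4.1.2 requires a code to be single-use, so the expiry check is the natural place to also mark it consumed), and `request.data['code']` / `['grant_type']` / `['redirect_uri']` still raise KeyError (a 500) instead of returning `invalid_request` when a field is absent.
```python
        try:
            authorize = OAuth2Authorize.objects.get(code=request.data['code'])
        except OAuth2Authorize.DoesNotExist:
            return self.error('invalid_grant', 'code is unknown')

        age = (now() - authorize.creation_date).total_seconds()
        if age > settings.FARGO_CODE_LIFETIME:
            return self.error('invalid_grant', 'code is expired')

        # The token clock (see authenticate_bearer) started at creation_date,
        # not at this exchange, so report the seconds actually left.
        expires_in = max(0, int(settings.FARGO_ACCESS_TOKEN_LIFETIME - age))
        return Response({
            'access_token': authorize.access_token,
            'expires': expires_in,
            'expires_in': expires_in,
        })
```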
|
|
|
@ -226,6 +226,9 @@ LOGGING = {
|
|||
|
||||
INCLUDE_EDIT_LINK = False
|
||||
|
||||
FARGO_CODE_LIFETIME = 300
|
||||
FARGO_ACCESS_TOKEN_LIFETIME = 3600
|
||||
|
||||
local_settings_file = os.environ.get('FARGO_SETTINGS_FILE',
|
||||
os.path.join(
|
||||
os.path.dirname(__file__),
|
||||
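Review bot: `FARGO_CODE_LIFETIME` and `FARGO_ACCESS_TOKEN_LIFETIME` are compared against `total_seconds()` in the auth and views hunks, but nothing at the definition states the unit, and the local settings file loaded just below via `FARGO_SETTINGS_FILE` may override them with a different expectation. Suggest `# lifetimes in seconds; RFC 6749 §4.1.2 recommends authorization codes live no longer than 10 minutes` above the two assignments.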
|
|