oauth2: enforce access_token and code lifetime (#22717)

fargo/oauth2/utils.py

@@ -1,6 +1,9 @@
 import cgi
 from urllib import unquote
 
+from django.utils.timezone import now
+from django.conf import settings
+
 from .models import OAuth2Authorize
 
 
@@ -15,7 +18,10 @@ def authenticate_bearer(request):
         return False
     token = splitted[1]
     try:
-        return OAuth2Authorize.objects.get(access_token=token)
+        authorize = OAuth2Authorize.objects.get(access_token=token)
+        if (now() - authorize.creation_date).total_seconds() > settings.FARGO_ACCESS_TOKEN_LIFETIME:
+            return False
+        return authorize
     except OAuth2Authorize.DoesNotExist:
         return False
 

fargo/oauth2/views.py

@@ -19,6 +19,7 @@ from urllib import quote
 
 from django.utils.translation import ugettext as _
 from django.utils.http import urlencode
+from django.utils.timezone import now
 from django.core.files.base import ContentFile
 from django.core.urlresolvers import reverse
 from django.http import (HttpResponse, HttpResponseBadRequest,
@@ -26,6 +27,7 @@ from django.http import (HttpResponse, HttpResponseBadRequest,
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import FormView, TemplateView
 from django.contrib.auth.decorators import login_required
+from django.conf import settings
 
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -110,19 +112,33 @@ authorize_get_document = login_required(OAuth2AuthorizeView.as_view())
 
 
 class GetDocumentTokenView(OAUTH2APIViewMixin):
+    def error(self, error, description=None):
+        data = {
+            'error': error,
+        }
+        if description:
+            data['error_description'] = description
+        return Response(data, status=400)
+
     def post(self, request):
         if not request.user.oauth2_client.check_redirect_uri(request.data['redirect_uri']):
-            return Response({'error': 'invalid_request'}, status=400)
+            return self.error('invalid_request')
 
         if request.data['grant_type'] != 'authorization_code':
-            return Response({'error': 'unsupported_grant_type'}, status=400)
+            return self.error('unsupported_grant_type')
 
         try:
-            token = OAuth2Authorize.objects.get(code=request.data['code']).access_token
+            authorize = OAuth2Authorize.objects.get(code=request.data['code'])
         except OAuth2Authorize.DoesNotExist:
-            return Response({'error': 'invalid_request'}, status=400)
+            return self.error('invalid_grant', 'code is unknown')
 
-        return Response({'access_token': token, 'expires': '3600'})
+        if (now() - authorize.creation_date).total_seconds() > settings.FARGO_CODE_LIFETIME:
+            return self.error('invalid_grant', 'code is expired')
+
+        return Response({
+            'access_token': authorize.access_token,
+            'expires': settings.FARGO_ACCESS_TOKEN_LIFETIME
+        })
 
 
 get_document_token = GetDocumentTokenView.as_view()

fargo/settings.py

@@ -226,6 +226,9 @@ LOGGING = {
 
 INCLUDE_EDIT_LINK = False
 
+FARGO_CODE_LIFETIME = 300
+FARGO_ACCESS_TOKEN_LIFETIME = 3600
+
 local_settings_file = os.environ.get('FARGO_SETTINGS_FILE',
                                      os.path.join(
                                          os.path.dirname(__file__),