Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#628] Clean up stored auth tokens #627

Open
wants to merge 58 commits into
base: develop
Choose a base branch
from
Open

[#628] Clean up stored auth tokens #627

wants to merge 58 commits into from

Conversation

roberlander2
Copy link
Contributor

@roberlander2 roberlander2 commented Jan 3, 2023
edited
Loading

Description

This PR encrypts OIDC refresh tokens and hashes Core BB refresh tokens in login session documents. A <sessionID>: prefix has been added to Core BB refresh tokens sent in login and refresh responses, and OIDC refresh tokens are no longer sent in login and refresh responses. It also implements a session ID cache to rate limit refresh attempts for session IDs known to fail a refresh.
Depends on rokwire/core-auth-library-go#86.

Resolves: #628

Review Time Estimate

Please give your idea of how soon this pull request needs to be reviewed by selecting one of the options below. This can be based on the criticality of the issue at hand and/or other relevant factors.

  • Immediately
  • Within a week
  • When possible

Type of changes

Please select a relevant option:

  • Bug fix (non-breaking change which fixes an issue).
  • New feature (non-breaking change which adds functionality).
  • Breaking change (fix or feature that would cause existing functionality to not work as expected).
  • Other (any another change that does not fall in one of the above categories.)

Checklist:

Please select all applicable options:

  • I have signed the Rokwire Contributor License Agreement (CLA). (Any contributor who is not an employee of the University of Illinois whose official duties include contributing to the Rokwire software, or who is not paid by the Rokwire project, needs to sign the CLA before their contribution can be accepted.)
  • I have updated the CHANGELOG.
  • I have read the Contributor Guidelines.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • My change requires updating the documentation.
  • I have made necessary changes to the documentation.
  • I have added tests related to my changes.
  • My changes generate no new warnings.
  • New and existing unit tests pass locally with my changes.
  • Any dependent changes have been merged and published in downstream modules.

@roberlander2
update logging library to v2
257fde6
@roberlander2
revert testing changes [#624]
9a91e96
@roberlander2
upgrade core-auth-library-go to v2.1.0, add empty enc APIs policy [#624]
f02cdb6
@roberlander2
remove individual web auth entities, use claimsCheck functions
7826b59
@roberlander2
upgrade auth-lib and logging-lib versions [#624]
d88a78a
@roberlander2
clean up unnecessary schema files, upgrade dependencies, trouble with…
02b4249 
… openapi3 example validation [#624]
@roberlander2
downgrade openapi to 0.110.0, remove more unnecessary schemas [#624]
7910450
@roberlander2
update error messages with new logutils strings [#624]
d096c13
@roberlander2
update swagger docs to only use yaml syntax [#624]
6bccfd9
@roberlander2
update changelog
50b78b0
@roberlander2
fix typo
526f402
@roberlander2
logging adjustments, fix comment
9754a25
@roberlander2
bug fixes
2baa253
@roberlander2
do not store access tokens in DB, encrypt oidc tokens in login sessio…
2812529 
…n params
@roberlander2
return raw oidc tokens in login, refresh responses, only store encryp…
d1ac3bb 
…ted refresh token, add decryption function
@roberlander2
remove whitespace from decrypted refresh tokens
92382e2
@roberlander2
store hashed refresh tokens, prefix refresh tokens with session ID, r…
1f955bc 
…emove some refresh token logging
@roberlander2
first implementation of session ID rate limit
fe5807b
@roberlander2
delete login session on rate limit hit
037fa1c
@roberlander2
add allow legacy refresh flag to env vars, don't send oidc refresh to…
4c37c96 
…kens to client
@roberlander2 roberlander2 self-assigned this Jan 3, 2023
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 3, 2023
View reviewed changes
utils/utils.go Fixed Show fixed Hide fixed
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 3, 2023
View reviewed changes
utils/utils.go Fixed Show fixed Hide fixed
@roberlander2 roberlander2 requested a review from shurwit February 7, 2023 22:46
shurwit
shurwit previously approved these changes Feb 10, 2023
View reviewed changes
Copy link
Collaborator

@shurwit shurwit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @roberlander2, LGTM!

@petyos, please take a look when you get a chance. Thanks!

@roberlander2 roberlander2 requested a review from shurwit February 23, 2023 20:26
@shurwit shurwit mentioned this pull request Sep 28, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@petyos petyos Awaiting requested review from petyos petyos is a code owner

@shurwit shurwit Awaiting requested review from shurwit shurwit is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@roberlander2 roberlander2

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[TASK] Clean up stored auth tokens
2 participants
@roberlander2 @shurwit