Custom bearer token expiration validation#475

Merged
MarcelGeo merged 1 commit intomasterfrom
fix_auth_expiration_check
Jul 4, 2025

Conversation

@varmar05 varmar05 commented Jul 4, 2025

Previously we validated all access tokens with the same expiration value, but since SSO we have two types of access token with different expiration periods. Therefore, we use the expire field to validate whether a token is still valid (instead of the built-in max_age validation).

@varmar05 varmar05 requested review from MarcelGeo and tomasMizera July 4, 2025 06:59
@coveralls
Pull Request Test Coverage Report for Build 16067802947

Details

  • 40 of 40 (100.0%) changed or added relevant lines in 2 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.2%) to 91.925%

Totals Coverage Status
Change from base Build 15999199662: 0.2%
Covered Lines: 7126
Relevant Lines: 7752

💛 - Coveralls

@MarcelGeo MarcelGeo left a comment

Yeah, we are now depending on a hardcoded value in expire. But it's more precise.

@MarcelGeo MarcelGeo merged commit 521a303 into master Jul 4, 2025
4 checks passed
@MarcelGeo MarcelGeo deleted the fix_auth_expiration_check branch July 4, 2025 07:36
try:
    expire = datetime.fromisoformat(token_data.get("expire"))
except (ValueError, TypeError):
    raise BadSignature("Invalid token")

Should we consider this as critical failure and log it so we can find it in logs in case something like this would happen? 🤔

except (ValueError, TypeError):
    raise BadSignature("Invalid token")

if expire < datetime.now(timezone.utc):

When we build the token, we use pytz.utc, here when decoding we use timezone.utc -- I guess that is all right, right @varmar05?
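The following is an added, self-contained illustration of the validation described in this pull request and of the two review questions above (logging when the expire field is unusable, and mixing pytz.utc on the issuing side with timezone.utc on the validating side). It is example code written for this page, not code from the project the pull request belongs to. The HMAC-signed JSON token format, the local BadSignature class, the constructed SECRET and the names encode_payload, build_token, decode_token and check_token are all assumptions made for the example; only the expire-field check and the exception handling mirror the snippets quoted in the review.

```python
import base64
import hashlib
import hmac
import json
import logging
from datetime import datetime, timedelta, timezone

log = logging.getLogger(__name__)


class BadSignature(Exception):
    """Local stand-in for the signing library's exception (assumption)."""


# Constructed key for this example only; a real service loads it from config.
SECRET = b"constructed-secret-for-example-only"


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def encode_payload(data: dict) -> str:
    """Serialise and sign an arbitrary payload (hypothetical token format)."""
    payload = json.dumps(data, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def build_token(user_id: int, lifetime_seconds: int) -> str:
    """Embed an explicit, timezone-aware 'expire' so tokens with different
    lifetimes (e.g. regular vs SSO) are validated by a single code path."""
    expire = datetime.now(timezone.utc) + timedelta(seconds=lifetime_seconds)
    return encode_payload({"user_id": user_id, "expire": expire.isoformat()})


def decode_token(token: str) -> dict:
    """Verify the signature first, then the embedded expiry; fail closed on any defect."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:  # no '.', or bad base64 (binascii.Error is a ValueError)
        raise BadSignature("Invalid token")
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        raise BadSignature("Invalid token")
    try:
        token_data = json.loads(payload)
    except ValueError:
        raise BadSignature("Invalid token")
    if not isinstance(token_data, dict):
        raise BadSignature("Invalid token")

    # A correctly signed token without a parseable 'expire' should never exist,
    # so log it as a critical failure (the first review question) before rejecting.
    try:
        expire = datetime.fromisoformat(token_data.get("expire"))
    except (ValueError, TypeError):
        log.error("signed token lacks a valid 'expire' field: %r", token_data.get("expire"))
        raise BadSignature("Invalid token")

    # isoformat() of an aware datetime carries an offset ('+00:00'), which
    # fromisoformat() turns back into an aware datetime. Aware datetimes compare by
    # instant regardless of which tzinfo class produced them, so a value stamped
    # with pytz.utc compares correctly against datetime.now(timezone.utc) (the second
    # review question). A naive 'expire' would make '<' raise TypeError, so it is
    # rejected explicitly instead of surfacing as an unhandled exception.
    if expire.tzinfo is None or expire.utcoffset() is None:
        log.error("'expire' field is not timezone-aware: %r", token_data["expire"])
        raise BadSignature("Invalid token")
    if expire < datetime.now(timezone.utc):
        raise BadSignature("Token expired")
    return token_data


def check_token(token: str) -> str:
    """Classify a token as 'ok', 'expired' or 'invalid' for callers that only need a status."""
    try:
        decode_token(token)
    except BadSignature as exc:
        return "expired" if str(exc) == "Token expired" else "invalid"
    return "ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    regular = build_token(42, 15 * 60)        # short-lived regular token
    sso = build_token(42, 7 * 24 * 3600)      # longer-lived token, e.g. from SSO
    print(check_token(regular), check_token(sso))            # ok ok
    print(check_token(build_token(42, -1)))                  # expired
    print(check_token(encode_payload({"user_id": 42})))      # invalid (no 'expire')
    print(check_token(regular[:-1] + ("0" if regular[-1] != "0" else "1")))  # invalid
```

The ordering matters: the signature is checked before anything in the payload is trusted, so the logged "missing expire" case can only be reached by a token the service itself issued, which is exactly why it is worth an error-level log entry rather than a silent rejection. Because the lifetime lives inside each signed token, a regular and an SSO token pass through the same validator without any per-type max_age constant.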
