authorRichard van der Hoff <1389908+richvdh@users.noreply.github.com>2019-07-12 17:26:02 +0100
committerGitHub <noreply@github.com>2019-07-12 17:26:02 +0100
commit5f158ec039e4753959aad9b8d288b3d8cb4959a1 (patch)
tree5365e3257124ee89e8ef0026ffc6dd5ef4b153fc /synapse/api/auth.py
parentfix typo: backgroud -> background (diff)
downloadsynapse-5f158ec039e4753959aad9b8d288b3d8cb4959a1.tar.xz
Implement access token expiry (#5660)
Record how long an access token is valid for, and raise a soft-logout once it
expires.
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r--synapse/api/auth.py12
1 files changed, 12 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index afc6400948..d9e943c39c 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -319,6 +319,17 @@ class Auth(object):
             # first look in the database
             r = yield self._look_up_user_by_access_token(token)
             if r:
+                valid_until_ms = r["valid_until_ms"]
+                if (
+                    valid_until_ms is not None
+                    and valid_until_ms < self.clock.time_msec()
+                ):
+                    # there was a valid access token, but it has expired.
+                    # soft-logout the user.
+                    raise InvalidClientTokenError(
+                        msg="Access token has expired", soft_logout=True
+                    )
+
                 defer.returnValue(r)
 
         # otherwise it needs to be a valid macaroon
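Review bot: In the added expiry check, a token row whose `valid_until_ms` is `None` skips the comparison and is accepted with no lifetime limit, and nothing in the code says this is intended. A short comment above the `if` would make the fail-open case explicit, for example `# valid_until_ms is None when no expiry was recorded for the token: such tokens never expire`. The check also sits only inside the `if r:` database branch, so tokens that fall through to the macaroon path named in the trailing context line are not subject to it. Presumably that path enforces its own validity, which would be worth stating in the same comment. The enclosing method starts and ends outside the hunk.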
@@ -505,6 +516,7 @@ class Auth(object):
             "token_id": ret.get("token_id", None),
             "is_guest": False,
             "device_id": ret.get("device_id"),
+            "valid_until_ms": ret.get("valid_until_ms"),
         }
         defer.returnValue(user_info)