diff options
| author | Richard van der Hoff <1389908+richvdh@users.noreply.github.com> | 2019-07-12 17:26:02 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-07-12 17:26:02 +0100 |
| commit | 5f158ec039e4753959aad9b8d288b3d8cb4959a1 (patch) | |
| tree | 5365e3257124ee89e8ef0026ffc6dd5ef4b153fc /synapse/api | |
| parent | fix typo: backgroud -> background (diff) | |
| download | synapse-5f158ec039e4753959aad9b8d288b3d8cb4959a1.tar.xz | |
Implement access token expiry (#5660)
Record how long an access token is valid for, and raise a soft-logout once it expires.
Diffstat (limited to 'synapse/api')
| -rw-r--r-- | synapse/api/auth.py | 12 | ||||
| -rw-r--r-- | synapse/api/errors.py | 8 |
2 files changed, 19 insertions, 1 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index afc6400948..d9e943c39c 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -319,6 +319,17 @@ class Auth(object): # first look in the database r = yield self._look_up_user_by_access_token(token) if r: + valid_until_ms = r["valid_until_ms"] + if ( + valid_until_ms is not None + and valid_until_ms < self.clock.time_msec() + ): + # there was a valid access token, but it has expired. + # soft-logout the user. + raise InvalidClientTokenError( + msg="Access token has expired", soft_logout=True + ) + defer.returnValue(r) # otherwise it needs to be a valid macaroon @@ -505,6 +516,7 @@ class Auth(object): "token_id": ret.get("token_id", None), "is_guest": False, "device_id": ret.get("device_id"), + "valid_until_ms": ret.get("valid_until_ms"), } defer.returnValue(user_info) diff --git a/synapse/api/errors.py b/synapse/api/errors.py index 41fd04cd54..a6e753c30c 100644 --- a/synapse/api/errors.py +++ b/synapse/api/errors.py @@ -245,8 +245,14 @@ class MissingClientTokenError(InvalidClientCredentialsError): class InvalidClientTokenError(InvalidClientCredentialsError): """Raised when we didn't understand the access token in a request""" - def __init__(self, msg="Unrecognised access token"): + def __init__(self, msg="Unrecognised access token", soft_logout=False): super().__init__(msg=msg, errcode="M_UNKNOWN_TOKEN") + self._soft_logout = soft_logout + + def error_dict(self): + d = super().error_dict() + d["soft_logout"] = self._soft_logout + return d class ResourceLimitError(SynapseError): |