authorJohn Estabrook <jestabro@vyos.io>2022-10-23 11:08:19 -0500
committerJohn Estabrook <jestabro@vyos.io>2022-10-25 10:35:48 -0500
commitdc37f30a1273c1d3b7949b1d64e60d37da3b9fd4 (patch)
tree41a8d17d89117b5e7553e3b2999a2fb9ab8e8e32 /src/services
parent28676844e3f4317786e457fcd8651939a05c88ff (diff)
downloadvyos-1x-dc37f30a1273c1d3b7949b1d64e60d37da3b9fd4.tar.gz
vyos-1x-dc37f30a1273c1d3b7949b1d64e60d37da3b9fd4.zip
graphql: T4574: set token expiration time in claims
Diffstat (limited to 'src/services')
-rw-r--r--src/services/api/graphql/graphql/auth_token_mutation.py7
-rw-r--r--src/services/api/graphql/libs/token_auth.py4
-rwxr-xr-xsrc/services/vyos-http-api-server1
3 files changed, 9 insertions, 3 deletions
diff --git a/src/services/api/graphql/graphql/auth_token_mutation.py b/src/services/api/graphql/graphql/auth_token_mutation.py
index 33779d4f0..21ac40094 100644
--- a/src/services/api/graphql/graphql/auth_token_mutation.py
+++ b/src/services/api/graphql/graphql/auth_token_mutation.py
@@ -14,6 +14,7 @@
# along with this library. If not, see <http://www.gnu.org/licenses/>.
import jwt
+import datetime
from typing import Any, Dict
from ariadne import ObjectType, UnionType
from graphql import GraphQLResolveInfo
@@ -30,7 +31,11 @@ def auth_token_resolver(obj: Any, info: GraphQLResolveInfo, data: Dict):
passwd = data['password']
secret = state.settings['secret']
- res = generate_token(user, passwd, secret)
+ exp_interval = int(state.settings['app'].state.vyos_token_exp)
+ expiration = (datetime.datetime.now(tz=datetime.timezone.utc) +
+ datetime.timedelta(seconds=exp_interval))
+
+ res = generate_token(user, passwd, secret, expiration)
if res:
data['result'] = res
return {
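Review bot: `expiration` on the new lines is a timezone-aware `datetime`, but the `generate_token` signature in the token_auth.py hunk declares the new parameter as `exp: int`, so the annotation and its only call site disagree. PyJWT's encode() does accept a datetime for the registered `exp` claim and converts it to a numeric timestamp, so this presumably works at runtime, but a reader of the signature would pass seconds and get a token that expires in 1970. Either pass an integer, `res = generate_token(user, passwd, secret, int(expiration.timestamp()))`, or change the annotation in token_auth.py to `exp: datetime.datetime`. The `int(...)` of `vyos_token_exp` raises if the setting is absent or non-numeric, which is acceptable only if the config side guarantees the key (the server hunk's comment suggests a default is merged in conf_mode). auth_token_resolver starts and ends outside the hunk.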
diff --git a/src/services/api/graphql/libs/token_auth.py b/src/services/api/graphql/libs/token_auth.py
index 2d63a1cc7..fafb0f5af 100644
--- a/src/services/api/graphql/libs/token_auth.py
+++ b/src/services/api/graphql/libs/token_auth.py
@@ -14,7 +14,7 @@ def init_secret():
secret = token_hex(16)
state.settings['secret'] = secret
-def generate_token(user: str, passwd: str, secret: str) -> dict:
+def generate_token(user: str, passwd: str, secret: str, exp: int) -> dict:
if user is None or passwd is None:
return {}
if _check_passwd_pam(user, passwd):
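Review bot: The widened signature on the `+def generate_token(...)` line has no docstring, so the meaning and unit of the new `exp` parameter (an absolute expiry rather than a lifetime in seconds, judging by the claim it feeds in the next hunk) is undocumented. A short docstring would settle it: `"""Return the token result dict for *user* after PAM authentication; *exp* is the absolute expiry placed in the JWT 'exp' claim."""`. The only caller currently passes a datetime, so the `int` annotation should be reconciled with it. The function body continues past the hunk.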
@@ -25,7 +25,7 @@ def generate_token(user: str, passwd: str, secret: str) -> dict:
app.state.vyos_token_users = {}
users = app.state.vyos_token_users
user_id = uuid.uuid1().hex
- payload_data = {'iss': user, 'sub': user_id}
+ payload_data = {'iss': user, 'sub': user_id, 'exp': exp}
secret = state.settings.get('secret')
if secret is None:
return {
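Review bot: Adding `'exp'` to `payload_data` only bounds the token's lifetime if the decode path keeps expiration verification on; that path is outside this diff, so it should be checked in the same change. PyJWT's decode() rejects a past `exp` by default, but any `options={'verify_exp': False}` or signature-only validation would keep expired tokens valid with no error. A comment on the new line would record the dependency: `# 'exp' is enforced by jwt.decode() on the validation side; keep verify_exp on`. The `vyos_token_users` entry keyed by `user_id` is presumably never removed when its token expires, so the map grows with every login — worth a follow-up if it is consulted during validation. generate_token continues past the hunk.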
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 840041b73..4af27b949 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -698,6 +698,7 @@ if __name__ == '__main__':
app.state.vyos_introspection = False
# default value is merged in conf_mode http-api.py, if not set
app.state.vyos_auth_type = server_config['graphql']['authentication']['type']
+ app.state.vyos_token_exp = server_config['graphql']['authentication']['expiration']
else:
app.state.vyos_graphql = False
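Review bot: `vyos_token_exp` is stored as whatever the config parser yields and only converted with `int()` when a token is requested, so a missing or non-numeric `expiration` surfaces on the first auth mutation rather than at startup. Converting at assignment fails fast: `app.state.vyos_token_exp = int(server_config['graphql']['authentication']['expiration'])`. The preceding comment suggests a default is merged in conf_mode, so the key is presumably always present, but nothing visible here guarantees its type. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.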