summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorJohn Estabrook <jestabro@vyos.io>2022-10-23 11:08:19 -0500
committerJohn Estabrook <jestabro@vyos.io>2022-10-25 10:35:48 -0500
commitdc37f30a1273c1d3b7949b1d64e60d37da3b9fd4 (patch)
tree41a8d17d89117b5e7553e3b2999a2fb9ab8e8e32 /src
parent28676844e3f4317786e457fcd8651939a05c88ff (diff)
downloadvyos-1x-dc37f30a1273c1d3b7949b1d64e60d37da3b9fd4.tar.gz
vyos-1x-dc37f30a1273c1d3b7949b1d64e60d37da3b9fd4.zip
graphql: T4574: set token expiration time in claims
Diffstat (limited to 'src')
-rw-r--r--src/services/api/graphql/graphql/auth_token_mutation.py7
-rw-r--r--src/services/api/graphql/libs/token_auth.py4
-rwxr-xr-xsrc/services/vyos-http-api-server1
3 files changed, 9 insertions, 3 deletions
diff --git a/src/services/api/graphql/graphql/auth_token_mutation.py b/src/services/api/graphql/graphql/auth_token_mutation.py
index 33779d4f0..21ac40094 100644
--- a/src/services/api/graphql/graphql/auth_token_mutation.py
+++ b/src/services/api/graphql/graphql/auth_token_mutation.py
@@ -14,6 +14,7 @@
# along with this library. If not, see <http://www.gnu.org/licenses/>.
import jwt
+import datetime
from typing import Any, Dict
from ariadne import ObjectType, UnionType
from graphql import GraphQLResolveInfo
@@ -30,7 +31,11 @@ def auth_token_resolver(obj: Any, info: GraphQLResolveInfo, data: Dict):
passwd = data['password']
secret = state.settings['secret']
- res = generate_token(user, passwd, secret)
+ exp_interval = int(state.settings['app'].state.vyos_token_exp)
+ expiration = (datetime.datetime.now(tz=datetime.timezone.utc) +
+ datetime.timedelta(seconds=exp_interval))
+
+ res = generate_token(user, passwd, secret, expiration)
if res:
data['result'] = res
return {
diff --git a/src/services/api/graphql/libs/token_auth.py b/src/services/api/graphql/libs/token_auth.py
index 2d63a1cc7..fafb0f5af 100644
--- a/src/services/api/graphql/libs/token_auth.py
+++ b/src/services/api/graphql/libs/token_auth.py
@@ -14,7 +14,7 @@ def init_secret():
secret = token_hex(16)
state.settings['secret'] = secret
-def generate_token(user: str, passwd: str, secret: str) -> dict:
+def generate_token(user: str, passwd: str, secret: str, exp: int) -> dict:
if user is None or passwd is None:
return {}
if _check_passwd_pam(user, passwd):
@@ -25,7 +25,7 @@ def generate_token(user: str, passwd: str, secret: str) -> dict:
app.state.vyos_token_users = {}
users = app.state.vyos_token_users
user_id = uuid.uuid1().hex
- payload_data = {'iss': user, 'sub': user_id}
+ payload_data = {'iss': user, 'sub': user_id, 'exp': exp}
secret = state.settings.get('secret')
if secret is None:
return {
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 840041b73..4af27b949 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -698,6 +698,7 @@ if __name__ == '__main__':
app.state.vyos_introspection = False
# default value is merged in conf_mode http-api.py, if not set
app.state.vyos_auth_type = server_config['graphql']['authentication']['type']
+ app.state.vyos_token_exp = server_config['graphql']['authentication']['expiration']
else:
app.state.vyos_graphql = False