back round 0 view raw

appview/oauth: invalidate sessions if inactive for too long #722

merged
opened by oppi.li targeting master from push-rnnvqlrqspsv

if sessions are inactive for too long, tokens will not be refreshed, and calling authorized xrpc methods will error out with invalid_grant. this changeset does two things:

  • tracks the last time a session was active using a new redis pair: oauth:session_meta:<did>:<session>, this is updated every time SaveSession is called
  • checks for session inactivity every time GetSession is called, and deletes the session if so

this way, GetSession will never return a session with expired tokens.

Signed-off-by: oppiliappan me@oppi.li

options
unified split
Changed files
+116 -12
appview
oauth
oauth.go
store.go
+6 -1
appview/oauth/oauth.go 
···

       
60

       
 

       



     

       
61

       
 

       
	jwksUri := clientUri + "/oauth/jwks.json"


     

       
62

       
 

       



     

       
63

       
-

       
	authStore, err := NewRedisStore(config.Redis.ToURL())


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
64

       
 

       
	if err != nil {


     

       
65

       
 

       
		return nil, err


     

       
66

       
 

       
	}


     
···

       
60

       
 

       



     

       
61

       
 

       
	jwksUri := clientUri + "/oauth/jwks.json"


     

       
62

       
 

       



     

       
63

       
+

       
	authStore, err := NewRedisStore(&RedisStoreConfig{


     

       
64

       
+

       
		RedisURL:                  config.Redis.ToURL(),


     

       
65

       
+

       
		SessionExpiryDuration:     time.Hour * 24 * 90,


     

       
66

       
+

       
		SessionInactivityDuration: time.Hour * 24 * 14,


     

       
67

       
+

       
		AuthRequestExpiryDuration: time.Minute * 30,


     

       
68

       
+

       
	})


     

       
69

       
 

       
	if err != nil {


     

       
70

       
 

       
		return nil, err


     

       
71

       
 

       
	}
+110 -11
appview/oauth/store.go 
···

       
11

       
 

       
	"github.com/redis/go-redis/v9"


     

       
12

       
 

       
)


     

       
13

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
14

       
 

       
// redis-backed implementation of ClientAuthStore.


     

       
15

       
 

       
type RedisStore struct {


     

       
16

       
-

       
	client         *redis.Client


     

       
17

       
-

       
	SessionTTL     time.Duration


     

       
18

       
-

       
	AuthRequestTTL time.Duration


     

       
19

       
 

       
}


     

       
20

       
 

       



     

       
21

       
 

       
var _ oauth.ClientAuthStore = &RedisStore{}


     

       
22

       
 

       



     

       
23

       
-

       
func NewRedisStore(redisURL string) (*RedisStore, error) {


     

       
24

       
-

       
	opts, err := redis.ParseURL(redisURL)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
25

       
 

       
	if err != nil {


     

       
26

       
 

       
		return nil, fmt.Errorf("failed to parse redis URL: %w", err)


     

       
27

       
 

       
	}


     
···

       
37

       
 

       
	}


     

       
38

       
 

       



     

       
39

       
 

       
	return &RedisStore{


     

       
40

       
-

       
		client:         client,


     

       
41

       
-

       
		SessionTTL:     30 * 24 * time.Hour, // 30 days


     

       
42

       
-

       
		AuthRequestTTL: 10 * time.Minute,    // 10 minutes


     

       
43

       
 

       
	}, nil


     

       
44

       
 

       
}


     

       
45

       
 

       



     
···

       
51

       
 

       
	return fmt.Sprintf("oauth:session:%s:%s", did, sessionID)


     

       
52

       
 

       
}


     

       
53

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
54

       
 

       
func authRequestKey(state string) string {


     

       
55

       
 

       
	return fmt.Sprintf("oauth:auth_request:%s", state)


     

       
56

       
 

       
}


     

       
57

       
 

       



     

       
58

       
 

       
func (r *RedisStore) GetSession(ctx context.Context, did syntax.DID, sessionID string) (*oauth.ClientSessionData, error) {


     

       
59

       
 

       
	key := sessionKey(did, sessionID)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
60

       
 

       
	data, err := r.client.Get(ctx, key).Bytes()


     

       
61

       
 

       
	if err == redis.Nil {


     

       
62

       
 

       
		return nil, fmt.Errorf("session not found: %s", did)


     
···

       
75

       
 

       



     

       
76

       
 

       
func (r *RedisStore) SaveSession(ctx context.Context, sess oauth.ClientSessionData) error {


     

       
77

       
 

       
	key := sessionKey(sess.AccountDID, sess.SessionID)


     

       

       

       
     

       
78

       
 

       



     

       
79

       
 

       
	data, err := json.Marshal(sess)


     

       
80

       
 

       
	if err != nil {


     

       
81

       
 

       
		return fmt.Errorf("failed to marshal session: %w", err)


     

       
82

       
 

       
	}


     

       
83

       
 

       



     

       
84

       
-

       
	if err := r.client.Set(ctx, key, data, r.SessionTTL).Err(); err != nil {


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
85

       
 

       
		return fmt.Errorf("failed to save session: %w", err)


     

       
86

       
 

       
	}


     

       
87

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
88

       
 

       
	return nil


     

       
89

       
 

       
}


     

       
90

       
 

       



     

       
91

       
 

       
func (r *RedisStore) DeleteSession(ctx context.Context, did syntax.DID, sessionID string) error {


     

       
92

       
 

       
	key := sessionKey(did, sessionID)


     

       
93

       
-

       
	if err := r.client.Del(ctx, key).Err(); err != nil {


     

       

       

       
     

       

       

       
     

       
94

       
 

       
		return fmt.Errorf("failed to delete session: %w", err)


     

       
95

       
 

       
	}


     

       
96

       
 

       
	return nil


     
···

       
131

       
 

       
		return fmt.Errorf("failed to marshal auth request: %w", err)


     

       
132

       
 

       
	}


     

       
133

       
 

       



     

       
134

       
-

       
	if err := r.client.Set(ctx, key, data, r.AuthRequestTTL).Err(); err != nil {


     

       
135

       
 

       
		return fmt.Errorf("failed to save auth request: %w", err)


     

       
136

       
 

       
	}


     

       
137

       
 

       



     
···

       
11

       
 

       
	"github.com/redis/go-redis/v9"


     

       
12

       
 

       
)


     

       
13

       
 

       



     

       
14

       
+

       
type RedisStoreConfig struct {


     

       
15

       
+

       
	RedisURL string


     

       
16

       
+

       



     

       
17

       
+

       
	// The purpose of these limits is to avoid dead sessions hanging around in the db indefinitely.


     

       
18

       
+

       
	// The durations here should be *at least as long as* the expected duration of the oauth session itself.


     

       
19

       
+

       
	SessionExpiryDuration     time.Duration // duration since session creation (max TTL)


     

       
20

       
+

       
	SessionInactivityDuration time.Duration // duration since last session update


     

       
21

       
+

       
	AuthRequestExpiryDuration time.Duration // duration since auth request creation


     

       
22

       
+

       
}


     

       
23

       
+

       



     

       
24

       
 

       
// redis-backed implementation of ClientAuthStore.


     

       
25

       
 

       
type RedisStore struct {


     

       
26

       
+

       
	client *redis.Client


     

       
27

       
+

       
	cfg    *RedisStoreConfig


     

       

       

       
     

       
28

       
 

       
}


     

       
29

       
 

       



     

       
30

       
 

       
var _ oauth.ClientAuthStore = &RedisStore{}


     

       
31

       
 

       



     

       
32

       
+

       
type sessionMetadata struct {


     

       
33

       
+

       
	CreatedAt time.Time `json:"created_at"`


     

       
34

       
+

       
	UpdatedAt time.Time `json:"updated_at"`


     

       
35

       
+

       
}


     

       
36

       
+

       



     

       
37

       
+

       
func NewRedisStore(cfg *RedisStoreConfig) (*RedisStore, error) {


     

       
38

       
+

       
	if cfg == nil {


     

       
39

       
+

       
		return nil, fmt.Errorf("missing cfg")


     

       
40

       
+

       
	}


     

       
41

       
+

       
	if cfg.RedisURL == "" {


     

       
42

       
+

       
		return nil, fmt.Errorf("missing RedisURL")


     

       
43

       
+

       
	}


     

       
44

       
+

       
	if cfg.SessionExpiryDuration == 0 {


     

       
45

       
+

       
		return nil, fmt.Errorf("missing SessionExpiryDuration")


     

       
46

       
+

       
	}


     

       
47

       
+

       
	if cfg.SessionInactivityDuration == 0 {


     

       
48

       
+

       
		return nil, fmt.Errorf("missing SessionInactivityDuration")


     

       
49

       
+

       
	}


     

       
50

       
+

       
	if cfg.AuthRequestExpiryDuration == 0 {


     

       
51

       
+

       
		return nil, fmt.Errorf("missing AuthRequestExpiryDuration")


     

       
52

       
+

       
	}


     

       
53

       
+

       



     

       
54

       
+

       
	opts, err := redis.ParseURL(cfg.RedisURL)


     

       
55

       
 

       
	if err != nil {


     

       
56

       
 

       
		return nil, fmt.Errorf("failed to parse redis URL: %w", err)


     

       
57

       
 

       
	}


     
···

       
67

       
 

       
	}


     

       
68

       
 

       



     

       
69

       
 

       
	return &RedisStore{


     

       
70

       
+

       
		client: client,


     

       
71

       
+

       
		cfg:    cfg,


     

       

       

       
     

       
72

       
 

       
	}, nil


     

       
73

       
 

       
}


     

       
74

       
 

       



     
···

       
80

       
 

       
	return fmt.Sprintf("oauth:session:%s:%s", did, sessionID)


     

       
81

       
 

       
}


     

       
82

       
 

       



     

       
83

       
+

       
func sessionMetadataKey(did syntax.DID, sessionID string) string {


     

       
84

       
+

       
	return fmt.Sprintf("oauth:session_meta:%s:%s", did, sessionID)


     

       
85

       
+

       
}


     

       
86

       
+

       



     

       
87

       
 

       
func authRequestKey(state string) string {


     

       
88

       
 

       
	return fmt.Sprintf("oauth:auth_request:%s", state)


     

       
89

       
 

       
}


     

       
90

       
 

       



     

       
91

       
 

       
func (r *RedisStore) GetSession(ctx context.Context, did syntax.DID, sessionID string) (*oauth.ClientSessionData, error) {


     

       
92

       
 

       
	key := sessionKey(did, sessionID)


     

       
93

       
+

       
	metaKey := sessionMetadataKey(did, sessionID)


     

       
94

       
+

       



     

       
95

       
+

       
	// Check metadata for inactivity expiry


     

       
96

       
+

       
	metaData, err := r.client.Get(ctx, metaKey).Bytes()


     

       
97

       
+

       
	if err == redis.Nil {


     

       
98

       
+

       
		return nil, fmt.Errorf("session not found: %s", did)


     

       
99

       
+

       
	}


     

       
100

       
+

       
	if err != nil {


     

       
101

       
+

       
		return nil, fmt.Errorf("failed to get session metadata: %w", err)


     

       
102

       
+

       
	}


     

       
103

       
+

       



     

       
104

       
+

       
	var meta sessionMetadata


     

       
105

       
+

       
	if err := json.Unmarshal(metaData, &meta); err != nil {


     

       
106

       
+

       
		return nil, fmt.Errorf("failed to unmarshal session metadata: %w", err)


     

       
107

       
+

       
	}


     

       
108

       
+

       



     

       
109

       
+

       
	// Check if session has been inactive for too long


     

       
110

       
+

       
	inactiveThreshold := time.Now().Add(-r.cfg.SessionInactivityDuration)


     

       
111

       
+

       
	if meta.UpdatedAt.Before(inactiveThreshold) {


     

       
112

       
+

       
		// Session is inactive, delete it


     

       
113

       
+

       
		r.client.Del(ctx, key, metaKey)


     

       
114

       
+

       
		return nil, fmt.Errorf("session expired due to inactivity: %s", did)


     

       
115

       
+

       
	}


     

       
116

       
+

       



     

       
117

       
+

       
	// Get the actual session data


     

       
118

       
 

       
	data, err := r.client.Get(ctx, key).Bytes()


     

       
119

       
 

       
	if err == redis.Nil {


     

       
120

       
 

       
		return nil, fmt.Errorf("session not found: %s", did)


     
···

       
133

       
 

       



     

       
134

       
 

       
func (r *RedisStore) SaveSession(ctx context.Context, sess oauth.ClientSessionData) error {


     

       
135

       
 

       
	key := sessionKey(sess.AccountDID, sess.SessionID)


     

       
136

       
+

       
	metaKey := sessionMetadataKey(sess.AccountDID, sess.SessionID)


     

       
137

       
 

       



     

       
138

       
 

       
	data, err := json.Marshal(sess)


     

       
139

       
 

       
	if err != nil {


     

       
140

       
 

       
		return fmt.Errorf("failed to marshal session: %w", err)


     

       
141

       
 

       
	}


     

       
142

       
 

       



     

       
143

       
+

       
	// Check if session already exists to preserve CreatedAt


     

       
144

       
+

       
	var meta sessionMetadata


     

       
145

       
+

       
	existingMetaData, err := r.client.Get(ctx, metaKey).Bytes()


     

       
146

       
+

       
	if err == redis.Nil {


     

       
147

       
+

       
		// New session


     

       
148

       
+

       
		meta = sessionMetadata{


     

       
149

       
+

       
			CreatedAt: time.Now(),


     

       
150

       
+

       
			UpdatedAt: time.Now(),


     

       
151

       
+

       
		}


     

       
152

       
+

       
	} else if err != nil {


     

       
153

       
+

       
		return fmt.Errorf("failed to check existing session metadata: %w", err)


     

       
154

       
+

       
	} else {


     

       
155

       
+

       
		// Existing session - preserve CreatedAt, update UpdatedAt


     

       
156

       
+

       
		if err := json.Unmarshal(existingMetaData, &meta); err != nil {


     

       
157

       
+

       
			return fmt.Errorf("failed to unmarshal existing session metadata: %w", err)


     

       
158

       
+

       
		}


     

       
159

       
+

       
		meta.UpdatedAt = time.Now()


     

       
160

       
+

       
	}


     

       
161

       
+

       



     

       
162

       
+

       
	// Calculate remaining TTL based on creation time


     

       
163

       
+

       
	remainingTTL := r.cfg.SessionExpiryDuration - time.Since(meta.CreatedAt)


     

       
164

       
+

       
	if remainingTTL <= 0 {


     

       
165

       
+

       
		return fmt.Errorf("session has expired")


     

       
166

       
+

       
	}


     

       
167

       
+

       



     

       
168

       
+

       
	// Use the shorter of: remaining TTL or inactivity duration


     

       
169

       
+

       
	ttl := min(r.cfg.SessionInactivityDuration, remainingTTL)


     

       
170

       
+

       



     

       
171

       
+

       
	// Save session data


     

       
172

       
+

       
	if err := r.client.Set(ctx, key, data, ttl).Err(); err != nil {


     

       
173

       
 

       
		return fmt.Errorf("failed to save session: %w", err)


     

       
174

       
 

       
	}


     

       
175

       
 

       



     

       
176

       
+

       
	// Save metadata


     

       
177

       
+

       
	metaData, err := json.Marshal(meta)


     

       
178

       
+

       
	if err != nil {


     

       
179

       
+

       
		return fmt.Errorf("failed to marshal session metadata: %w", err)


     

       
180

       
+

       
	}


     

       
181

       
+

       
	if err := r.client.Set(ctx, metaKey, metaData, ttl).Err(); err != nil {


     

       
182

       
+

       
		return fmt.Errorf("failed to save session metadata: %w", err)


     

       
183

       
+

       
	}


     

       
184

       
+

       



     

       
185

       
 

       
	return nil


     

       
186

       
 

       
}


     

       
187

       
 

       



     

       
188

       
 

       
func (r *RedisStore) DeleteSession(ctx context.Context, did syntax.DID, sessionID string) error {


     

       
189

       
 

       
	key := sessionKey(did, sessionID)


     

       
190

       
+

       
	metaKey := sessionMetadataKey(did, sessionID)


     

       
191

       
+

       



     

       
192

       
+

       
	if err := r.client.Del(ctx, key, metaKey).Err(); err != nil {


     

       
193

       
 

       
		return fmt.Errorf("failed to delete session: %w", err)


     

       
194

       
 

       
	}


     

       
195

       
 

       
	return nil


     
···

       
230

       
 

       
		return fmt.Errorf("failed to marshal auth request: %w", err)


     

       
231

       
 

       
	}


     

       
232

       
 

       



     

       
233

       
+

       
	if err := r.client.Set(ctx, key, data, r.cfg.AuthRequestExpiryDuration).Err(); err != nil {


     

       
234

       
 

       
		return fmt.Errorf("failed to save auth request: %w", err)


     

       
235

       
 

       
	}


     

       
236