Improve session handling

OpenSlides · Dec 5, 2023 · 455f5ea · 455f5ea
1 parent 86b7892
commit 455f5ea
Show file tree

Hide file tree

Showing 31 changed files with 330 additions and 66 deletions.
diff --git a/Dockerfile.test b/Dockerfile.test
@@ -24,6 +24,8 @@ COPY auth/nodemon.json ./
 COPY auth/tsconfig*.json ./
 COPY auth/wait-for.sh ./
 
+RUN chmod 777 -R .
+
 EXPOSE 9004
 
 ENV OPENSLIDES_DEVELOPMENT 1

diff --git a/Makefile b/Makefile
@@ -7,17 +7,16 @@ build-dev:
 build-test:
 	docker build -t openslides-auth-dev -f Dockerfile.test .
 
-run-dev: | build-dev
+run-dev-standalone: | build-dev
 	docker-compose -f docker-compose.dev.yml up
 	stop-dev
 
 run-pre-test: | build-test
 	docker-compose -f docker-compose.dev.yml up -d
 	docker-compose -f docker-compose.dev.yml exec -T auth ./wait-for.sh auth:9004
 
-run-bash: | run-pre-test
-	docker-compose -f docker-compose.dev.yml exec auth sh
-	docker-compose -f docker-compose.dev.yml down
+run-bash run-dev: | run-pre-test
+	USER_ID=$$(id -u $${USER}) GROUP_ID=$$(id -g $${USER}) docker-compose -f docker-compose.dev.yml exec auth sh
 
 run-check-lint:
 	docker-compose -f docker-compose.dev.yml exec -T auth npm run lint-check

diff --git a/auth/libraries/pip-auth/authlib/auth_handler.py b/auth/libraries/pip-auth/authlib/auth_handler.py
@@ -3,8 +3,11 @@
 from requests import Response
 
 from .constants import ANONYMOUS_USER
+from .database import Database
+from .exceptions import AuthorizationException
 from .hashing_handler import HashingHandler
 from .http_handler import HttpHandler
+from .session_handler import SessionHandler
 from .token_factory import TokenFactory
 from .validator import Validator
 
@@ -17,12 +20,16 @@ class AuthHandler:
     optionally be passed.
     """
 
+    TOKEN_DB_KEY = "tokens"
+
     def __init__(self, debug_fn: Any = print) -> None:
         self.debug_fn = debug_fn
         self.http_handler = HttpHandler(debug_fn)
         self.validator = Validator(self.http_handler, debug_fn)
         self.token_factory = TokenFactory(self.http_handler, debug_fn)
         self.hashing_handler = HashingHandler()
+        self.database = Database(AuthHandler.TOKEN_DB_KEY, debug_fn)
+        self.session_handler = SessionHandler(debug_fn)
 
     def authenticate(
         self, access_token: Optional[str], refresh_id: Optional[str]
@@ -64,4 +71,11 @@ def create_authorization_token(self, user_id: int, email: str) -> Response:
         return self.token_factory.create(user_id, email)
 
     def verify_authorization_token(self, authorization_token: str) -> Tuple[int, str]:
-        return self.validator.verify_authorization_token(authorization_token)
+        if self.database.get(authorization_token):
+            raise AuthorizationException("Token is already used")
+        result = self.validator.verify_authorization_token(authorization_token)
+        self.database.set(authorization_token, True, True)
+        return result
+
+    def clear_all_sessions(self, access_token: str, refresh_id: str) -> None:
+        return self.session_handler.clear_all_sessions(access_token, refresh_id)
diff --git a/auth/libraries/pip-auth/authlib/constants.py b/auth/libraries/pip-auth/authlib/constants.py
@@ -3,3 +3,5 @@
 COOKIE_NAME = "refreshId"
 USER_ID_PROPERTY = "userId"
 ANONYMOUS_USER = 0
+
+PASSWORD_RESET_TOKEN_EXPIRATION_TIME = 600
diff --git a/auth/libraries/pip-auth/authlib/database.py b/auth/libraries/pip-auth/authlib/database.py
@@ -0,0 +1,36 @@
+import json
+import os
+from typing import Any
+
+import redis
+
+from .constants import PASSWORD_RESET_TOKEN_EXPIRATION_TIME
+
+
+class Database:
+    AUTH_PREFIX = "auth"
+
+    def __init__(self, prefix: str, debug_fn: Any = print) -> None:
+        self.prefix = prefix
+        self.debug_fn = debug_fn
+        host = os.environ.get("CACHE_HOST", "localhost")
+        port = int(os.environ.get("CACHE_PORT", 6379))
+        self.redis = redis.Redis(host=host, port=port)
+
+    def set(self, key: str, obj: Any, expire: bool = False) -> None:
+        redisKey = self.getPrefixedKey(key)
+        self.redis.hset(redisKey, redisKey, json.dumps(obj))
+        if expire:
+            self.redis.expire(redisKey, PASSWORD_RESET_TOKEN_EXPIRATION_TIME)
+
+    def get(self, key: str) -> Any:
+        redisKey = self.getPrefixedKey(key)
+        data = self.redis.hget(redisKey, redisKey)
+        if data:
+            return json.loads(data)
+
+    def getPrefix(self) -> str:
+        return f"{Database.AUTH_PREFIX}:{self.prefix}"
+
+    def getPrefixedKey(self, key: str) -> str:
+        return f"{self.getPrefix()}:{key}"
diff --git a/auth/libraries/pip-auth/authlib/exceptions.py b/auth/libraries/pip-auth/authlib/exceptions.py
@@ -14,6 +14,11 @@ def __init__(self, message: str) -> None:
         super().__init__(message)
 
 
+class AuthorizationException(BaseException):
+    def __init__(self, message: str) -> None:
+        super().__init__(message)
+
+
 class SecretException(BaseException):
     def __init__(self, message: str) -> None:
         super().__init__(message)

diff --git a/auth/libraries/pip-auth/authlib/http_handler.py b/auth/libraries/pip-auth/authlib/http_handler.py
@@ -1,8 +1,10 @@
 import os
 from typing import Any
+from urllib import parse
 
 import requests
 
+from .constants import AUTHENTICATION_HEADER, COOKIE_NAME
 from .exceptions import AuthenticateException
 
 
@@ -21,23 +23,31 @@ def get_endpoint(self, debug_fn: Any = print) -> str:
     def send_request(
         self, path: str, payload=None, headers=None, cookies=None
     ) -> requests.Response:
-        try:
-            url = f"{self.auth_endpoint}/system/auth{self.format_url(path)}"
-            self.debug_fn(f"Send request to {url}")
-            response = requests.post(
-                url, data=payload, headers=headers, cookies=cookies
-            )
-        except requests.exceptions.ConnectionError as e:
-            raise AuthenticateException(
-                f"Cannot reach the authentication service on {url}. Error: {e}"
-            )
-        return response
+        path = f"/system/auth{self.format_url(path)}"
+        return self.__send_request(path, payload, headers, cookies)
 
     def send_internal_request(
         self, path: str, payload=None, headers=None, cookies=None
+    ) -> requests.Response:
+        path = f"/internal/auth{self.format_url(path)}"
+        return self.__send_request(path, payload, headers, cookies)
+
+    def send_secure_request(
+        self, path: str, token: str, cookie: str, payload=None
+    ) -> requests.Response:
+        path = f"/system/auth/secure{self.format_url(path)}"
+        return self.__send_request(
+            path,
+            payload,
+            {AUTHENTICATION_HEADER: token},
+            {COOKIE_NAME: parse.quote(cookie)},
+        )
+
+    def __send_request(
+        self, path: str, payload: Any, headers: Any, cookies: Any
     ) -> requests.Response:
         try:
-            url = f"{self.auth_endpoint}/internal/auth{self.format_url(path)}"
+            url = f"{self.auth_endpoint}{path}"
             response = requests.post(
                 url, data=payload, headers=headers, cookies=cookies
             )

diff --git a/auth/libraries/pip-auth/authlib/message_bus.py b/auth/libraries/pip-auth/authlib/message_bus.py
@@ -0,0 +1,31 @@
+import os
+from collections import defaultdict
+from time import time
+from typing import Any, Dict, Optional
+
+import redis
+
+
+class MessageBus:
+    def __init__(self, debug_fn: Any = print) -> None:
+        self.debug_fn = debug_fn
+        host = os.environ.get("MESSAGE_BUS_HOST", "localhost")
+        port = int(os.environ.get("MESSAGE_BUS_PORT", 6379))
+        self.redis = redis.Redis(host=host, port=port)
+        self.last_ids: Dict[str, str] = defaultdict(lambda: "0-0")
+
+    def xread(self, topic: str, max_age: Optional[int] = None) -> Any:
+        last_id = self.last_ids[topic]
+        last_timestamp = int(last_id.split("-")[0])
+        if max_age:
+            min_timestamp = round((time() - max_age) * 1000)
+            if min_timestamp > last_timestamp:
+                last_id = str(min_timestamp)
+        response = self.redis.xread({topic: last_id})
+        if response:
+            entries = response[0][1]
+            self.last_ids[topic] = entries[-1][0].decode()
+            return entries
+        else:
+            self.last_ids[topic] = last_id
+            return []
diff --git a/auth/libraries/pip-auth/authlib/session_handler.py b/auth/libraries/pip-auth/authlib/session_handler.py
@@ -0,0 +1,58 @@
+from time import time
+from typing import Any, Dict, Tuple
+
+from ordered_set import OrderedSet
+
+from .http_handler import HttpHandler
+from .message_bus import MessageBus
+
+
+class Session:
+    id: str
+    timestamp: int
+
+    def __init__(self, id: str, timestamp: int = 0) -> None:
+        self.id = id
+        self.timestamp = timestamp
+
+    def __eq__(self, other):
+        return isinstance(other, Session) and self.id == other.id
+
+    def __hash__(self):
+        return hash(self.id)
+
+
+class SessionHandler:
+    LOGOUT_TOPIC = "logout"
+    PRUNE_TIME = int(600 * 1.1)
+
+    invalid_sessions: OrderedSet[Session]
+
+    def __init__(self, debug_fn: Any = print) -> None:
+        self.debug_fn = debug_fn
+        self.http_handler = HttpHandler(debug_fn)
+        self.message_bus = MessageBus(debug_fn)
+        self.invalid_sessions = OrderedSet()
+
+    def update_invalid_sessions(self) -> None:
+        if len(self.invalid_sessions):
+            index = len(self.invalid_sessions) // 2
+            median = self.invalid_sessions[index]
+            if median.timestamp / 1000 < time() - self.PRUNE_TIME:
+                self.invalid_sessions = self.invalid_sessions[index + 1 :]
+        new_logouts = self.message_bus.xread(self.LOGOUT_TOPIC, self.PRUNE_TIME)
+        self.invalid_sessions.update(
+            [self.create_session(logout) for logout in new_logouts]
+        )
+
+    def create_session(self, logout_data: Tuple[bytes, Dict[bytes, bytes]]) -> Session:
+        timestamp = int(logout_data[0].decode().split("-")[0])
+        session_id = logout_data[1][b"sessionId"].decode()
+        return Session(session_id, timestamp)
+
+    def is_session_invalid(self, session_id: str) -> bool:
+        self.update_invalid_sessions()
+        return Session(session_id) in self.invalid_sessions
+
+    def clear_all_sessions(self, token: str, cookie: str) -> None:
+        self.http_handler.send_secure_request("clear-all-sessions", token, cookie)
diff --git a/auth/libraries/pip-auth/authlib/validator.py b/auth/libraries/pip-auth/authlib/validator.py
@@ -10,6 +10,7 @@
     InvalidCredentialsException,
 )
 from .http_handler import HttpHandler
+from .session_handler import SessionHandler
 
 
 class Validator:
@@ -22,6 +23,7 @@ def __init__(self, http_handler: HttpHandler, debug_fn: Any = print) -> None:
         self.http_handler = http_handler
         self.debug_fn = debug_fn
         self.environment = Environment(debug_fn)
+        self.session_handler = SessionHandler(debug_fn)
 
     def verify(
         self, token_encoded: str, cookie_encoded: str
@@ -32,8 +34,8 @@ def verify(
         read from the decoded jwt contained in the token.
         """
         self.debug_fn("Validator.verify")
-        self.__assert_instance_of_encoded_jwt(token_encoded, "Token")
-        self.__assert_instance_of_encoded_jwt(cookie_encoded, "Cookie")
+        self.__assert_instance_of_encoded_jwt(token_encoded)
+        self.__assert_instance_of_encoded_jwt(cookie_encoded)
         to_execute = lambda: [self.__verify_ticket(token_encoded, cookie_encoded), None]
         to_fallback = lambda: self.__verify_ticket_from_auth_service(
             token_encoded, cookie_encoded
@@ -58,6 +60,9 @@ def verify_only_cookie(self, cookie_encoded: str) -> int:
             cookie_encoded, self.environment.get_cookie_secret()
         )
         cookie = self.__exception_handler(get_cookie)
+        session_id = cookie.get("sessionId")
+        if self.session_handler.is_session_invalid(session_id):
+            raise AuthenticateException("The session is invalid")
         user_id = cookie.get(USER_ID_PROPERTY)
         if not isinstance(user_id, int):
             raise AuthenticateException("user_id is not an int")
@@ -71,6 +76,9 @@ def verify_authorization_token(self, authorization_token: str) -> Tuple[int, str
             authorization_token, self.environment.get_token_secret()
         )
         token = self.__exception_handler(get_token)
+        session_id = token.get("sessionId")
+        if self.session_handler.is_session_invalid(session_id):
+            raise AuthenticateException("The session is invalid")
         user_id = token.get(USER_ID_PROPERTY)
         email = token.get("email")
         if not isinstance(user_id, str):
@@ -83,16 +91,18 @@ def __verify_ticket(self, token_encoded: str, cookie_encoded: str) -> int:
         self.debug_fn("Validator.__verify_ticket")
         token_encoded = self.__get_jwt_from_bearer_jwt(token_encoded, "token")
         cookie_encoded = self.__get_jwt_from_bearer_jwt(cookie_encoded, "cookie")
-        # this may raise an ExpiredSignatureError. We check,
-        # if the cookies signature is valid
+        # check whether the cookie signature is valid
         self.__decode(cookie_encoded, self.environment.get_cookie_secret())
         token = self.__decode(token_encoded, self.environment.get_token_secret())
+        session_id = token["sessionId"]
+        if self.session_handler.is_session_invalid(session_id):
+            raise AuthenticateException("The session is invalid")
         user_id = token.get(USER_ID_PROPERTY)
         if not isinstance(user_id, int):
             raise AuthenticateException("user_id is not an int")
         return user_id
 
-    def __assert_instance_of_encoded_jwt(self, jwt: str, name: str = "jwt") -> None:
+    def __assert_instance_of_encoded_jwt(self, jwt: str) -> None:
         self.debug_fn("Validator.__assert_instance_of_encoded_jwt")
         if not isinstance(jwt, str):
             error_message = f"{jwt} is from type {type(jwt)} -- expected: string"
@@ -168,27 +178,29 @@ def __handle_unhandled_exception(self, exception: Any) -> None:
         self.debug_fn("Validator.__handle_unhandled_exception")
         if isinstance(exception, jwt.exceptions.ExpiredSignatureError):
             raise InvalidCredentialsException("The jwt is expired")
-        if isinstance(exception, jwt.exceptions.InvalidSignatureError):
+        elif isinstance(exception, jwt.exceptions.InvalidSignatureError):
             raise InvalidCredentialsException("The signature of the jwt is invalid")
-        if isinstance(exception, jwt.exceptions.InvalidTokenError):
+        elif isinstance(exception, jwt.exceptions.InvalidTokenError):
             raise InvalidCredentialsException("The jwt is invalid")
-        if isinstance(exception, jwt.exceptions.DecodeError):
+        elif isinstance(exception, jwt.exceptions.DecodeError):
             raise InvalidCredentialsException("The jwt is invalid")
-        if isinstance(exception, jwt.exceptions.InvalidAudienceError):
+        elif isinstance(exception, jwt.exceptions.InvalidAudienceError):
             raise InvalidCredentialsException("The audience of the jwt is invalid")
-        if isinstance(exception, jwt.exceptions.InvalidAlgorithmError):
+        elif isinstance(exception, jwt.exceptions.InvalidAlgorithmError):
             raise InvalidCredentialsException("Unsupported algorithm detected")
-        if isinstance(exception, jwt.exceptions.InvalidIssuerError):
+        elif isinstance(exception, jwt.exceptions.InvalidIssuerError):
             raise InvalidCredentialsException("Wrong issuer detected")
-        if isinstance(exception, jwt.exceptions.InvalidIssuedAtError):
+        elif isinstance(exception, jwt.exceptions.InvalidIssuedAtError):
             raise InvalidCredentialsException("The 'iat'-timestamp is in the future")
-        if isinstance(exception, jwt.exceptions.ImmatureSignatureError):
+        elif isinstance(exception, jwt.exceptions.ImmatureSignatureError):
             raise InvalidCredentialsException("The 'nbf'-timestamp is in the future")
-        if isinstance(exception, jwt.exceptions.MissingRequiredClaimError):
+        elif isinstance(exception, jwt.exceptions.MissingRequiredClaimError):
             raise InvalidCredentialsException(
                 "The jwt does not contain the required fields"
             )
-        if isinstance(exception, jwt.exceptions.InvalidKeyError):
+        elif isinstance(exception, jwt.exceptions.InvalidKeyError):
             raise InvalidCredentialsException(
                 "The specified key for the jwt has a wrong format"
             )
+        else:
+            raise exception
diff --git a/auth/libraries/pip-auth/py.typed b/auth/libraries/pip-auth/py.typed
diff --git a/auth/libraries/pip-auth/requirements.txt b/auth/libraries/pip-auth/requirements.txt
@@ -1,4 +1,6 @@
+argon2-cffi==23.1.0
+ordered-set==4.1.0
 pyjwt==2.6.0
+redis==4.6.0
 requests==2.31.0
 simplejson==3.18.0
-argon2-cffi==23.1.0
diff --git a/auth/libraries/pip-auth/requirements_development.txt b/auth/libraries/pip-auth/requirements_development.txt
@@ -5,4 +5,5 @@ isort==5.11.3
 mypy==0.991
 pytest==7.2.0
 
+types-redis==4.6.0.11
 types-requests==2.28.1