liz/wikijs-fork
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: revalidate tokens created prior to server startup

Browse Source
This commit is contained in:
NGPixel
2020-06-25 22:04:21 -04:00
parent 92b29d1f06
commit 98f21b9f6a
2 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
server/core/auth.js
View File

@@ -115,27 +115,30 @@ module.exports = {
let mustRevalidate = false let mustRevalidate = false
// Expired but still valid within N days, just renew // Expired but still valid within N days, just renew
if (info instanceof Error && info.name === 'TokenExpiredError' && DateTime.utc().minus(ms(WIKI.config.auth.tokenRenewal)) < DateTime.fromSeconds(info.expiredAt)) { if (info instanceof Error && info.name === 'TokenExpiredError' && DateTime.utc().minus(ms(WIKI.config.auth.tokenRenewal)) < DateTime.fromISO(info.expiredAt)) {
mustRevalidate = true mustRevalidate = true
} }
// Check if user / group is in revokation list // Check if user / group is in revokation list
if (user) { if (user && !mustRevalidate) {
const uRevalidate = WIKI.auth.revokationList.get(`u${_.toString(user.id)}`) const uRevalidate = WIKI.auth.revokationList.get(`u${_.toString(user.id)}`)
if (uRevalidate && user.iat < uRevalidate) { if (uRevalidate && user.iat < uRevalidate) {
mustRevalidate = true mustRevalidate = true
} } else if (DateTime.fromSeconds(user.iat) <= WIKI.startedAt) { // Prevent new / restarted instance from allowing revoked tokens
for (const gid of user.groups) { mustRevalidate = true
const gRevalidate = WIKI.auth.revokationList.get(`g${_.toString(gid)}`) } else {
if (gRevalidate && user.iat < gRevalidate) { for (const gid of user.groups) {
mustRevalidate = true const gRevalidate = WIKI.auth.revokationList.get(`g${_.toString(gid)}`)
if (gRevalidate && user.iat < gRevalidate) {
mustRevalidate = true
break
}
} }
} }
} }
// Revalidate and renew token // Revalidate and renew token
if (mustRevalidate) { if (mustRevalidate) {
console.info('MUST REVALIDATE')
const jwtPayload = jwt.decode(securityHelper.extractJWT(req)) const jwtPayload = jwt.decode(securityHelper.extractJWT(req))
try { try {
const newToken = await WIKI.models.users.refreshToken(jwtPayload.id) const newToken = await WIKI.models.users.refreshToken(jwtPayload.id)

4
server/index.js
View File

@@ -5,6 +5,7 @@
const path = require('path') const path = require('path')
const { nanoid } = require('nanoid') const { nanoid } = require('nanoid')
const { DateTime } = require('luxon')
let WIKI = { let WIKI = {
IS_DEBUG: process.env.NODE_ENV === 'development', IS_DEBUG: process.env.NODE_ENV === 'development',
@@ -14,7 +15,8 @@ let WIKI = {
SERVERPATH: path.join(process.cwd(), 'server'), SERVERPATH: path.join(process.cwd(), 'server'),
Error: require('./helpers/error'), Error: require('./helpers/error'),
configSvc: require('./core/config'), configSvc: require('./core/config'),
kernel: require('./core/kernel') kernel: require('./core/kernel'),
startedAt: DateTime.utc()
} }
global.WIKI = WIKI global.WIKI = WIKI