anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): jti claim and token-revocation store

Browse Source 
Stateless JWTs had no revocation path: a stolen token stayed valid for
its full 24h even after the victim changed their password, and there was
no logout. This lays the foundation for revoking them.

- User.tokens_valid_from: per-user bulk-revocation cutoff (compared against
  the token's iat). RevokedToken(jti PK, exp): single-token denylist, pruned
  opportunistically on insert so it never outgrows live-but-revoked tokens.
- login() now mints a jti; create_access_token already stamps iat/exp.
- repo.revoke_token / is_token_revoked / set_tokens_valid_from (abstract +
  shared sqlmodel impl + DummyRepo coverage stubs).
- Centralized validate path in dependencies.py: every auth dependency now
  resolves the user and fails closed on (1) missing jti (legacy/pre-deploy
  token -> one forced re-login), (2) iat before the cutoff, (3) a denylisted
  jti. Denylist lookups ride a 10s membership cache mirroring the user cache.
- Contract/fuzz harness seeds its fixed-uuid principal under
  DECNET_CONTRACT_TEST so its minted token resolves to a live admin user.
This commit is contained in:
anti
2026-05-30 18:18:41 -04:00
parent fdb6507c6f
commit 698ecaa322
11 changed files with 392 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
tests/web/test_web_api.py
View File

@@ -16,11 +16,22 @@ from decnet.web.auth import create_access_token
class TestGetCurrentUser:
@pytest.mark.asyncio
async def test_valid_token(self):
# Post token-revocation, get_current_user resolves the user and checks
# the denylist, so a valid token must carry a jti, name a live user, and
# not be revoked.
from decnet.web import dependencies as deps
from decnet.web.dependencies import get_current_user
token = create_access_token({"uuid": "test-uuid-123"})
deps._reset_user_cache()
token = create_access_token({"uuid": "test-uuid-123", "jti": "jti-1"})
request = MagicMock()
request.headers = {"Authorization": f"Bearer {token}"}
result = await get_current_user(request)
user = {
"uuid": "test-uuid-123", "role": "viewer",
"must_change_password": False, "tokens_valid_from": None,
}
with patch.object(deps.repo, "get_user_by_uuid", AsyncMock(return_value=user)), \
patch.object(deps.repo, "is_token_revoked", AsyncMock(return_value=False)):
result = await get_current_user(request)
assert result == "test-uuid-123"
@pytest.mark.asyncio