anti
698ecaa322
Stateless JWTs had no revocation path: a stolen token stayed valid for its full 24h even after the victim changed their password, and there was no logout. This lays the foundation for revoking them. - User.tokens_valid_from: per-user bulk-revocation cutoff (compared against the token's iat). RevokedToken(jti PK, exp): single-token denylist, pruned opportunistically on insert so it never outgrows live-but-revoked tokens. - login() now mints a jti; create_access_token already stamps iat/exp. - repo.revoke_token / is_token_revoked / set_tokens_valid_from (abstract + shared sqlmodel impl + DummyRepo coverage stubs). - Centralized validate path in dependencies.py: every auth dependency now resolves the user and fails closed on (1) missing jti (legacy/pre-deploy token -> one forced re-login), (2) iat before the cutoff, (3) a denylisted jti. Denylist lookups ride a 10s membership cache mirroring the user cache. - Contract/fuzz harness seeds its fixed-uuid principal under DECNET_CONTRACT_TEST so its minted token resolves to a live admin user.
105 lines
4.0 KiB
Python
105 lines
4.0 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""User CRUD."""
|
|
from __future__ import annotations
|
|
|
|
from datetime import datetime, timezone
|
|
from typing import Any, Optional
|
|
|
|
from sqlalchemy import delete, select, update
|
|
|
|
from decnet.web.db.models import RevokedToken, User
|
|
|
|
|
|
from decnet.web.db.sqlmodel_repo._helpers import _MixinBase
|
|
|
|
class AuthMixin(_MixinBase):
|
|
"""Mixin: composed onto ``SQLModelRepository``. Expects ``self._session()``.
|
|
|
|
``_ensure_admin_user`` stays in the package ``__init__`` so the
|
|
``DECNET_ADMIN_PASSWORD`` it reads remains addressable at the
|
|
``decnet.web.db.sqlmodel_repo`` module path (test monkeypatch surface).
|
|
"""
|
|
|
|
async def get_user_by_username(self, username: str) -> Optional[dict]:
|
|
async with self._session() as session:
|
|
result = await session.execute(
|
|
select(User).where(User.username == username)
|
|
)
|
|
user = result.scalar_one_or_none()
|
|
return user.model_dump() if user else None
|
|
|
|
async def get_user_by_uuid(self, uuid: str) -> Optional[dict]:
|
|
async with self._session() as session:
|
|
result = await session.execute(
|
|
select(User).where(User.uuid == uuid)
|
|
)
|
|
user = result.scalar_one_or_none()
|
|
return user.model_dump() if user else None
|
|
|
|
async def create_user(self, user_data: dict[str, Any]) -> None:
|
|
async with self._session() as session:
|
|
session.add(User(**user_data))
|
|
await session.commit()
|
|
|
|
async def update_user_password(
|
|
self, uuid: str, password_hash: str, must_change_password: bool = False
|
|
) -> None:
|
|
async with self._session() as session:
|
|
await session.execute(
|
|
update(User)
|
|
.where(User.uuid == uuid)
|
|
.values(
|
|
password_hash=password_hash,
|
|
must_change_password=must_change_password,
|
|
)
|
|
)
|
|
await session.commit()
|
|
|
|
async def list_users(self) -> list[dict]:
|
|
async with self._session() as session:
|
|
result = await session.execute(select(User))
|
|
return [u.model_dump() for u in result.scalars().all()]
|
|
|
|
async def delete_user(self, uuid: str) -> bool:
|
|
async with self._session() as session:
|
|
result = await session.execute(select(User).where(User.uuid == uuid))
|
|
user = result.scalar_one_or_none()
|
|
if not user:
|
|
return False
|
|
await session.delete(user)
|
|
await session.commit()
|
|
return True
|
|
|
|
async def update_user_role(self, uuid: str, role: str) -> None:
|
|
async with self._session() as session:
|
|
await session.execute(
|
|
update(User).where(User.uuid == uuid).values(role=role)
|
|
)
|
|
await session.commit()
|
|
|
|
async def revoke_token(self, jti: str, user_uuid: str, expires_at: datetime) -> None:
|
|
async with self._session() as session:
|
|
# Opportunistic prune — the denylist only needs unexpired tokens, so
|
|
# purge stale rows on every insert instead of a separate vacuum job.
|
|
await session.execute(
|
|
delete(RevokedToken).where(
|
|
RevokedToken.expires_at < datetime.now(timezone.utc)
|
|
)
|
|
)
|
|
if await session.get(RevokedToken, jti) is None:
|
|
session.add(
|
|
RevokedToken(jti=jti, user_uuid=user_uuid, expires_at=expires_at)
|
|
)
|
|
await session.commit()
|
|
|
|
async def is_token_revoked(self, jti: str) -> bool:
|
|
async with self._session() as session:
|
|
return await session.get(RevokedToken, jti) is not None
|
|
|
|
async def set_tokens_valid_from(self, user_uuid: str, ts: datetime) -> None:
|
|
async with self._session() as session:
|
|
await session.execute(
|
|
update(User).where(User.uuid == user_uuid).values(tokens_valid_from=ts)
|
|
)
|
|
await session.commit()
|