anti
9fc489258b
A stolen JWT used to survive a password reset for its full 24h. Now every session-invalidating change moves the user's tokens_valid_from cutoff to 'now', so all of that user's prior tokens 401 on next use: - self change-password, admin reset-password, role change all bump the cutoff (delete needs no bump: the row is gone, so the user lookup 401s). - Cutoff is compared against the token's iat floored to whole seconds, so a re-login in the same second as the change isn't caught by its own revocation (the cost is a <=1s grey zone on same-second-old tokens). - Per-user: changing one user never revokes another.
155 lines
5.1 KiB
Python
155 lines
5.1 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
import uuid as _uuid
|
|
from datetime import datetime, timezone
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException
|
|
|
|
from decnet.telemetry import traced as _traced
|
|
from decnet.web.auth import ahash_password
|
|
from decnet.web.dependencies import require_admin, invalidate_user_cache, repo
|
|
from decnet.web.router.config.api_get_config import invalidate_list_users_cache
|
|
from decnet.web.db.models import (
|
|
CreateUserRequest,
|
|
MessageResponse,
|
|
ResetUserPasswordRequest,
|
|
UpdateUserRoleRequest,
|
|
UserResponse,
|
|
)
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
@router.post(
|
|
"/config/users",
|
|
tags=["Configuration"],
|
|
response_model=UserResponse,
|
|
responses={
|
|
400: {"description": "Bad Request (e.g. malformed JSON)"},
|
|
401: {"description": "Could not validate credentials"},
|
|
403: {"description": "Admin access required"},
|
|
409: {"description": "Username already exists"},
|
|
422: {"description": "Validation error"},
|
|
},
|
|
)
|
|
@_traced("api.create_user")
|
|
async def api_create_user(
|
|
req: CreateUserRequest,
|
|
admin: dict = Depends(require_admin),
|
|
) -> UserResponse:
|
|
existing = await repo.get_user_by_username(req.username)
|
|
if existing:
|
|
raise HTTPException(status_code=409, detail="Username already exists")
|
|
|
|
user_uuid = str(_uuid.uuid4())
|
|
await repo.create_user({
|
|
"uuid": user_uuid,
|
|
"username": req.username,
|
|
"password_hash": await ahash_password(req.password),
|
|
"role": req.role,
|
|
"must_change_password": True, # nosec B105 — not a password
|
|
})
|
|
invalidate_list_users_cache()
|
|
return UserResponse(
|
|
uuid=user_uuid,
|
|
username=req.username,
|
|
role=req.role,
|
|
must_change_password=True,
|
|
)
|
|
|
|
|
|
@router.delete(
|
|
"/config/users/{user_uuid}",
|
|
tags=["Configuration"],
|
|
response_model=MessageResponse,
|
|
responses={
|
|
401: {"description": "Could not validate credentials"},
|
|
403: {"description": "Admin access required / cannot delete self"},
|
|
404: {"description": "User not found"},
|
|
},
|
|
)
|
|
@_traced("api.delete_user")
|
|
async def api_delete_user(
|
|
user_uuid: str,
|
|
admin: dict = Depends(require_admin),
|
|
) -> dict[str, str]:
|
|
if user_uuid == admin["uuid"]:
|
|
raise HTTPException(status_code=403, detail="Cannot delete your own account")
|
|
|
|
deleted = await repo.delete_user(user_uuid)
|
|
if not deleted:
|
|
raise HTTPException(status_code=404, detail="User not found")
|
|
# No token bump needed: the user row is gone, so _resolve_token already
|
|
# 401s any of their tokens (user lookup returns None).
|
|
invalidate_user_cache(user_uuid)
|
|
invalidate_list_users_cache()
|
|
return {"message": "User deleted"}
|
|
|
|
|
|
@router.put(
|
|
"/config/users/{user_uuid}/role",
|
|
tags=["Configuration"],
|
|
response_model=MessageResponse,
|
|
responses={
|
|
400: {"description": "Bad Request (e.g. malformed JSON)"},
|
|
401: {"description": "Could not validate credentials"},
|
|
403: {"description": "Admin access required / cannot change own role"},
|
|
404: {"description": "User not found"},
|
|
422: {"description": "Validation error"},
|
|
},
|
|
)
|
|
@_traced("api.update_user_role")
|
|
async def api_update_user_role(
|
|
user_uuid: str,
|
|
req: UpdateUserRoleRequest,
|
|
admin: dict = Depends(require_admin),
|
|
) -> dict[str, str]:
|
|
if user_uuid == admin["uuid"]:
|
|
raise HTTPException(status_code=403, detail="Cannot change your own role")
|
|
|
|
target = await repo.get_user_by_uuid(user_uuid)
|
|
if not target:
|
|
raise HTTPException(status_code=404, detail="User not found")
|
|
|
|
await repo.update_user_role(user_uuid, req.role)
|
|
# Revoke the target's sessions so a privilege change can't be outrun by an
|
|
# in-flight token carrying the old role.
|
|
await repo.set_tokens_valid_from(user_uuid, datetime.now(timezone.utc))
|
|
invalidate_user_cache(user_uuid)
|
|
invalidate_list_users_cache()
|
|
return {"message": "User role updated"}
|
|
|
|
|
|
@router.put(
|
|
"/config/users/{user_uuid}/reset-password",
|
|
tags=["Configuration"],
|
|
response_model=MessageResponse,
|
|
responses={
|
|
400: {"description": "Bad Request (e.g. malformed JSON)"},
|
|
401: {"description": "Could not validate credentials"},
|
|
403: {"description": "Admin access required"},
|
|
404: {"description": "User not found"},
|
|
422: {"description": "Validation error"},
|
|
},
|
|
)
|
|
@_traced("api.reset_user_password")
|
|
async def api_reset_user_password(
|
|
user_uuid: str,
|
|
req: ResetUserPasswordRequest,
|
|
admin: dict = Depends(require_admin),
|
|
) -> dict[str, str]:
|
|
target = await repo.get_user_by_uuid(user_uuid)
|
|
if not target:
|
|
raise HTTPException(status_code=404, detail="User not found")
|
|
|
|
await repo.update_user_password(
|
|
user_uuid,
|
|
await ahash_password(req.new_password),
|
|
must_change_password=True,
|
|
)
|
|
# Admin reset implies the old credential is burned — revoke the target's
|
|
# existing sessions so a leaked token can't survive the reset.
|
|
await repo.set_tokens_valid_from(user_uuid, datetime.now(timezone.utc))
|
|
invalidate_user_cache(user_uuid)
|
|
invalidate_list_users_cache()
|
|
return {"message": "Password reset successfully"}
|