From 7edac3843506ee098a6f23a006ac2679236cae21 Mon Sep 17 00:00:00 2001 From: tanshu Date: Sat, 30 May 2020 14:09:38 +0530 Subject: [PATCH] Sliding session implemented by using jwt interceptor to refresh the token 10 minutes before expiry --- brewman/routers/login.py | 7 +-- brewman/routers/voucher.py | 1 - overlord/src/app/auth/auth.service.ts | 36 ++++++++++- .../src/app/core/http-auth-interceptor.ts | 62 +++++++++++-------- overlord/src/app/core/jwt.interceptor.ts | 10 +++ overlord/src/app/core/user.ts | 2 +- 6 files changed, 84 insertions(+), 34 deletions(-) diff --git a/brewman/routers/login.py b/brewman/routers/login.py index 364f550b..f17edc53 100644 --- a/brewman/routers/login.py +++ b/brewman/routers/login.py @@ -1,13 +1,13 @@ from datetime import timedelta -from fastapi import APIRouter, Depends, HTTPException, status +from fastapi import APIRouter, Depends, HTTPException, status, Security from fastapi.security import OAuth2PasswordRequestForm from sqlalchemy.orm import Session from ..core.security import ( Token, authenticate_user, ACCESS_TOKEN_EXPIRE_MINUTES, - create_access_token, get_user, + create_access_token, get_current_active_user, ) from ..db.session import SessionLocal from ..schemas.auth import UserToken @@ -59,8 +59,7 @@ async def login_for_access_token( @router.post("/refresh", response_model=Token) async def refresh_token( - db: Session = Depends(get_db), - user: UserToken = Depends(get_user) + user: UserToken = Security(get_current_active_user) ): access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) access_token = create_access_token( diff --git a/brewman/routers/voucher.py b/brewman/routers/voucher.py index dd9f12fd..c27d986e 100644 --- a/brewman/routers/voucher.py +++ b/brewman/routers/voucher.py @@ -31,7 +31,6 @@ from brewman.models.voucher import ( ) from brewman.routers import get_lock_info from brewman.core.session import get_first_day -from ..schemas import to_camel from ..schemas.auth import UserToken from ..core.security import get_current_active_user as get_user from ..db.session import SessionLocal diff --git a/overlord/src/app/auth/auth.service.ts b/overlord/src/app/auth/auth.service.ts index 78dbcf18..16aafdcb 100644 --- a/overlord/src/app/auth/auth.service.ts +++ b/overlord/src/app/auth/auth.service.ts @@ -6,6 +6,9 @@ import {map} from 'rxjs/operators'; import {User} from '../core/user'; const loginUrl = '/token'; +const refreshUrl = '/refresh'; +const JWT_USER = 'JWT_USER'; +const ACCESS_TOKEN_REFRESH_MINUTES = 10; // refresh token 10 minutes before expiry @Injectable({providedIn: 'root'}) export class AuthService { @@ -13,7 +16,7 @@ export class AuthService { public currentUser: Observable; constructor(private http: HttpClient) { - this.currentUserSubject = new BehaviorSubject(JSON.parse(localStorage.getItem('currentUser'))); + this.currentUserSubject = new BehaviorSubject(JSON.parse(localStorage.getItem(JWT_USER))); this.currentUser = this.currentUserSubject.asObservable(); } @@ -31,7 +34,7 @@ export class AuthService { .pipe(map(u => this.parseJwt(u))) .pipe(map(user => { // store user details and jwt token in local storage to keep user logged in between page refreshes - localStorage.setItem('currentUser', JSON.stringify(user)); + localStorage.setItem(JWT_USER, JSON.stringify(user)); this.currentUserSubject.next(user); return user; })); @@ -55,9 +58,36 @@ export class AuthService { }); } + needsRefreshing(): boolean { + + // We use this line to debug token refreshing + // console.log("\n", Date.now(), ": Date.now()\n", this.user.exp * 1000, ": user.exp\n",(this.user.exp - (ACCESS_TOKEN_REFRESH_MINUTES * 60)) * 1000, ": comp"); + return Date.now() > (this.user.exp - (ACCESS_TOKEN_REFRESH_MINUTES * 60)) * 1000; + } + + expired(): boolean { + return Date.now() > this.user.exp * 1000; + } + logout() { // remove user from local storage to log user out - localStorage.removeItem('currentUser'); + localStorage.removeItem(JWT_USER); this.currentUserSubject.next(null); } + + getJwtToken() { + return JSON.parse(localStorage.getItem(JWT_USER)).access_token; + } + + refreshToken() { + return this.http.post(refreshUrl, {}) + .pipe(map(u => u.access_token)) + .pipe(map(u => this.parseJwt(u))) + .pipe(map(user => { + // store user details and jwt token in local storage to keep user logged in between page refreshes + localStorage.setItem(JWT_USER, JSON.stringify(user)); + this.currentUserSubject.next(user); + return user; + })); + } } diff --git a/overlord/src/app/core/http-auth-interceptor.ts b/overlord/src/app/core/http-auth-interceptor.ts index f4f9a139..d05f3410 100644 --- a/overlord/src/app/core/http-auth-interceptor.ts +++ b/overlord/src/app/core/http-auth-interceptor.ts @@ -10,30 +10,42 @@ import { ConfirmDialogComponent } from '../shared/confirm-dialog/confirm-dialog. @Injectable() export class ErrorInterceptor implements HttpInterceptor { - constructor(private authService: AuthService, private router: Router, private dialog: MatDialog, private toaster: ToasterService) { } + constructor(private authService: AuthService, private router: Router, private dialog: MatDialog, private toaster: ToasterService) { + } - intercept(request: HttpRequest, next: HttpHandler): Observable> { - return next.handle(request).pipe(catchError(err => { - if (err.status === 401) { - console.log('caught 401 in error interceptor'); - // auto logout if 401 response returned from api - this.authService.logout(); - this.toaster.show('Danger', 'User has been logged out'); - const dialogRef = this.dialog.open(ConfirmDialogComponent, { - width: '250px', - data: { - title: 'Logged out!', - content: 'You have been logged out.\nYou can press Cancel to stay on page and login in another tab to resume here, or you can press Ok to navigate to the login page.' - } - }); - dialogRef.afterClosed().subscribe((result: boolean) => { - if (result) { - this.router.navigate(['login']); - } - }); - } - const error = err.error.message || err.statusText; - return throwError(error); - })); - } + intercept(request: HttpRequest, next: HttpHandler): Observable> { + return next.handle(request).pipe(catchError(err => { + // We don't want to refresh token for some requests like login or refresh token itself + // So we verify url and we throw an error if it's the case + if (request.url.includes('/refresh') || request.url.includes('/token')) { + // We do another check to see if refresh token failed + // In this case we want to logout user and to redirect it to login page + if (request.url.includes('/refresh')) { + this.authService.logout(); + } + return throwError(err); + } + // If error status is different than 401 we want to skip refresh token + // So we check that and throw the error if it's the case + if (err.status !== 401) { + const error = err.error.message || err.error.detail || err.statusText; + return throwError(error); + } + // auto logout if 401 response returned from api + this.authService.logout(); + this.toaster.show('Danger', 'User has been logged out'); + const dialogRef = this.dialog.open(ConfirmDialogComponent, { + width: '250px', + data: { + title: 'Logged out!', + content: 'You have been logged out.\nYou can press Cancel to stay on page and login in another tab to resume here, or you can press Ok to navigate to the login page.' + } + }); + dialogRef.afterClosed().subscribe((result: boolean) => { + if (result) { + this.router.navigate(['login']); + } + }); + })); + } } diff --git a/overlord/src/app/core/jwt.interceptor.ts b/overlord/src/app/core/jwt.interceptor.ts index 9d853f91..4c4bfef2 100644 --- a/overlord/src/app/core/jwt.interceptor.ts +++ b/overlord/src/app/core/jwt.interceptor.ts @@ -6,11 +6,20 @@ import {AuthService} from '../auth/auth.service'; @Injectable() export class JwtInterceptor implements HttpInterceptor { + private isRefreshing = false; + constructor(private authService: AuthService) { } intercept(request: HttpRequest, next: HttpHandler): Observable> { // add authorization header with jwt token if available + + // We use this line to debug token refreshing + // console.log("intercepting:\nisRefreshing: ", this.isRefreshing, "\n user: ", this.authService.user,"\n needsRefreshing: ", this.authService.needsRefreshing()); + if (!this.isRefreshing && this.authService.user && this.authService.needsRefreshing()) { + this.isRefreshing = true; + this.authService.refreshToken().subscribe( x=> this.isRefreshing = false); + } const currentUser = this.authService.user; if (currentUser?.access_token) { request = request.clone({ @@ -20,6 +29,7 @@ export class JwtInterceptor implements HttpInterceptor { }); } + return next.handle(request); } } diff --git a/overlord/src/app/core/user.ts b/overlord/src/app/core/user.ts index 9bf7d5e3..c9bc46fd 100644 --- a/overlord/src/app/core/user.ts +++ b/overlord/src/app/core/user.ts @@ -7,7 +7,7 @@ export class User { perms: string[]; isAuthenticated: boolean; access_token?: string; - exp?: bigint; + exp?: number; public constructor(init?: Partial) { Object.assign(this, init);