is: Reject access tokens and refreshes past session expiry

Author: vlasebian

CHANGELOG.md

@@ -13,7 +13,7 @@ For details about compatibility between different releases, see the **Commitment
 
 - Add tracing for LBS LNS and TTIGW protocol handlers.
 - TTGC LBS Root CUPS claiming support.
-- Configurable Identity Server user login session TTL via `is.user-login.session-ttl`. Defaults to `0` (no expiry, matching previous behavior). When set, the auth cookie becomes persistent with a matching `Max-Age`.
+- Configurable Identity Server user login session TTL via `is.user-login.session-ttl`. Defaults to `0` (no expiry, matching previous behavior). When set, the auth cookie becomes persistent with a matching `Max-Age`, and OAuth access tokens linked to a session are rejected once the session has expired — covering the Console API path.
 
 ### Changed
 

pkg/identityserver/entity_access.go

@@ -197,6 +197,18 @@ func (is *IdentityServer) authInfo(ctx context.Context) (info *ttnpb.AuthInfoRes
 			if expiresAt := ttnpb.StdTime(accessToken.ExpiresAt); expiresAt != nil && expiresAt.Before(time.Now()) {
 				return errTokenExpired.New()
 			}
+			if accessToken.UserSessionId != "" {
+				session, err := st.GetSession(ctx, accessToken.UserIds, accessToken.UserSessionId)
+				if err != nil {
+					if errors.IsNotFound(err) {
+						return errTokenExpired.WithCause(err)
+					}
+					return err
+				}
+				if expiresAt := ttnpb.StdTime(session.ExpiresAt); expiresAt != nil && expiresAt.Before(time.Now()) {
+					return errTokenExpired.New()
+				}
+			}
 			accessToken.AccessToken, accessToken.RefreshToken = "", ""
 			accessToken.Rights = ttnpb.RightsFrom(accessToken.Rights...).Implied().GetRights()
 			res.AccessMethod = &ttnpb.AuthInfoResponse_OauthAccessToken{

pkg/oauth/server_test.go

@@ -753,6 +753,7 @@ func TestTokenExchange(t *testing.T) {
 			Name: "Exchange Refresh Token",
 			StoreSetup: func(s *mockStore) {
 				s.res.client = mockClient
+				s.res.session = mockSession
 				s.res.accessToken = &ttnpb.OAuthAccessToken{
 					UserIds:       mockUser.GetIds(),
 					ClientIds:     mockClient.GetIds(),
@@ -788,6 +789,43 @@ func TestTokenExchange(t *testing.T) {
 				a.So(s.req.previousID, should.Equal, "IBTFXELDVVT64Y26IZZFFNSL7GWZY2Y3ALQQI3A")
 			},
 		},
+		{
+			Name: "Exchange Refresh Token with Expired Session",
+			StoreSetup: func(s *mockStore) {
+				s.res.client = mockClient
+				s.res.session = &ttnpb.UserSession{
+					UserIds:   mockUser.GetIds(),
+					SessionId: mockSession.SessionId,
+					CreatedAt: timestamppb.New(now.Add(-2 * time.Hour)),
+					ExpiresAt: timestamppb.New(now.Add(-time.Hour)),
+				}
+				s.res.accessToken = &ttnpb.OAuthAccessToken{
+					UserIds:       mockUser.GetIds(),
+					ClientIds:     mockClient.GetIds(),
+					UserSessionId: mockSession.SessionId,
+					Id:            "SFUBFRKYTGULGPAXXM4SHIBYMKCPTIMQBM63ZGQ",
+					RefreshToken:  "PBKDF2$sha256$20000$IGAiKs46xX_M64E5$4xpyqnQT8SOa_Vf4xhEPk6WOZnhmAjG2mqGQiYBhm2s",
+					Rights:        mockClient.Rights,
+					CreatedAt:     timestamppb.New(now),
+					ExpiresAt:     timestamppb.New(anHourFromNow),
+				}
+			},
+			Method: "POST",
+			Path:   "/oauth/token",
+			Body: map[string]string{
+				"grant_type":    "refresh_token",
+				"refresh_token": "OJSWM.IBTFXELDVVT64Y26IZZFFNSL7GWZY2Y3ALQQI3A.GCPIASDUP7UZJ6YL5OP2ESZB7CKRFV4JJQYTMDOSDIOE7O75IAMQ",
+				"client_id":     "client",
+				"client_secret": "secret",
+			},
+			ExpectedCode: http.StatusUnauthorized,
+			StoreCheck: func(t *testing.T, s *mockStore) {
+				a := assertions.New(t)
+				a.So(s.calls, should.Contain, "GetAccessToken")
+				a.So(s.calls, should.Contain, "GetSession")
+				a.So(s.calls, should.NotContain, "CreateAccessToken")
+			},
+		},
 	} {
 		name := tt.Name
 		if name == "" {

pkg/oauth/storage.go

@@ -179,6 +179,8 @@ var errNoRefreshToken = errors.DefineInvalidArgument(
 
 var errInvalidToken = errors.DefineInvalidArgument("token", "invalid token")
 
+var errSessionExpired = errors.DefineUnauthenticated("session_expired", "session expired")
+
 func (s *storage) SaveAccess(data *osin.AccessData) error {
 	var accessHash, refreshHash string
 	tokenType, accessID, accessKey, err := auth.SplitToken(data.AccessToken)
@@ -313,6 +315,24 @@ func (s *storage) LoadRefresh(token string) (*osin.AccessData, error) {
 	if !valid || err != nil {
 		return nil, errInvalidToken.New()
 	}
+	if userSessionIDs := data.UserData.(userData).UserSessionIdentifiers; userSessionIDs.GetSessionId() != "" {
+		err = s.store.Transact(s.ctx, func(ctx context.Context, st oauth_store.Interface) error {
+			session, err := st.GetSession(ctx, userSessionIDs.GetUserIds(), userSessionIDs.GetSessionId())
+			if err != nil {
+				if errors.IsNotFound(err) {
+					return errSessionExpired.WithCause(err)
+				}
+				return err
+			}
+			if expiresAt := ttnpb.StdTime(session.ExpiresAt); expiresAt != nil && expiresAt.Before(time.Now()) {
+				return errSessionExpired.New()
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+	}
 	return data, nil
 }