No longer hash auth tokens + store the token scopes

This partially reverts commit c57aefd48b. The code to check against hashed tokens remains, because existing tokens should still work. The unhashed tokens are necessary for fetching badges from Blender ID.
2018-09-11 16:11:44 +02:00
parent a753637e70
commit 85eab0c6cb
8 changed files with 27 additions and 43 deletions
--- a/pillar/api/eve_settings.py
+++ b/pillar/api/eve_settings.py
@@ -368,11 +368,11 @@ tokens_schema = {
    },
    'token': {
        'type': 'string',
-        'required': False,
+        'required': True,
    },
    'token_hashed': {
        'type': 'string',
-        'required': True,
+        'required': False,
    },
    'expire_time': {
        'type': 'datetime',
--- a/pillar/api/local_auth.py
+++ b/pillar/api/local_auth.py
@@ -94,17 +94,10 @@ def generate_and_store_token(user_id, days=15, prefix=b'') -> dict:

    # Use 'xy' as altargs to prevent + and / characters from appearing.
    # We never have to b64decode the string anyway.
-    token_bytes = prefix + base64.b64encode(random_bits, altchars=b'xy').strip(b'=')
-    token = token_bytes.decode('ascii')
+    token = prefix + base64.b64encode(random_bits, altchars=b'xy').strip(b'=')

    token_expiry = utcnow() + datetime.timedelta(days=days)
-    token_data = store_token(user_id, token, token_expiry)
-
-    # Include the token in the returned document so that it can be stored client-side,
-    # in configuration, etc.
-    token_data['token'] = token
-
-    return token_data
+    return store_token(user_id, token.decode('ascii'), token_expiry)


 def hash_password(password: str, salt: typing.Union[str, bytes]) -> str:
--- a/pillar/api/utils/authentication.py
+++ b/pillar/api/utils/authentication.py
@@ -200,7 +200,7 @@ def remove_token(token: str):
    tokens_coll = current_app.db('tokens')
    token_hashed = hash_auth_token(token)

-    # TODO: remove matching on unhashed tokens once all tokens have been hashed.
+    # TODO: remove matching on hashed tokens once all hashed tokens have expired.
    lookup = {'$or': [{'token': token}, {'token_hashed': token_hashed}]}
    del_res = tokens_coll.delete_many(lookup)
    log.debug('Removed token %r, matched %d documents', token, del_res.deleted_count)
@@ -212,7 +212,7 @@ def find_token(token, is_subclient_token=False, **extra_filters):
    tokens_coll = current_app.db('tokens')
    token_hashed = hash_auth_token(token)

-    # TODO: remove matching on unhashed tokens once all tokens have been hashed.
+    # TODO: remove matching on hashed tokens once all hashed tokens have expired.
    lookup = {'$or': [{'token': token}, {'token_hashed': token_hashed}],
              'is_subclient_token': True if is_subclient_token else {'$in': [False, None]},
              'expire_time': {"$gt": utcnow()}}
@@ -246,7 +246,7 @@ def store_token(user_id, token: str, token_expiry, oauth_subclient_id=False,

    token_data = {
        'user': user_id,
-        'token_hashed': hash_auth_token(token),
+        'token': token,
        'expire_time': token_expiry,
    }
    if oauth_subclient_id:
--- a/pillar/config.py
+++ b/pillar/config.py
@@ -29,6 +29,7 @@ DEBUG = False
 SECRET_KEY = ''

 # Authentication token hashing key. If empty falls back to UTF8-encoded SECRET_KEY with a warning.
+# Not used to hash new tokens, but it is used to check pre-existing hashed tokens.
 AUTH_TOKEN_HMAC_KEY = b''

 # Authentication settings