feat(auth): embed auth_time/idle_max/abs_max in refresh tokens at every login
Third commit in the session-expiration-policy series. Every refresh token issued from now on carries the policy snapshot in its JWT (in seconds, for direct Unix math), and every login/OAuth response surfaces both expiry windows as ISO timestamps. /auth/refresh carries the claims forward unchanged — including auth_time, which never resets on rotation. Does NOT yet enforce the absolute cap — that's commit 4, sequenced so the gate can be reverted independently if pilots hit an edge case. But the wire is fully populated, and a grandfather path is already in _refresh_session_tokens for tokens issued before this PR. Key changes: - core/security.py: create_refresh_token signature changes to (user_id, *, auth_time, idle_max_seconds, abs_max_seconds). Adds resolve_session_policy(account) -> (idle_minutes, absolute_minutes) applying defaults for NULL overrides. - schemas/token.py + schemas/oauth.py: Token and OAuthCallbackResponse gain idle_expires_at + absolute_expires_at (Optional[datetime], Pydantic emits ISO 8601 UTC strings). - endpoints/auth.py: new _mint_session_tokens(user, db) and _refresh_session_tokens(payload, user, db) helpers. /auth/login, /auth/login/json, and /auth/refresh now route through them. The refresh endpoint's pre-existing "Refresh token has been revoked" error normalized to the taxonomy detail "invalid_refresh_token". - endpoints/oauth.py: both Google and Microsoft callbacks call _mint_session_tokens; OAuthCallbackResponse carries the expiry fields through. - tests: two new cases in test_session_policy.py — login_json embeds the claims with strict defaults (3d/14d -> 259200/1209600 sec) and surfaces matching ISO expiry fields; refresh carries auth_time, idle_max, abs_max forward unchanged across rotation. 35/35 across test_session_policy + test_auth + test_oauth_callbacks + test_account_invite_lookup + test_account_management. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -20,6 +20,7 @@ from app.core.security import (
|
||||
create_email_verification_token,
|
||||
decode_token,
|
||||
hash_token,
|
||||
resolve_session_policy,
|
||||
)
|
||||
from app.models.user import User
|
||||
from app.models.invite_code import InviteCode
|
||||
@@ -67,6 +68,97 @@ async def store_refresh_token(db: AsyncSession, refresh_token_str: str, user_id)
|
||||
db.add(token_record)
|
||||
|
||||
|
||||
async def _mint_session_tokens(user: User, db: AsyncSession) -> Token:
|
||||
"""Mint a fresh refresh+access pair for a new login.
|
||||
|
||||
Snapshots the account's current session policy into the refresh JWT
|
||||
(auth_time/idle_max/abs_max) and registers the JTI in refresh_tokens.
|
||||
Caller is responsible for committing the session. Use this for every
|
||||
NEW login (password, OAuth, etc.) — for /auth/refresh use
|
||||
_refresh_session_tokens instead, which carries claims forward.
|
||||
|
||||
See docs/plans/2026-05-13-session-expiration-policy.md §4.6.
|
||||
"""
|
||||
account = (
|
||||
await db.execute(select(Account).where(Account.id == user.account_id))
|
||||
).scalar_one()
|
||||
idle_minutes, abs_minutes = resolve_session_policy(account)
|
||||
idle_max_seconds = idle_minutes * 60
|
||||
abs_max_seconds = abs_minutes * 60
|
||||
|
||||
now = datetime.now(timezone.utc)
|
||||
auth_time_unix = int(now.timestamp())
|
||||
|
||||
refresh_token_str = create_refresh_token(
|
||||
user_id=str(user.id),
|
||||
auth_time=auth_time_unix,
|
||||
idle_max_seconds=idle_max_seconds,
|
||||
abs_max_seconds=abs_max_seconds,
|
||||
)
|
||||
access_token = create_access_token(data={"sub": str(user.id)})
|
||||
await store_refresh_token(db, refresh_token_str, user.id)
|
||||
|
||||
return Token(
|
||||
access_token=access_token,
|
||||
refresh_token=refresh_token_str,
|
||||
token_type="bearer",
|
||||
must_change_password=user.must_change_password,
|
||||
idle_expires_at=now + timedelta(seconds=idle_max_seconds),
|
||||
absolute_expires_at=datetime.fromtimestamp(
|
||||
auth_time_unix + abs_max_seconds, tz=timezone.utc
|
||||
),
|
||||
)
|
||||
|
||||
|
||||
async def _refresh_session_tokens(
|
||||
payload: dict, user: User, db: AsyncSession
|
||||
) -> Token:
|
||||
"""Carry session-policy claims forward across a refresh-token rotation.
|
||||
|
||||
Grandfathers legacy tokens issued before this PR (no auth_time claim)
|
||||
by snapshotting the account's current policy and treating now() as
|
||||
auth_time — i.e. one free rotation under the new policy. Caller
|
||||
commits.
|
||||
|
||||
Does NOT enforce the absolute cap — that lands in the next commit so
|
||||
the cap can be rolled back independently if needed.
|
||||
"""
|
||||
auth_time = payload.get("auth_time")
|
||||
idle_max_seconds = payload.get("idle_max")
|
||||
abs_max_seconds = payload.get("abs_max")
|
||||
|
||||
if auth_time is None or idle_max_seconds is None or abs_max_seconds is None:
|
||||
# Grandfather path — legacy token from before the session-policy PR.
|
||||
account = (
|
||||
await db.execute(select(Account).where(Account.id == user.account_id))
|
||||
).scalar_one()
|
||||
idle_minutes, abs_minutes = resolve_session_policy(account)
|
||||
auth_time = int(datetime.now(timezone.utc).timestamp())
|
||||
idle_max_seconds = idle_minutes * 60
|
||||
abs_max_seconds = abs_minutes * 60
|
||||
|
||||
now = datetime.now(timezone.utc)
|
||||
refresh_token_str = create_refresh_token(
|
||||
user_id=str(user.id),
|
||||
auth_time=auth_time,
|
||||
idle_max_seconds=idle_max_seconds,
|
||||
abs_max_seconds=abs_max_seconds,
|
||||
)
|
||||
access_token = create_access_token(data={"sub": str(user.id)})
|
||||
await store_refresh_token(db, refresh_token_str, user.id)
|
||||
|
||||
return Token(
|
||||
access_token=access_token,
|
||||
refresh_token=refresh_token_str,
|
||||
token_type="bearer",
|
||||
must_change_password=user.must_change_password,
|
||||
idle_expires_at=now + timedelta(seconds=idle_max_seconds),
|
||||
absolute_expires_at=datetime.fromtimestamp(
|
||||
auth_time + abs_max_seconds, tz=timezone.utc
|
||||
),
|
||||
)
|
||||
|
||||
|
||||
def _generate_display_code() -> str:
|
||||
"""Generate a random 8-character alphanumeric display code."""
|
||||
chars = string.ascii_uppercase + string.digits
|
||||
@@ -323,20 +415,9 @@ async def login(
|
||||
# Update last login
|
||||
user.last_login = datetime.now(timezone.utc)
|
||||
|
||||
# Create tokens
|
||||
access_token = create_access_token(data={"sub": str(user.id)})
|
||||
refresh_token_str = create_refresh_token(data={"sub": str(user.id)})
|
||||
|
||||
# Store refresh token hash in DB
|
||||
await store_refresh_token(db, refresh_token_str, user.id)
|
||||
token = await _mint_session_tokens(user, db)
|
||||
await db.commit()
|
||||
|
||||
return Token(
|
||||
access_token=access_token,
|
||||
refresh_token=refresh_token_str,
|
||||
token_type="bearer",
|
||||
must_change_password=user.must_change_password,
|
||||
)
|
||||
return token
|
||||
|
||||
|
||||
@router.post("/login/json", response_model=Token)
|
||||
@@ -359,19 +440,9 @@ async def login_json(
|
||||
|
||||
user.last_login = datetime.now(timezone.utc)
|
||||
|
||||
access_token = create_access_token(data={"sub": str(user.id)})
|
||||
refresh_token_str = create_refresh_token(data={"sub": str(user.id)})
|
||||
|
||||
# Store refresh token hash in DB
|
||||
await store_refresh_token(db, refresh_token_str, user.id)
|
||||
token = await _mint_session_tokens(user, db)
|
||||
await db.commit()
|
||||
|
||||
return Token(
|
||||
access_token=access_token,
|
||||
refresh_token=refresh_token_str,
|
||||
token_type="bearer",
|
||||
must_change_password=user.must_change_password,
|
||||
)
|
||||
return token
|
||||
|
||||
|
||||
@router.post("/refresh", response_model=Token)
|
||||
@@ -402,10 +473,12 @@ async def refresh_token(
|
||||
revoked_row = result.fetchone()
|
||||
|
||||
if not revoked_row:
|
||||
# Either the token doesn't exist or was already revoked/used
|
||||
# Either the token doesn't exist or was already revoked/used.
|
||||
# Surfaced to the frontend as a plain logout — not "session
|
||||
# expired" — because the user did not hit a policy boundary.
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Refresh token has been revoked"
|
||||
detail="invalid_refresh_token"
|
||||
)
|
||||
|
||||
result = await db.execute(select(User).where(User.id == user_id))
|
||||
@@ -414,21 +487,12 @@ async def refresh_token(
|
||||
if not user:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="User not found"
|
||||
detail="invalid_refresh_token"
|
||||
)
|
||||
|
||||
access_token = create_access_token(data={"sub": str(user.id)})
|
||||
new_refresh_token_str = create_refresh_token(data={"sub": str(user.id)})
|
||||
|
||||
# Store new refresh token
|
||||
await store_refresh_token(db, new_refresh_token_str, user.id)
|
||||
token = await _refresh_session_tokens(payload, user, db)
|
||||
await db.commit()
|
||||
|
||||
return Token(
|
||||
access_token=access_token,
|
||||
refresh_token=new_refresh_token_str,
|
||||
token_type="bearer"
|
||||
)
|
||||
return token
|
||||
|
||||
|
||||
@router.get("/me", response_model=UserResponse)
|
||||
|
||||
Reference in New Issue
Block a user