refactor: support legacy tokens

Author: jaelee213

oauth2_provider/models.py

@@ -387,6 +387,25 @@ class AbstractRefreshToken(models.Model):
     updated = models.DateTimeField(auto_now=True)
     revoked = models.DateTimeField(null=True)
 
+    @property
+    def is_expired(self):
+        """Determine if RefreshToken is expired."""
+        expire_seconds = self.application.refresh_token_expire_seconds
+        expires = self.created + timedelta(seconds=expire_seconds)
+
+        now = timezone.now()
+        is_refresh_token_expired = now >= expires
+        
+        # RefreshToken should not outlive AccessToken.
+        # NOTE: Check AccessToken expiration for backwards compatibility with
+        # long-lived tokens.
+        access_token_expires = self.access_token.expires
+        is_access_token_expired = now >= access_token_expires
+
+        # RefreshToken expired if and only if both refresh and access tokens
+        # are expired.
+        return is_refresh_token_expired and is_access_token_expired
+
     def revoke(self):
         """
         Mark this refresh token revoked and revoke related access token

oauth2_provider/oauth2_validators.py

@@ -475,9 +475,19 @@ def save_bearer_token(self, token, request, *args, **kwargs):
         if "scope" not in token:
             raise FatalClientError("Failed to renew access token: missing scope")
 
-        # "authenticate_client" sets the client (Application) on request
-        application = request.client
-        access_token_expire_seconds = application.access_token_expire_seconds
+        # "authenticate_client" sets the client (Application) on request.
+        app = request.client
+
+        # Users on older app versions should get long-lived tokens for
+        # backwards compatibility.
+        is_legacy_token = request.POST.get('is_legacy_token', False)
+
+        if is_legacy_token:
+            access_token_expire_seconds = (
+                settings.LEGACY_ACCESS_TOKEN_EXPIRE_SECONDS,
+            )
+        else:
+            access_token_expire_seconds = app.access_token_expire_seconds
 
         # expires_in is passed to Server on initialization
         # custom server class can have logic to override this
@@ -654,24 +664,18 @@ def validate_refresh_token(self, refresh_token, client, request, *args, **kwargs
                 seconds=oauth2_settings.REFRESH_TOKEN_GRACE_PERIOD_SECONDS
             )
         )
-        rt = RefreshToken.objects.filter(null_or_recent, token=refresh_token).select_related(
-            "access_token",
-            "application",
-        ).first()
+        rt = (
+            RefreshToken.objects
+            .filter(null_or_recent, token=refresh_token)
+            .select_related("user", "access_token", "application")
+            .first()
+        )
 
         if not rt:
             return False
 
-        # Access and refresh token expiration is configurable by Application
-        # Determine refresh token expiration datetime by adding the timedelta
-        # of "refresh_token_expire_seconds" to the "created" datetime
-        expire_seconds = rt.application.refresh_token_expire_seconds
-        expires = rt.created + timedelta(seconds=expire_seconds)
-
-        is_expired = timezone.now() >= expires
-
-        # Revoke token if expired
-        if is_expired:
+        # Revoke token if expired.
+        if rt.is_expired:
             try:
                 rt.revoke()
             # Catch exception in case access or refresh token do not exist
@@ -686,7 +690,7 @@ def validate_refresh_token(self, refresh_token, client, request, *args, **kwargs
         # Token is valid if it refers to the right client AND is not expired
         is_valid = (
             rt.application == client and
-            not is_expired
+            not rt.is_expired
         )
 
         return is_valid

oauth2_provider/settings.py

@@ -44,8 +44,12 @@
     "READ_SCOPE": "read",
     "WRITE_SCOPE": "write",
     "AUTHORIZATION_CODE_EXPIRE_SECONDS": 60,
-    "ACCESS_TOKEN_EXPIRE_SECONDS": 36000, # 10 hours in seconds
-    "REFRESH_TOKEN_EXPIRE_SECONDS": 31556952, # 1 year in seconds
+    "ACCESS_TOKEN_EXPIRE_SECONDS": 36000,  # 10 hours in seconds
+    "REFRESH_TOKEN_EXPIRE_SECONDS": 31556952,  # 1 year in seconds
+
+    # Older app versions should get long-lived auth tokens.
+    "LEGACY_ACCESS_TOKEN_EXPIRE_SECONDS": 315569520,  # 10 years
+
     "REFRESH_TOKEN_GRACE_PERIOD_SECONDS": 0,
     "ROTATE_REFRESH_TOKEN": True,
     "ERROR_RESPONSE_WITH_SCOPES": False,