MAGETWO-61867: API token does not expire after a time limit

Alex Paliarush · Alex Paliarush · commit 3cc77e67a019 · 2017-05-15T23:38:22.000-05:00
diff --git a/app/code/Magento/Integration/Cron/CleanExpiredTokens.php b/app/code/Magento/Integration/Cron/CleanExpiredTokens.php
@@ -0,0 +1,57 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Integration\Cron;
+
+use Magento\Integration\Model\ResourceModel\Oauth\Token as TokenResourceModel;
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Integration\Helper\Oauth\Data as OauthHelper;
+
+/**
+ * Cron class for deleting expired OAuth tokens.
+ */
+class CleanExpiredTokens
+{
+    /**
+     * @var TokenResourceModel
+     */
+    private $tokenResourceModel;
+
+    /**
+     * @var OauthHelper
+     */
+    private $oauthHelper;
+
+    /**
+     * Initialize dependencies.
+     *
+     * @param TokenResourceModel $tokenResourceModel
+     * @param OauthHelper $oauthHelper
+     */
+    public function __construct(
+        TokenResourceModel $tokenResourceModel,
+        OauthHelper $oauthHelper
+    ) {
+        $this->tokenResourceModel = $tokenResourceModel;
+        $this->oauthHelper = $oauthHelper;
+    }
+
+    /**
+     * Delete expired customer and admin tokens.
+     *
+     * @return void
+     */
+    public function execute()
+    {
+        $this->tokenResourceModel->deleteExpiredTokens(
+            $this->oauthHelper->getAdminTokenExpirationPeriod(),
+            [UserContextInterface::USER_TYPE_ADMIN]
+        );
+        $this->tokenResourceModel->deleteExpiredTokens(
+            $this->oauthHelper->getCustomerTokenExpirationPeriod(),
+            [UserContextInterface::USER_TYPE_CUSTOMER]
+        );
+    }
+}
diff --git a/app/code/Magento/Integration/Helper/Oauth/Data.php b/app/code/Magento/Integration/Helper/Oauth/Data.php
@@ -125,4 +125,32 @@ public function getConsumerPostTimeout()
         );
         return $seconds > 0 ? $seconds : self::CONSUMER_POST_TIMEOUT_DEFAULT;
     }
+
+    /**
+     * Get expiration period for customer tokens from config.
+     *
+     * @return int minutes
+     */
+    public function getCustomerTokenExpirationPeriod()
+    {
+        $minutes = (int)$this->_scopeConfig->getValue(
+            'oauth/access_token_expiration_period/customer',
+            \Magento\Store\Model\ScopeInterface::SCOPE_WEBSITE
+        );
+        return $minutes > 0 ? $minutes : 0;
+    }
+
+    /**
+     * Get expiration period for admin tokens from config.
+     *
+     * @return int minutes
+     */
+    public function getAdminTokenExpirationPeriod()
+    {
+        $minutes = (int)$this->_scopeConfig->getValue(
+            'oauth/access_token_expiration_period/admin',
+            \Magento\Store\Model\ScopeInterface::SCOPE_WEBSITE
+        );
+        return $minutes > 0 ? $minutes : 0;
+    }
 }
diff --git a/app/code/Magento/Integration/Model/ResourceModel/Oauth/Token.php b/app/code/Magento/Integration/Model/ResourceModel/Oauth/Token.php
@@ -104,6 +104,32 @@ public function deleteOldEntries($minutes)
         }
     }
 
+    /**
+     * Delete expired tokens for the specified user types
+     *
+     * @param int $minutes expiration period
+     * @param int[] $userTypes @see \Magento\Authorization\Model\UserContextInterface
+     * @return int number of deleted tokens
+     */
+    public function deleteExpiredTokens($minutes, $userTypes)
+    {
+        if ($minutes > 0) {
+            $connection = $this->getConnection();
+
+            $userTypeCondition = $connection->quoteInto('user_type IN (?)', $userTypes);
+            $createdAtCondition = $connection->quoteInto(
+                'created_at <= ?',
+                $this->_dateTime->formatDate($this->date->gmtTimestamp() - $minutes * 60)
+            );
+            return $connection->delete(
+                $this->getMainTable(),
+                $userTypeCondition . ' AND ' . $createdAtCondition
+            );
+        } else {
+            return 0;
+        }
+    }
+
     /**
      * Select a single token of the specified type for the specified consumer.
      *
diff --git a/app/code/Magento/Integration/etc/adminhtml/system.xml b/app/code/Magento/Integration/etc/adminhtml/system.xml
@@ -37,6 +37,17 @@
                     <comment>Timeout for OAuth consumer credentials Post request within X seconds.</comment>
                 </field>
             </group>
+            <group id="access_token_expiration_period" translate="label" type="text" sortOrder="600" showInDefault="1" showInWebsite="0" showInStore="0">
+                <label>Access Tokens Expiration Period</label>
+                <field id="customer" translate="label" type="text" sortOrder="30" showInDefault="1" showInWebsite="0" showInStore="0" canRestore="1">
+                    <label>Customer Tokens</label>
+                    <comment>Customer access tokens will expire after X minutes after generation. Specify 0 to disable expiration (not recommended)</comment>
+                </field>
+                <field id="admin" translate="label" type="text" sortOrder="60" showInDefault="1" showInWebsite="0" showInStore="0" canRestore="1">
+                    <label>Admin Tokens</label>
+                    <comment>Admin access tokens will expire after X minutes after generation. Specify 0 to disable expiration (not recommended)</comment>
+                </field>
+            </group>
         </section>
     </system>
 </config>
diff --git a/app/code/Magento/Integration/etc/config.xml b/app/code/Magento/Integration/etc/config.xml
@@ -21,6 +21,10 @@
                 <max_failures_count>6</max_failures_count>
                 <timeout>1800</timeout>
             </authentication_lock>
+            <access_token_expiration_period>
+                <customer>259200</customer>
+                <admin>43200</admin>
+            </access_token_expiration_period>
         </oauth>
     </default>
 </config>
diff --git a/app/code/Magento/Integration/etc/crontab.xml b/app/code/Magento/Integration/etc/crontab.xml
@@ -10,5 +10,8 @@
         <job name="outdated_authentication_failures_cleanup" instance="Magento\Integration\Cron\CleanExpiredAuthenticationFailures" method="execute">
             <schedule>* * * * *</schedule>
         </job>
+        <job name="expired_tokens_cleanup" instance="Magento\Integration\Cron\CleanExpiredTokens" method="execute">
+            <schedule>* * * * *</schedule>
+        </job>
     </group>
 </config>
