Merge pull request #60 from johngian/middleware-logout

johngian · web-flow · commit 3f4ba3fa8a5e · 2016-11-23T11:32:55.000+01:00
Delegate token middleware
diff --git a/mozilla_django_oidc/auth.py b/mozilla_django_oidc/auth.py
@@ -89,6 +89,7 @@ def authenticate(self, **kwargs):
         code = kwargs.pop('code', None)
         state = kwargs.pop('state', None)
         nonce = kwargs.pop('nonce', None)
+        session = kwargs.pop('session', None)
 
         if not code or not state:
             return None
@@ -109,8 +110,13 @@ def authenticate(self, **kwargs):
 
         # Validate the token
         token_response = response.json()
-        if self.verify_token(token_response.get('id_token'), nonce=nonce):
+        id_token = token_response.get('id_token')
+        if self.verify_token(id_token, nonce=nonce):
             access_token = token_response.get('access_token')
+
+            if import_from_settings('OIDC_STORE_ACCESS_TOKEN', False):
+                session['oidc_id_token'] = id_token
+
             user_response = requests.get(self.OIDC_OP_USER_ENDPOINT,
                                          headers={
                                              'Authorization': 'Bearer {0}'.format(access_token)
diff --git a/mozilla_django_oidc/contrib/auth0/middleware.py b/mozilla_django_oidc/contrib/auth0/middleware.py
@@ -0,0 +1,40 @@
+from django.core.cache import cache
+
+from six import string_types
+
+from mozilla_django_oidc.contrib.auth0.utils import refresh_id_token
+from mozilla_django_oidc.utils import import_from_settings
+from mozilla_django_oidc.views import OIDCLogoutView
+
+
+class RefreshIDToken(object):
+    """
+    Bluntly stolen from mozilla/airmozilla
+
+    For users authenticated with an id_token, we need to check that it's
+    still valid after a specific amount of time.
+    """
+
+    def process_request(self, request):
+        if request.user.is_authenticated() and not request.is_ajax():
+
+            if 'oidc_id_token' not in request.session:
+                return None
+
+            cache_key = 'renew_id_token:{}'.format(request.user.id)
+            if cache.get(cache_key):
+                # still valid, we checked recently
+                return
+
+            id_token = refresh_id_token(request.session['oidc_id_token'])
+
+            if id_token:
+                assert isinstance(id_token, string_types)
+                request.session['oidc_id_token'] = id_token
+                timeout = import_from_settings('OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS', 60 * 15)
+                cache.set(cache_key, True, timeout)
+            else:
+                # If that failed, your previous id_token is not valid
+                # and you need to be signed out so you can get a new
+                # one.
+                return OIDCLogoutView.as_view()(request)
diff --git a/mozilla_django_oidc/views.py b/mozilla_django_oidc/views.py
@@ -46,7 +46,8 @@ def get(self, request):
             kwargs = {
                 'code': request.GET['code'],
                 'state': request.GET['state'],
-                'nonce': nonce
+                'nonce': nonce,
+                'session': request.session
             }
 
             if 'oidc_state' not in request.session:
diff --git a/tests/auth0_tests/test_middleware.py b/tests/auth0_tests/test_middleware.py
@@ -0,0 +1,77 @@
+from mock import patch
+
+from django.contrib.auth import get_user_model
+from django.test import RequestFactory, TestCase, override_settings
+
+from mozilla_django_oidc.contrib.auth0.middleware import RefreshIDToken
+
+
+User = get_user_model()
+
+
+class RefreshIDTokenTestCase(TestCase):
+    def setUp(self):
+        self.factory = RequestFactory()
+
+    def test_user_token_not_in_session(self):
+        user = User.objects.create_user('example_username')
+        request = self.factory.get('/foo')
+        request.user = user
+        request.session = dict()
+
+        middleware = RefreshIDToken()
+        response = middleware.process_request(request)
+        self.assertTrue(not response)
+
+    @patch('mozilla_django_oidc.contrib.auth0.middleware.cache')
+    def test_user_token_in_session(self, mock_cache):
+        user = User.objects.create_user('example_username')
+        request = self.factory.get('/foo')
+        request.user = user
+        request.session = {
+            'oidc_id_token': 'foobar'
+        }
+        mock_cache.get.return_value = True
+        middleware = RefreshIDToken()
+        response = middleware.process_request(request)
+        self.assertTrue(not response)
+
+    @patch('mozilla_django_oidc.contrib.auth0.middleware.refresh_id_token')
+    @patch('mozilla_django_oidc.contrib.auth0.middleware.cache')
+    @override_settings(OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS=120)
+    def test_stale_cache_valid_token(self, mock_cache, mock_refresh):
+        user = User.objects.create_user('example_username')
+        request = self.factory.get('/foo')
+        request.user = user
+        request.session = {
+            'oidc_id_token': 'foobar'
+        }
+        mock_cache.get.return_value = False
+        mock_refresh.return_value = 'renewed_token'
+        middleware = RefreshIDToken()
+        response = middleware.process_request(request)
+        self.assertTrue(not response)
+        cache_key = 'renew_id_token:{}'.format(user.id)
+        mock_refresh.assert_called_once_with('foobar')
+        mock_cache.set.assert_called_once_with(cache_key, True, 120)
+
+    @patch('mozilla_django_oidc.views.auth.logout')
+    @patch('mozilla_django_oidc.contrib.auth0.middleware.refresh_id_token')
+    @patch('mozilla_django_oidc.contrib.auth0.middleware.cache')
+    @override_settings(LOGOUT_REDIRECT_URL='/logout_url')
+    @override_settings(OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS=120)
+    def test_stale_cache_invalid_token(self, mock_cache, mock_refresh, mock_logout):
+        user = User.objects.create_user('example_username')
+        request = self.factory.get('/foo')
+        request.user = user
+        request.session = {
+            'oidc_id_token': 'foobar'
+        }
+        mock_cache.get.return_value = False
+        mock_refresh.return_value = None
+        middleware = RefreshIDToken()
+        response = middleware.process_request(request)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, '/logout_url')
+        mock_refresh.assert_called_once_with('foobar')
+        mock_logout.assert_called_once_with(request)
diff --git a/tests/test_views.py b/tests/test_views.py
@@ -43,7 +43,8 @@ def test_get_auth_success(self):
 
                 mock_auth.assert_called_once_with(code='example_code',
                                                   state='example_state',
-                                                  nonce=None)
+                                                  nonce=None,
+                                                  session=request.session)
                 mock_login.assert_called_once_with(request, user)
 
         self.assertEqual(response.status_code, 302)
@@ -73,7 +74,8 @@ def test_get_auth_success_next_url(self):
 
                 mock_auth.assert_called_once_with(code='example_code',
                                                   state='example_state',
-                                                  nonce=None)
+                                                  nonce=None,
+                                                  session=request.session)
                 mock_login.assert_called_once_with(request, user)
 
         self.assertEqual(response.status_code, 302)
@@ -100,7 +102,8 @@ def test_get_auth_failure_nonexisting_user(self):
 
             mock_auth.assert_called_once_with(code='example_code',
                                               state='example_state',
-                                              nonce=None)
+                                              nonce=None,
+                                              session=request.session)
 
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, '/failure')
@@ -130,7 +133,8 @@ def test_get_auth_failure_inactive_user(self):
 
             mock_auth.assert_called_once_with(code='example_code',
                                               state='example_state',
-                                              nonce=None)
+                                              nonce=None,
+                                              session=request.session)
 
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, '/failure')
@@ -223,7 +227,8 @@ def test_nonce_is_deleted(self):
 
                 mock_auth.assert_called_once_with(code='example_code',
                                                   state='example_state',
-                                                  nonce='example_nonce')
+                                                  nonce='example_nonce',
+                                                  session=request.session)
                 mock_login.assert_called_once_with(request, user)
 
         self.assertEqual(response.status_code, 302)

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,8 @@ def get(self, request):`
`46`	`46`	`kwargs = {`
`47`	`47`	`'code': request.GET['code'],`
`48`	`48`	`'state': request.GET['state'],`
`49`		`- 'nonce': nonce`
	`49`	`+ 'nonce': nonce,`
	`50`	`+ 'session': request.session`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`if 'oidc_state' not in request.session:`