erp5_oauth2_authorisation: Do not edit OAuth2 Session on every refresh token issuance

Malevolent users may decide to only - and repeatedly - present an otherwise valid refresh token, causing the issuance of a new access tokens everytime, likely along with new refresh tokens, causing many ZODB writes. Avoid this by pushing the token expiration date by one lifespan accuracy, so there can only be one write per session per lifespan accuracy period.

erp5_oauth2_authorisation: Do not edit OAuth2 Session on every refresh token issuance
Malevolent users may decide to only - and repeatedly - present an otherwise valid refresh token, causing the issuance of a new access tokens everytime, likely along with new refresh tokens, causing many ZODB writes. Avoid this by pushing the token expiration date by one lifespan accuracy, so there can only be one write per session per lifespan accuracy period.
36768696 · Vincent Pelletier · d7c0baf1 · 36768696 · 36768696
Commit 36768696 authored Nov 06, 2024 by Vincent Pelletier
2 changed files
--- a/bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.py
+++ b/bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.py
@@ -1179,8 +1179,9 @@ class OAuth2AuthorisationServerConnector(XMLObject):
        algorithm=algorithm,
      )
    def generateRefreshToken(request):
+      erp5_client_value = request.client.erp5_client_value
      session_value = request.user.erp5_session_value
-      expiration_timestamp = now + request.client.erp5_client_value.getRefreshTokenLifespan()
+      expiration_timestamp = now + erp5_client_value.getRefreshTokenLifespan()
      session_expiration_date = session_value.getPolicyExpirationDate()
      if session_expiration_date is not None:
        expiration_timestamp = min(
@@ -1192,7 +1193,9 @@ class OAuth2AuthorisationServerConnector(XMLObject):
        session_refresh_token_expiration_date is None or
        session_refresh_token_expiration_date < DateTime(expiration_timestamp)
      ):
-        session_value.setRefreshTokenExpirationDate(DateTime(expiration_timestamp))
+        session_value.setRefreshTokenExpirationDate(DateTime(
+          expiration_timestamp + erp5_client_value.getRefreshTokenLifespanAccuracy(),
+        ))
      _, algorithm, symetric_key = self.__getRefreshTokenKeyList()[0]
      return jwt.encode(
        {

--- a/bt5/erp5_oauth2_authorisation/TestTemplateItem/portal_components/test.erp5.testOAuth2Server.py
+++ b/bt5/erp5_oauth2_authorisation/TestTemplateItem/portal_components/test.erp5.testOAuth2Server.py
@@ -879,8 +879,12 @@ class TestOAuth2(ERP5TypeTestCase):
    # OAuth2 Session is now validated
    self.assertEqual(user_session.getValidationState(), 'validated')
    expiration_date = int(user_session.getExpirationDate())
-    self.assertLessEqual(time_before + refresh_token_lifespan, expiration_date)
+    refresh_token_base_offset = (
-    self.assertLessEqual(expiration_date, time_after + refresh_token_lifespan)
+      refresh_token_lifespan +
+      oauth2_client_declaration_value.getRefreshTokenLifespanAccuracy()
+    )
+    self.assertLessEqual(time_before + refresh_token_base_offset, expiration_date)
+    self.assertLessEqual(expiration_date, time_after + refresh_token_base_offset)
    # Request a new access token
    status, header_dict, cookie_dict, body = self._query(