[feat] use monthly tokens database

Any solead release that includes this commit will be incompatible with LEAP
Platform < 0.6.1 because only from that version on the platform implements the
ephemeral monthly tokens databases.

Closes: #6785.

3 files changed, 20 insertions, 11 deletions

diff --git a/README.rst b/README.rst
index 5d6593ca..887b3df1 100644
--- a/README.rst
+++ b/README.rst
@@ -30,8 +30,12 @@ repository:
 Compatibility
 -------------
 
-* Server 0.7.x is incompatible with client < 0.7.0 because of modifications on
-  encrypted document MAC calculation.
+* Soledad Server >= 0.7.0 is incompatible with client < 0.7.0 because of
+  modifications on encrypted document MAC calculation.
+
+* Soledad Server >= 0.7.0 is incompatible with LEAP Platform < 0.6.1 because
+  that platform version implements ephemeral tokens databases and Soledad
+  Server needs to act accordingly.
 
 
 Tests
diff --git a/server/changes/feature_6785_use-monthly-token-db b/server/changes/feature_6785_use-monthly-token-db
new file mode 100644
index 00000000..f7987cad
--- /dev/null
+++ b/server/changes/feature_6785_use-monthly-token-db
@@ -0,0 +1 @@
+  o Use monthly token databases. Closes #6785.
diff --git a/server/src/leap/soledad/server/auth.py b/server/src/leap/soledad/server/auth.py
index 57f600a1..7af4e54b 100644
--- a/server/src/leap/soledad/server/auth.py
+++ b/server/src/leap/soledad/server/auth.py
@@ -21,10 +21,10 @@ Authentication facilities for Soledad Server.
 """
 
 
+import time
 import httplib
 import simplejson as json
 
-
 from u1db import DBNAME_CONSTRAINTS, errors as u1db_errors
 from abc import ABCMeta, abstractmethod
 from routes.mapper import Mapper
@@ -32,12 +32,8 @@ from couchdb.client import Server
 from twisted.python import log
 from hashlib import sha512
 
-
-from leap.soledad.common import (
-    SHARED_DB_NAME,
-    SHARED_DB_LOCK_DOC_ID_PREFIX,
-    USER_DB_PREFIX,
-)
+from leap.soledad.common import SHARED_DB_NAME
+from leap.soledad.common import USER_DB_PREFIX
 from leap.soledad.common.errors import InvalidAuthTokenError
 
 
@@ -354,7 +350,8 @@ class SoledadTokenAuthMiddleware(SoledadAuthMiddleware):
     Token based authentication.
     """
 
-    TOKENS_DB = "tokens"
+    TOKENS_DB_PREFIX = "tokens_"
+    TOKENS_DB_EXPIRE = 30 * 24 * 3600  # 30 days in seconds
     TOKENS_TYPE_KEY = "type"
     TOKENS_TYPE_DEF = "Token"
     TOKENS_USER_ID_KEY = "user_id"
@@ -414,7 +411,14 @@ class SoledadTokenAuthMiddleware(SoledadAuthMiddleware):
                                       invalid.
         """
         server = Server(url=self._app.state.couch_url)
-        dbname = self.TOKENS_DB
+        # the tokens db rotates every 30 days, and the current db name is
+        # "tokens_NNN", where NNN is the number of seconds since epoch divided
+        # by the rotate period in seconds. When rotating, old and new tokens
+        # db coexist during a certain window of time and valid tokens are
+        # replicated from the old db to the new one. See:
+        # https://leap.se/code/issues/6785
+        dbname = self.TOKENS_DB_PREFIX + \
+            str(int(time.time() / self.TOKENS_DB_EXPIRE))
         db = server[dbname]
         # lookup key is a hash of the token to prevent timing attacks.
         token = db.get(sha512(token).hexdigest())