diff options
author | drebs <drebs@leap.se> | 2015-03-11 14:33:10 -0300 |
---|---|---|
committer | drebs <drebs@leap.se> | 2015-03-19 11:16:10 -0300 |
commit | cf3c5018820f982ae64c2e062391b0a3b6e52f21 (patch) | |
tree | 65a3baf02be1fe98957a3c0acea05688a54b2aee | |
parent | 61a56f2ee301212d96c2d95a21d524bc06b3a677 (diff) |
[feat] use monthly tokens database
Any solead release that includes this commit will be incompatible with LEAP
Platform < 0.6.1 because only from that version on the platform implements the
ephemeral monthly tokens databases.
Closes: #6785.
-rw-r--r-- | README.rst | 8 | ||||
-rw-r--r-- | server/changes/feature_6785_use-monthly-token-db | 1 | ||||
-rw-r--r-- | server/src/leap/soledad/server/auth.py | 22 |
3 files changed, 20 insertions, 11 deletions
@@ -30,8 +30,12 @@ repository: Compatibility ------------- -* Server 0.7.x is incompatible with client < 0.7.0 because of modifications on - encrypted document MAC calculation. +* Soledad Server >= 0.7.0 is incompatible with client < 0.7.0 because of + modifications on encrypted document MAC calculation. + +* Soledad Server >= 0.7.0 is incompatible with LEAP Platform < 0.6.1 because + that platform version implements ephemeral tokens databases and Soledad + Server needs to act accordingly. Tests diff --git a/server/changes/feature_6785_use-monthly-token-db b/server/changes/feature_6785_use-monthly-token-db new file mode 100644 index 00000000..f7987cad --- /dev/null +++ b/server/changes/feature_6785_use-monthly-token-db @@ -0,0 +1 @@ + o Use monthly token databases. Closes #6785. diff --git a/server/src/leap/soledad/server/auth.py b/server/src/leap/soledad/server/auth.py index 57f600a1..7af4e54b 100644 --- a/server/src/leap/soledad/server/auth.py +++ b/server/src/leap/soledad/server/auth.py @@ -21,10 +21,10 @@ Authentication facilities for Soledad Server. """ +import time import httplib import simplejson as json - from u1db import DBNAME_CONSTRAINTS, errors as u1db_errors from abc import ABCMeta, abstractmethod from routes.mapper import Mapper @@ -32,12 +32,8 @@ from couchdb.client import Server from twisted.python import log from hashlib import sha512 - -from leap.soledad.common import ( - SHARED_DB_NAME, - SHARED_DB_LOCK_DOC_ID_PREFIX, - USER_DB_PREFIX, -) +from leap.soledad.common import SHARED_DB_NAME +from leap.soledad.common import USER_DB_PREFIX from leap.soledad.common.errors import InvalidAuthTokenError @@ -354,7 +350,8 @@ class SoledadTokenAuthMiddleware(SoledadAuthMiddleware): Token based authentication. """ - TOKENS_DB = "tokens" + TOKENS_DB_PREFIX = "tokens_" + TOKENS_DB_EXPIRE = 30 * 24 * 3600 # 30 days in seconds TOKENS_TYPE_KEY = "type" TOKENS_TYPE_DEF = "Token" TOKENS_USER_ID_KEY = "user_id" @@ -414,7 +411,14 @@ class SoledadTokenAuthMiddleware(SoledadAuthMiddleware): invalid. """ server = Server(url=self._app.state.couch_url) - dbname = self.TOKENS_DB + # the tokens db rotates every 30 days, and the current db name is + # "tokens_NNN", where NNN is the number of seconds since epoch divided + # by the rotate period in seconds. When rotating, old and new tokens + # db coexist during a certain window of time and valid tokens are + # replicated from the old db to the new one. See: + # https://leap.se/code/issues/6785 + dbname = self.TOKENS_DB_PREFIX + \ + str(int(time.time() / self.TOKENS_DB_EXPIRE)) db = server[dbname] # lookup key is a hash of the token to prevent timing attacks. token = db.get(sha512(token).hexdigest()) |