From cf3c5018820f982ae64c2e062391b0a3b6e52f21 Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Wed, 11 Mar 2015 14:33:10 -0300
Subject: [feat] use monthly tokens database

Any solead release that includes this commit will be incompatible with LEAP
Platform < 0.6.1 because only from that version on the platform implements the
ephemeral monthly tokens databases.

Closes: #6785.
---
 server/changes/feature_6785_use-monthly-token-db |  1 +
 server/src/leap/soledad/server/auth.py           | 22 +++++++++++++---------
 2 files changed, 14 insertions(+), 9 deletions(-)
 create mode 100644 server/changes/feature_6785_use-monthly-token-db

(limited to 'server')

diff --git a/server/changes/feature_6785_use-monthly-token-db b/server/changes/feature_6785_use-monthly-token-db
new file mode 100644
index 00000000..f7987cad
--- /dev/null
+++ b/server/changes/feature_6785_use-monthly-token-db
@@ -0,0 +1 @@
+  o Use monthly token databases. Closes #6785.
diff --git a/server/src/leap/soledad/server/auth.py b/server/src/leap/soledad/server/auth.py
index 57f600a1..7af4e54b 100644
--- a/server/src/leap/soledad/server/auth.py
+++ b/server/src/leap/soledad/server/auth.py
@@ -21,10 +21,10 @@ Authentication facilities for Soledad Server.
 """
 
 
+import time
 import httplib
 import simplejson as json
 
-
 from u1db import DBNAME_CONSTRAINTS, errors as u1db_errors
 from abc import ABCMeta, abstractmethod
 from routes.mapper import Mapper
@@ -32,12 +32,8 @@ from couchdb.client import Server
 from twisted.python import log
 from hashlib import sha512
 
-
-from leap.soledad.common import (
-    SHARED_DB_NAME,
-    SHARED_DB_LOCK_DOC_ID_PREFIX,
-    USER_DB_PREFIX,
-)
+from leap.soledad.common import SHARED_DB_NAME
+from leap.soledad.common import USER_DB_PREFIX
 from leap.soledad.common.errors import InvalidAuthTokenError
 
 
@@ -354,7 +350,8 @@ class SoledadTokenAuthMiddleware(SoledadAuthMiddleware):
     Token based authentication.
     """
 
-    TOKENS_DB = "tokens"
+    TOKENS_DB_PREFIX = "tokens_"
+    TOKENS_DB_EXPIRE = 30 * 24 * 3600  # 30 days in seconds
     TOKENS_TYPE_KEY = "type"
     TOKENS_TYPE_DEF = "Token"
     TOKENS_USER_ID_KEY = "user_id"
@@ -414,7 +411,14 @@ class SoledadTokenAuthMiddleware(SoledadAuthMiddleware):
                                       invalid.
         """
         server = Server(url=self._app.state.couch_url)
-        dbname = self.TOKENS_DB
+        # the tokens db rotates every 30 days, and the current db name is
+        # "tokens_NNN", where NNN is the number of seconds since epoch divided
+        # by the rotate period in seconds. When rotating, old and new tokens
+        # db coexist during a certain window of time and valid tokens are
+        # replicated from the old db to the new one. See:
+        # https://leap.se/code/issues/6785
+        dbname = self.TOKENS_DB_PREFIX + \
+            str(int(time.time() / self.TOKENS_DB_EXPIRE))
         db = server[dbname]
         # lookup key is a hash of the token to prevent timing attacks.
         token = db.get(sha512(token).hexdigest())
-- 
cgit v1.2.3