2bbe925cef
- Removed outdated and redundant Alembic migration files to streamline the migration directory. This improves maintainability and eliminates duplicate or unused scripts.
163 lines
5.3 KiB
Python
Executable File
163 lines
5.3 KiB
Python
Executable File
"""OAuth provider token models for OAuth provider mode."""
|
|
|
|
from datetime import UTC, datetime
|
|
|
|
from sqlalchemy import Boolean, Column, DateTime, ForeignKey, Index, String
|
|
from sqlalchemy.dialects.postgresql import UUID
|
|
from sqlalchemy.orm import relationship
|
|
|
|
from .base import Base, TimestampMixin, UUIDMixin
|
|
|
|
|
|
class OAuthProviderRefreshToken(Base, UUIDMixin, TimestampMixin):
|
|
"""
|
|
OAuth 2.0 Refresh Token for the OAuth provider.
|
|
|
|
Refresh tokens are:
|
|
- Opaque (stored as hash in DB, actual token given to client)
|
|
- Long-lived (configurable, default 30 days)
|
|
- Revocable (via revoked flag or deletion)
|
|
- Bound to specific client, user, and scope
|
|
|
|
Access tokens are JWTs and not stored in DB (self-contained).
|
|
This model only tracks refresh tokens for revocation support.
|
|
|
|
Security considerations:
|
|
- Store token hash, not plaintext
|
|
- Support token rotation (new refresh token on use)
|
|
- Track last used time for security auditing
|
|
- Support revocation by user, client, or admin
|
|
|
|
Performance indexes (defined in migration 0002_add_performance_indexes.py):
|
|
- ix_perf_oauth_refresh_tokens_expires: expires_at WHERE revoked = false
|
|
"""
|
|
|
|
__tablename__ = "oauth_provider_refresh_tokens"
|
|
|
|
# Hash of the refresh token (SHA-256)
|
|
# We store hash, not plaintext, for security
|
|
token_hash = Column(String(64), unique=True, nullable=False, index=True)
|
|
|
|
# Unique token ID (JTI) - used in JWT access tokens to reference this refresh token
|
|
jti = Column(String(64), unique=True, nullable=False, index=True)
|
|
|
|
# Client that owns this token
|
|
client_id = Column(
|
|
String(64),
|
|
ForeignKey("oauth_clients.client_id", ondelete="CASCADE"),
|
|
nullable=False,
|
|
)
|
|
|
|
# User who authorized this token
|
|
user_id = Column(
|
|
UUID(as_uuid=True),
|
|
ForeignKey("users.id", ondelete="CASCADE"),
|
|
nullable=False,
|
|
)
|
|
|
|
# Granted scopes (space-separated)
|
|
scope = Column(String(1000), nullable=False, default="")
|
|
|
|
# Token expiration
|
|
expires_at = Column(DateTime(timezone=True), nullable=False)
|
|
|
|
# Revocation flag
|
|
revoked = Column(Boolean, default=False, nullable=False, index=True)
|
|
|
|
# Last used timestamp (for security auditing)
|
|
last_used_at = Column(DateTime(timezone=True), nullable=True)
|
|
|
|
# Device/session info (optional, for user visibility)
|
|
device_info = Column(String(500), nullable=True)
|
|
ip_address = Column(String(45), nullable=True)
|
|
|
|
# Relationships
|
|
client = relationship("OAuthClient", backref="refresh_tokens")
|
|
user = relationship("User", backref="oauth_provider_refresh_tokens")
|
|
|
|
# Indexes
|
|
__table_args__ = (
|
|
Index("ix_oauth_provider_refresh_tokens_expires_at", "expires_at"),
|
|
Index("ix_oauth_provider_refresh_tokens_client_user", "client_id", "user_id"),
|
|
Index(
|
|
"ix_oauth_provider_refresh_tokens_user_revoked",
|
|
"user_id",
|
|
"revoked",
|
|
),
|
|
)
|
|
|
|
def __repr__(self):
|
|
status = "revoked" if self.revoked else "active"
|
|
return f"<OAuthProviderRefreshToken {self.jti[:8]}... ({status})>"
|
|
|
|
@property
|
|
def is_expired(self) -> bool:
|
|
"""Check if the refresh token has expired."""
|
|
# Use timezone-aware comparison (datetime.utcnow() is deprecated)
|
|
now = datetime.now(UTC)
|
|
expires_at = self.expires_at
|
|
# Handle both timezone-aware and naive datetimes from DB
|
|
if expires_at.tzinfo is None:
|
|
expires_at = expires_at.replace(tzinfo=UTC)
|
|
return now > expires_at
|
|
|
|
@property
|
|
def is_valid(self) -> bool:
|
|
"""Check if the refresh token is valid (not revoked, not expired)."""
|
|
return not self.revoked and not self.is_expired
|
|
|
|
|
|
class OAuthConsent(Base, UUIDMixin, TimestampMixin):
|
|
"""
|
|
OAuth consent record - remembers user consent for a client.
|
|
|
|
When a user grants consent to an OAuth client, we store the record
|
|
so they don't have to re-consent on subsequent authorizations
|
|
(unless scopes change).
|
|
|
|
This enables a better UX - users only see consent screen once per client,
|
|
unless the client requests additional scopes.
|
|
"""
|
|
|
|
__tablename__ = "oauth_consents"
|
|
|
|
# User who granted consent
|
|
user_id = Column(
|
|
UUID(as_uuid=True),
|
|
ForeignKey("users.id", ondelete="CASCADE"),
|
|
nullable=False,
|
|
)
|
|
|
|
# Client that received consent
|
|
client_id = Column(
|
|
String(64),
|
|
ForeignKey("oauth_clients.client_id", ondelete="CASCADE"),
|
|
nullable=False,
|
|
)
|
|
|
|
# Granted scopes (space-separated)
|
|
granted_scopes = Column(String(1000), nullable=False, default="")
|
|
|
|
# Relationships
|
|
client = relationship("OAuthClient", backref="consents")
|
|
user = relationship("User", backref="oauth_consents")
|
|
|
|
# Unique constraint: one consent record per user+client
|
|
__table_args__ = (
|
|
Index(
|
|
"ix_oauth_consents_user_client",
|
|
"user_id",
|
|
"client_id",
|
|
unique=True,
|
|
),
|
|
)
|
|
|
|
def __repr__(self):
|
|
return f"<OAuthConsent user={self.user_id} client={self.client_id}>"
|
|
|
|
def has_scopes(self, requested_scopes: list[str]) -> bool:
|
|
"""Check if all requested scopes are already granted."""
|
|
granted = set(self.granted_scopes.split()) if self.granted_scopes else set()
|
|
requested = set(requested_scopes)
|
|
return requested.issubset(granted)
|