Uninett
Add JWT refresh token model
Adds model representing JWT refresh token, with class functions for generating both refresh and access tokens.
The model is basically a wrapper around a JWT, with some functions to interact with it. The intended use is for the API view accepting refresh tokens to use JWTRefreshToken.objects.get(token=sometoken) to see if the refresh token is real, and use is_active() to see if its still active. If the token active, then an access token is generated and returned to the user, alongside a new refresh token overriding the current one. expire() exists in case a refresh token is leaked, or any other reason why you would want to effectively disable a refresh token.
A JWT being stored in the database does go against the idea of having all necessary info inside the token, but this is more or less necessary since it allows deactivating a refresh token. If an attacker got a hold of an active refresh token with no way for the NAV admins to disable the token, then the attacker can generate access tokens forever.
The alternative is using a blacklist, maybe some way to detect if a refresh token is used twice or something along those lines. I figured a whitelist approach is more reasonable. Access tokens will still exist entirely by themselves, with no reference in the DB. This works fine since they have a limited lifespan, so its not the end of the world if an attacker gets a hold of one.
Test results
8 files 8 suites 4m 19s :stopwatch: 3 335 tests 3 335 :heavy_check_mark: 0 :zzz: 0 :x: 4 986 runs 4 986 :heavy_check_mark: 0 :zzz: 0 :x:
Results for commit 58b95356.
:recycle: This comment has been updated with latest results.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Codecov Report
Attention: Patch coverage is 97.87234% with 1 lines in your changes are missing coverage. Please review.
Project coverage is 55.51%. Comparing base (
e879e67) to head (a9cd2d1). Report is 453 commits behind head on master.
:exclamation: Current head a9cd2d1 differs from pull request most recent head 58b9535. Consider uploading reports for the commit 58b9535 to get more accurate results
| Files | Patch % | Lines |
|---|---|---|
| python/nav/models/api.py | 97.87% | 1 Missing :warning: |
Additional details and impacted files
@@ Coverage Diff @@
## master #2569 +/- ##
==========================================
+ Coverage 55.19% 55.51% +0.31%
==========================================
Files 561 567 +6
Lines 40917 41221 +304
==========================================
+ Hits 22584 22883 +299
- Misses 18333 18338 +5
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
Kudos, SonarCloud Quality Gate passed! 
0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells
No Coverage information
0.0% Duplication
![sonarqubecloud[bot] avatar](https://avatars.githubusercontent.com/in/12526?v=4 "Published by a pub.dev verified publisher"){kind=small}
Kudos, SonarCloud Quality Gate passed!
0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells
No Coverage information
0.0% Duplication
Quality Gate passed
Issues
3 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code
See analysis details on SonarCloud
Closing this on the premise that storing JWTs really does go against the point of it, and if we want to store refresh tokens in the database then we should probably have a different approach alltogether