feat: Validate Google, Azure, OIDC SSO access (#3590)

* chore: Store expiresAt on UserAuthentications. This represents the time that the accessToken is no longer valid and should be exchanged using the refreshToken * feat: Check and expire Google SSO * fix: Better handling of multiple auth methods Added more docs * fix: Retry access validation with network errors * Small refactor, add Azure token validation support * doc * test * lint * OIDC refresh support * CheckSSOAccessTask -> ValidateSSOAccessTask Added lastValidatedAt column Skip checks if validated within 5min Some edge cases around encrypted columns
2022-06-05 13:18:51 -07:00
parent c4c5b6289e
commit 728790e38f
19 changed files with 413 additions and 14 deletions
--- a/server/models/User.ts
+++ b/server/models/User.ts
@@ -1,7 +1,7 @@
 import crypto from "crypto";
 import { addMinutes, subMinutes } from "date-fns";
 import JWT from "jsonwebtoken";
-import { Transaction, QueryTypes, Op } from "sequelize";
+import { Transaction, QueryTypes, SaveOptions, Op } from "sequelize";
 import {
  Table,
  Column,
@@ -299,8 +299,25 @@ class User extends ParanoidModel {
    });
  };

-  // Returns a session token that is used to make API requests and is stored
-  // in the client browser cookies to remain logged in.
+  /**
+   * Rotate's the users JWT secret. This has the effect of invalidating ALL
+   * previously issued tokens.
+   *
+   * @param options Save options
+   * @returns Promise that resolves when database persisted
+   */
+  rotateJwtSecret = (options: SaveOptions) => {
+    User.setRandomJwtSecret(this);
+    return this.save(options);
+  };
+
+  /**
+   * Returns a session token that is used to make API requests and is stored
+   * in the client browser cookies to remain logged in.
+   *
+   * @param expiresAt The time the token will expire at
+   * @returns The session token
+   */
  getJwtToken = (expiresAt?: Date) => {
    return JWT.sign(
      {
@@ -312,8 +329,13 @@ class User extends ParanoidModel {
    );
  };

-  // Returns a temporary token that is only used for transferring a session
-  // between subdomains or domains. It has a short expiry and can only be used once
+  /**
+   * Returns a temporary token that is only used for transferring a session
+   * between subdomains or domains. It has a short expiry and can only be used
+   * once.
+   *
+   * @returns The transfer token
+   */
  getTransferToken = () => {
    return JWT.sign(
      {
@@ -326,8 +348,12 @@ class User extends ParanoidModel {
    );
  };

-  // Returns a temporary token that is only used for logging in from an email
-  // It can only be used to sign in once and has a medium length expiry
+  /**
+   * Returns a temporary token that is only used for logging in from an email
+   * It can only be used to sign in once and has a medium length expiry
+   *
+   * @returns The email signin token
+   */
  getEmailSigninToken = () => {
    return JWT.sign(
      {