juanifioren / django-oidc-provider

OpenID Connect and OAuth2 provider implementation for Djangonauts.
http://django-oidc-provider.readthedocs.org
MIT License

Removal of Old Tokens/Codes #60

Open nmohoric opened 8 years ago

nmohoric commented 8 years ago

A client has requested that tokens/codes should no longer be usable if the same client has a newer one for that user, to allow for fewer possible attack vectors.

Before I begin implementing a solution I thought I would check here to see if: a) this would be something you would be interested in merging in and, if so, b) you had any preferences on implementation.

I imagine the two possible solutions would be to set the old code/token to have expired long ago, or just delete it outright from the database.

Any feedback/suggestions/questions would be appreciated.

juanifioren commented 8 years ago

Hi @nmohoric

I already thought about this topic, so I'm interested. I have a few ideas about a possible implementation:

I think deleting from the database will be better.

Greetings.

orzel commented 7 years ago

I definitely think that a Django command is needed for this, exactly as is already the case for sessions ("clearsessions"). Actually, it seemed so obvious that I assumed such a command already existed. It's not difficult, is it? Would you merge it if I implement it in management/commands/cleartokens.py?

orzel commented 6 years ago

yes...? No .... ?

orzel commented 6 years ago

```python
# Django
from django.core.management.base import BaseCommand
from django.utils import timezone

# Project
from oidc_provider.models import Token, Code


class Command(BaseCommand):
    help = 'Remove expired entries for Token and Code'

    def handle(self, *args, **options):
        now = timezone.now()
        # Both models carry an expires_at timestamp; anything before now is dead.
        old_tokens = Token.objects.filter(expires_at__lt=now)
        old_codes = Code.objects.filter(expires_at__lt=now)
        self.stdout.write(u'Removing %d old tokens and %d old codes.' % (
            old_tokens.count(),
            old_codes.count(),
        ))

        # do it
        old_tokens.delete()
        old_codes.delete()

        self.stdout.write(u'%d tokens and %d codes remain.' % (
            Token.objects.count(),
            Code.objects.count(),
        ))
```

juanifioren commented 6 years ago

@orzel Hi! Yes, sorry. This feature is cool. But there is a problem. I want to create stats about token usage in the future. So this will remove those tokens, which are important info.

Example useful stat: Client A had 12k logins with different users in January 2017.
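As an added example (not code from this thread or from django-oidc-provider), a plain-Python model of the policy discussed above: drop grants that are expired or superseded by a newer one for the same client and user, but compute the per-client, per-month distinct-user counts first so the stat juanifioren wants survives the clean-up. The `Grant` dataclass, its fields and the sample rows are constructed stand-ins, not the project's Django models.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed stand-in for a Token/Code row: only the fields the
# clean-up policy needs. Not the project's ORM model.
@dataclass(frozen=True)
class Grant:
    pk: int
    client: str
    user: str
    issued_at: datetime
    expires_at: datetime


def select_stale(grants, now):
    """Return the pks to remove: everything already expired, plus anything
    superseded by a newer grant for the same (client, user) pair."""
    newest = {}
    for g in grants:
        key = (g.client, g.user)
        if key not in newest or g.issued_at > newest[key].issued_at:
            newest[key] = g
    return sorted(
        g.pk for g in grants
        if g.expires_at <= now or newest[(g.client, g.user)].pk != g.pk
    )


def login_stats(grants):
    """Distinct users per client per calendar month, e.g. 'Client A had
    N logins with different users in January 2017', computed before deletion."""
    seen = {}
    for g in grants:
        seen.setdefault((g.client, g.issued_at.strftime('%Y-%m')), set()).add(g.user)
    return {k: len(v) for k, v in seen.items()}


def run_cleanup(grants, now):
    """Capture the aggregate first, then apply the removal policy."""
    stats = login_stats(grants)
    stale = set(select_stale(grants, now))
    remaining = [g for g in grants if g.pk not in stale]
    return stats, remaining


# Constructed sample data: "now" is midday on 1 Feb 2017.
NOW = datetime(2017, 2, 1, 12, 0)
SAMPLE = [
    Grant(1, 'client-a', 'alice', datetime(2017, 1, 10), datetime(2017, 1, 10, 1)),  # expired
    Grant(2, 'client-a', 'alice', datetime(2017, 1, 31), NOW + timedelta(hours=1)),  # superseded by 3
    Grant(3, 'client-a', 'alice', datetime(2017, 2, 1), NOW + timedelta(hours=1)),   # newest, kept
    Grant(4, 'client-a', 'bob', datetime(2017, 1, 20), NOW + timedelta(days=1)),     # kept
    Grant(5, 'client-b', 'alice', datetime(2017, 1, 5), NOW - timedelta(days=1)),    # expired
]
```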