Renew access token every 12 hours. (#8026)

* Renew access token every 12 hours. * lint * lint Co-authored-by: Florian Dieminger <me@fiji-flo.de>
mdn · Jan 12, 2022 · 0ab25fb · 0ab25fb
1 parent 20857c3
commit 0ab25fb
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 16 deletions.
diff --git a/kuma/settings/common.py b/kuma/settings/common.py
@@ -347,7 +347,7 @@ def _get_locales():
     "FXA_VERIFY_URL", default="https://oauth.accounts.firefox.com/v1/verify"
 )
 # Set token re-check time to an hour in seconds
-FXA_TOKEN_EXPIRY = config("FXA_TOKEN_EXPIRY", default=3600)
+FXA_TOKEN_EXPIRY = config("FXA_TOKEN_EXPIRY", default=43200)
 FXA_SET_ISSUER = config("FXA_SET_ISSUER", default="https://accounts.firefox.com")
 FXA_SET_ID_PREFIX = config(
     "FXA_SET_ID_PREFIX", default="https://schemas.accounts.firefox.com/event/"

diff --git a/kuma/users/auth.py b/kuma/users/auth.py
@@ -1,5 +1,6 @@
 import time
 
+import requests
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from mozilla_django_oidc.auth import OIDCAuthenticationBackend
@@ -20,6 +21,32 @@ def get_token(self, payload):
         self.refresh_token = token_info.get("refresh_token")
         return token_info
 
+    @classmethod
+    def refresh_access_token(cls, refresh_token, ttl=None):
+        """Gets a new access_token by using a refresh_token.
+
+        returns: the actual token or an empty dictionary
+        """
+
+        if not refresh_token:
+            return {}
+
+        obj = cls()
+        payload = {
+            "client_id": obj.OIDC_RP_CLIENT_ID,
+            "client_secret": obj.OIDC_RP_CLIENT_SECRET,
+            "grant_type": "refresh_token",
+            "refresh_token": refresh_token,
+        }
+
+        if ttl:
+            payload.update({"ttl": ttl})
+
+        try:
+            return obj.get_token(payload=payload)
+        except requests.exceptions.HTTPError:
+            return {}
+
     def filter_users_by_claims(self, claims):
         user_model = get_user_model()
 

diff --git a/kuma/users/middleware.py b/kuma/users/middleware.py
@@ -1,11 +1,12 @@
 import time
 
-import requests
 from django.conf import settings
 from django.contrib.auth import logout
 from django.core.exceptions import MiddlewareNotUsed
 from mozilla_django_oidc.middleware import SessionRefresh
 
+from kuma.users.auth import KumaOIDCAuthenticationBackend
+
 
 class ValidateAccessTokenMiddleware(SessionRefresh):
     """Validate the access token every hour.
@@ -27,23 +28,20 @@ def process_request(self, request):
         expiration = request.session.get("oidc_id_token_expiration", 0)
         now = time.time()
         access_token = request.session.get("oidc_access_token")
+        profile = request.user.userprofile
 
         if access_token and expiration < now:
 
-            response_token_info = (
-                requests.post(settings.FXA_VERIFY_URL, data={"token": access_token})
-            ).json()
-
-            # if the token is not verified, log the user out
-            if (
-                response_token_info.get("code") == 400
-                and response_token_info.get("message") == "Invalid token"
-            ):
-                profile = request.user.userprofile
-                profile.fxa_refresh_token = ""
-                profile.save()
-                logout(request)
-            else:
+            token_info = KumaOIDCAuthenticationBackend.refresh_access_token(
+                profile.fxa_refresh_token
+            )
+            new_access_token = token_info.get("access_token")
+            if new_access_token:
+                request.session["oidc_access_token"] = new_access_token
                 request.session["oidc_id_token_expiration"] = (
                     now + settings.FXA_TOKEN_EXPIRY
                 )
+            else:
+                profile.fxa_refresh_token = ""
+                profile.save()
+                logout(request)