diff --git a/kuma/settings/common.py b/kuma/settings/common.py
index 69e0b17f61..78b0f29a0b 100644
--- a/kuma/settings/common.py
+++ b/kuma/settings/common.py
@@ -347,7 +347,7 @@ def _get_locales():
 "FXA_VERIFY_URL", default="https://oauth.accounts.firefox.com/v1/verify"
 )
 # Set token re-check time to an hour in seconds
-FXA_TOKEN_EXPIRY = config("FXA_TOKEN_EXPIRY", default=3600)
+FXA_TOKEN_EXPIRY = config("FXA_TOKEN_EXPIRY", default=43200)
 FXA_SET_ISSUER = config("FXA_SET_ISSUER", default="https://accounts.firefox.com")
 FXA_SET_ID_PREFIX = config(
 "FXA_SET_ID_PREFIX", default="https://schemas.accounts.firefox.com/event/"
diff --git a/kuma/users/auth.py b/kuma/users/auth.py
index 7bfa95c1f1..0f853917d1 100644
--- a/kuma/users/auth.py
+++ b/kuma/users/auth.py
@@ -1,5 +1,6 @@
 import time
+import requests
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from mozilla_django_oidc.auth import OIDCAuthenticationBackend
@@ -20,6 +21,32 @@ def get_token(self, payload):
 self.refresh_token = token_info.get("refresh_token")
 return token_info
+ @classmethod
+ def refresh_access_token(cls, refresh_token, ttl=None):
+ """Gets a new access_token by using a refresh_token.
+
+ returns: the actual token or an empty dictionary
+ """
+
+ if not refresh_token:
+ return {}
+
+ obj = cls()
+ payload = {
+ "client_id": obj.OIDC_RP_CLIENT_ID,
+ "client_secret": obj.OIDC_RP_CLIENT_SECRET,
+ "grant_type": "refresh_token",
+ "refresh_token": refresh_token,
+ }
+
+ if ttl:
+ payload.update({"ttl": ttl})
+
+ try:
+ return obj.get_token(payload=payload)
+ except requests.exceptions.HTTPError:
+ return {}
+
 def filter_users_by_claims(self, claims):
 user_model = get_user_model()
diff --git a/kuma/users/middleware.py b/kuma/users/middleware.py
index 2d8d6d1721..721b4e5b9e 100644
--- a/kuma/users/middleware.py
+++ b/kuma/users/middleware.py
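Review bot: The comment directly above the changed default, `# Set token re-check time to an hour in seconds`, is now wrong: 43200 seconds is twelve hours, and the docstring of ValidateAccessTokenMiddleware in kuma/users/middleware.py ("Validate the access token every hour.") repeats the stale figure. Suggest `# Set token re-check time to twelve hours in seconds` here and the matching wording in that docstring. As far as the middleware hunk shows, logout only happens when this interval has elapsed and the refresh fails, so a longer default also lengthens the window in which a session whose refresh token has been revoked upstream keeps working; a one-line comment stating that trade-off next to the value would help whoever tunes it.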
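Review bot: `except requests.exceptions.HTTPError: return {}` in refresh_access_token discards the status that separates a rejected refresh token (HTTP 400, `invalid_grant`) from a transient 5xx at the token endpoint, and the only caller visible in this diff (middleware.py) treats the empty dict as "credentials are bad" and wipes the stored refresh token. Consider swallowing only the 4xx case and letting the rest propagate: `except requests.exceptions.HTTPError as err:` / `if err.response is not None and err.response.status_code == 400: return {}` / `raise`. Timeouts and connection errors (other `requests.exceptions.RequestException` subclasses) are not caught at all and will surface to the middleware as exceptions, so it is worth deciding that explicitly rather than leaving it to which subclass fires. get_token's body starts outside the hunk, but the visible context line `self.refresh_token = token_info.get("refresh_token")` shows it stores any rotated refresh token on the throwaway `obj`, so callers only see it through the returned dict; the docstring should say that, and "the actual token" should read "the token-endpoint response dict (access_token, refresh_token, ...)".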
@@ -1,11 +1,12 @@
 import time
-import requests
 from django.conf import settings
 from django.contrib.auth import logout
 from django.core.exceptions import MiddlewareNotUsed
 from mozilla_django_oidc.middleware import SessionRefresh
+from kuma.users.auth import KumaOIDCAuthenticationBackend
+
 class ValidateAccessTokenMiddleware(SessionRefresh):
 """Validate the access token every hour.
@@ -27,23 +28,20 @@ def process_request(self, request):
 expiration = request.session.get("oidc_id_token_expiration", 0)
 now = time.time()
 access_token = request.session.get("oidc_access_token")
+ profile = request.user.userprofile
 if access_token and expiration < now:
- response_token_info = (
- requests.post(settings.FXA_VERIFY_URL, data={"token": access_token})
- ).json()
-
- # if the token is not verified, log the user out
- if (
- response_token_info.get("code") == 400
- and response_token_info.get("message") == "Invalid token"
- ):
- profile = request.user.userprofile
- profile.fxa_refresh_token = ""
- profile.save()
- logout(request)
- else:
+ token_info = KumaOIDCAuthenticationBackend.refresh_access_token(
+ profile.fxa_refresh_token
+ )
+ new_access_token = token_info.get("access_token")
+ if new_access_token:
+ request.session["oidc_access_token"] = new_access_token
 request.session["oidc_id_token_expiration"] = (
 now + settings.FXA_TOKEN_EXPIRY
 )
+ else:
+ profile.fxa_refresh_token = ""
+ profile.save()
+ logout(request)
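Review bot: `profile = request.user.userprofile` now runs on every request this middleware sees rather than only when the token is stale, so the related-object lookup is paid even when nothing needs refreshing; move it under `if access_token and expiration < now:`, where both uses are. The `else` branch clears `profile.fxa_refresh_token` and logs out whenever no access token comes back, and since refresh_access_token returns `{}` on any HTTPError that includes 5xx from the token endpoint — an outage at check time would force-logout users and destroy their refresh tokens, whereas the removed code only did this on an explicit "Invalid token" answer; keep that distinction (log out on a rejected grant, leave the session alone and log on other failures). A rotated refresh token, if the provider returns one in `token_info`, is discarded here: the session gets the new access token but the profile keeps the old refresh token, so persist it when present, e.g. `if token_info.get("refresh_token"):` / `profile.fxa_refresh_token = token_info["refresh_token"]` / `profile.save()`. process_request begins outside the hunk, so whether request.user is guaranteed authenticated before the unconditional userprofile access is not visible; if it is not, anonymous requests would now raise there.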