Saleor: Authorization token doesn't check expiration date
Steps to reproduce the problem
- Create JWT token using tokenCreate mutation
- check expiration date
- use token after token expires
kswiatek92
All 16 comments
Hi! By default the tokens don't expire, refer to https://django-graphql-jwt.domake.io/en/latest/settings.html#token-expiration.
NyanKiyoshi
on 2 Jan 2020
@NyanKiyoshi you're right, my bad, in that case I propose to add if ... else ... statement where
we check if debug false set expiration_check to True
kswiatek92
on 2 Jan 2020
added in
#5076
kswiatek92
on 8 Jan 2020
NyanKiyoshi
on 8 Jan 2020
Is this environment variable in the correct location? Only when moving it to the GRAPHQL_JWT dictionary I've got the token to expire.
dsbrgg
on 27 Jan 2020
Yes that should in the GRAPHQL_JWT and not in the root of settings.py
NyanKiyoshi
on 27 Jan 2020
After further investigation, we concluded that the entire JWT authentication implementation in Saleor should be reworked. Here is the desired flow (roughly):
tokenCreatemutation generatesaccessToken,refreshTokenand sets an HTTP-only cookie with therefreshToken.accessTokenis stored in the client app in memory (not in local storage as it is now),- the client app can refresh the
accessTokenwith a mutation that reads therefreshTokenfrom the cookie - Saleor comes with a recommended configuration where
accessTokenexpires after 5 minutes
After investigating how refresh tokens work in the django-graphql-jwt we also concluded that it doesn't really meet our needs (it's really well described in this issue - https://github.com/flavors/django-graphql-jwt/issues/159). Adjusting it would require too many changes in the original library (by copying its parts to Saleor), so the idea is to implement these mutations entirely in Saleor. We can try to reuse parts of the library, but if it makes the development harder, then we can reimplement it on our side.
maarcingebala
on 31 Jan 2020
@maarcingebala do you think it will be squeezed into the 2.11 along with permission management, or should we not expect these changes too soon?
Thank you for your development efforts, love the project
artdiev
on 27 Mar 2020
We're now working on 2.10 and planning to release it in about two weeks for today. We haven't yet planned the exact scope of 2.11, but this ticket should have high priority and I'll try to push it once we have a planning meeting with the team. Thanks for reminding me.
maarcingebala
on 27 Mar 2020
This is the one only thing keeping from going all out on saleor. I'm waiting for this. Thank you
belhassen07
on 4 May 2020
@maarcingebala isn't this already fixed in 2.10?
NyanKiyoshi
on 5 May 2020
We haven't touched it, it's planned for 2.11.
maarcingebala
on 5 May 2020
We have this:
https://github.com/mirumee/saleor/blob/42b6c1a463173445a5390bb830aa0a3d71879968/saleor/settings.py#L478
And it works
NyanKiyoshi
on 5 May 2020
OK, so this is partially fixed, but we also want to rework a large part of the entire JWT implementation (maybe it should be a separate issue - https://github.com/mirumee/saleor/issues/5128#issuecomment-580693586).
maarcingebala
on 5 May 2020
Yeah, I think opening a separate issue would be better as this issues is fixed.
NyanKiyoshi
on 5 May 2020
JWT auth layer rebuilt in #5734. So this issue is not valid anymore
korycins
on 30 Jun 2020
Related issues
lewis617
路
3Comments
damianarechar
路
3Comments
timuric
路
3Comments
tanvirraj
路
3Comments
mad-anne
路
3Comments
Most helpful comment
After further investigation, we concluded that the entire JWT authentication implementation in Saleor should be reworked. Here is the desired flow (roughly):
tokenCreatemutation generatesaccessToken,refreshTokenand sets an HTTP-only cookie with therefreshToken.accessTokenis stored in the client app in memory (not in local storage as it is now),accessTokenwith a mutation that reads therefreshTokenfrom the cookieaccessTokenexpires after 5 minutesAfter investigating how refresh tokens work in the
django-graphql-jwtwe also concluded that it doesn't really meet our needs (it's really well described in this issue - https://github.com/flavors/django-graphql-jwt/issues/159). Adjusting it would require too many changes in the original library (by copying its parts to Saleor), so the idea is to implement these mutations entirely in Saleor. We can try to reuse parts of the library, but if it makes the development harder, then we can reimplement it on our side.