refactor(chalice): debug authorizer

refactor(chalice): configurable JWT_LEEWAY
tahayk · Apr 22, 2024 · 74ab563 · 74ab563
1 parent f0540b7
commit 74ab563
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 6 deletions.
diff --git a/api/auth/auth_jwt.py b/api/auth/auth_jwt.py
@@ -2,6 +2,7 @@
 import logging
 from typing import Optional
 
+from decouple import config
 from fastapi import Request
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from starlette import status
@@ -39,19 +40,26 @@ async def __call__(self, request: Request) -> Optional[schemas.CurrentContext]:
                 jwt_payload = authorizers.jwt_refresh_authorizer(scheme="Bearer", token=request.cookies["refreshToken"])
 
             if jwt_payload is None or jwt_payload.get("jti") is None:
-                raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid token or expired token.")
+                logger.warning("Null refreshToken's payload, or null JTI.")
+                raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
+                                    detail="Invalid refresh-token or expired refresh-token.")
             auth_exists = users.refresh_auth_exists(user_id=jwt_payload.get("userId", -1),
                                                     jwt_jti=jwt_payload["jti"])
             if not auth_exists:
-                raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid token or expired token.")
+                logger.warning("refreshToken's user not found.")
+                logger.warning(jwt_payload)
+                raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
+                                    detail="Invalid refresh-token or expired refresh-token.")
 
             credentials: HTTPAuthorizationCredentials = await super(JWTAuth, self).__call__(request)
             if credentials:
                 if not credentials.scheme == "Bearer":
                     raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST,
                                         detail="Invalid authentication scheme.")
                 old_jwt_payload = authorizers.jwt_authorizer(scheme=credentials.scheme, token=credentials.credentials,
-                                                             leeway=datetime.timedelta(days=3))
+                                                             leeway=datetime.timedelta(
+                                                                 days=config("JWT_LEEWAY_DAYS", cast=int, default=3)
+                                                             ))
                 if old_jwt_payload is None \
                         or old_jwt_payload.get("userId") is None \
                         or old_jwt_payload.get("userId") != jwt_payload.get("userId"):

diff --git a/ee/api/auth/auth_jwt.py b/ee/api/auth/auth_jwt.py
@@ -2,6 +2,7 @@
 import logging
 from typing import Optional
 
+from decouple import config
 from fastapi import Request
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from starlette import status
@@ -43,20 +44,27 @@ async def __call__(self, request: Request) -> Optional[schemas.CurrentContext]:
                 jwt_payload = authorizers.jwt_refresh_authorizer(scheme="Bearer", token=request.cookies["refreshToken"])
 
             if jwt_payload is None or jwt_payload.get("jti") is None:
-                raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid token or expired token.")
+                logger.warning("Null refreshToken's payload, or null JTI.")
+                raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
+                                    detail="Invalid refresh-token or expired refresh-token.")
             auth_exists = users.refresh_auth_exists(user_id=jwt_payload.get("userId", -1),
                                                     tenant_id=jwt_payload.get("tenantId", -1),
                                                     jwt_jti=jwt_payload["jti"])
             if not auth_exists:
-                raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid token or expired token.")
+                logger.warning("refreshToken's user not found.")
+                logger.warning(jwt_payload)
+                raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
+                                    detail="Invalid refresh-token or expired refresh-token.")
 
             credentials: HTTPAuthorizationCredentials = await super(JWTAuth, self).__call__(request)
             if credentials:
                 if not credentials.scheme == "Bearer":
                     raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST,
                                         detail="Invalid authentication scheme.")
                 old_jwt_payload = authorizers.jwt_authorizer(scheme=credentials.scheme, token=credentials.credentials,
-                                                             leeway=datetime.timedelta(days=3))
+                                                             leeway=datetime.timedelta(
+                                                                 days=config("JWT_LEEWAY_DAYS", cast=int, default=3)
+                                                             ))
                 if old_jwt_payload is None \
                         or old_jwt_payload.get("userId") is None \
                         or old_jwt_payload.get("userId") != jwt_payload.get("userId"):