support for auto-refresh, up to a maximum? #311

Open
cbeck88 opened this issue Sep 30, 2023 · 2 comments

Comments

@cbeck88

cbeck88 commented Sep 30, 2023

Hi,

I really like many aspects of how django-rest-knox is implemented, and how configurable it is.

The one thing I really wish I could get perfect is:

  1. I would like to have tokens expire after a relatively short time, e.g. 15 minutes, but with auto-refresh on use.
  2. I would like to have a maximum lifetime of a token -- no matter how many times it is refreshed, it expires anyway after e.g. 24 hours from when it was first issued.

My reasoning is, if I turn off token refresh entirely, then the token timer needs to be at least two hours for it not to be annoying to users of my site, so that they don't have to type their password again and again.

But having tokens expire automatically after 15 minutes of non-use is quite good for security. This is also touted as a benefit of OAuth's two-tiered token system, where the shortest-lived token expires quite quickly. It also reduces the harm if users don't click the "sign out" button actively when they leave the site, since whatever credential they have is going to go away if not used within 15 minutes. (By contrast, Knox only has one token class, which is a lot simpler, and this seems like a big win for sites that don't need full federated OAuth.)

The problem is that, if I use this auto refresh feature (also called "sliding tokens") and an attacker does steal a token, as I understand, they can refresh it indefinitely, as long as they make some request with it every 15 minutes (for example). So that escalates theft of a single token, which ideally would be valid at most 24 hours, into a permanent break, where the attacker potentially has access to this user's account forever.

There are things that I could do to mitigate that, like, rotating the django-secret-key on a 24-48 hour basis or something like this. But that has a lot of other consequences, for example it may cause the challenges in password reset and invite emails to rotate prematurely, since they are also derived from the django-secret-key.

Would you be interested in a patch that allows me to turn on auto-refresh with a short token lifetime, but have a second maximum lifetime, which if exceeded, disallows token refresh and forces the user to log back in again with their password?
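A model of the behaviour proposed above, as an added example that is not the project's own code: a sliding expiry that is capped by an absolute lifetime measured from first issue, plus a simulation of the periodic-use scenario the issue describes. The setting names, the `AuthToken` record and the helper functions are assumptions, not Knox's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical settings mirroring the proposal: a sliding TTL and a hard cap.
TOKEN_TTL = timedelta(minutes=15)            # expires after 15 minutes of non-use
AUTO_REFRESH_MAX_TTL = timedelta(hours=24)   # absolute limit from first issue


@dataclass
class AuthToken:
    """Constructed stand-in for a server-side token record (not Knox's model)."""
    created: datetime   # when the token was first issued
    expiry: datetime    # current (sliding) expiry


def issue_token(now: datetime) -> AuthToken:
    return AuthToken(created=now, expiry=now + TOKEN_TTL)


def authenticate(token: AuthToken, now: datetime) -> bool:
    """Validate `token` at time `now` and, if valid, slide its expiry.

    Rejects the token once either the sliding expiry or the absolute maximum
    lifetime has passed. On success the expiry advances by TOKEN_TTL but is
    clamped to created + AUTO_REFRESH_MAX_TTL, so periodic use cannot keep a
    token alive indefinitely.
    """
    if now >= token.expiry:
        return False
    hard_limit = token.created + AUTO_REFRESH_MAX_TTL
    if now >= hard_limit:
        return False
    token.expiry = min(now + TOKEN_TTL, hard_limit)
    return True


def simulate_polling(interval: timedelta, horizon: timedelta) -> timedelta:
    """Use a fresh token every `interval` and report how long it survives.

    Models the theft scenario from the issue: requests made just inside the
    sliding window. Returns `horizon` if the token is never rejected.
    """
    start = datetime(2023, 9, 30, tzinfo=timezone.utc)
    token = issue_token(start)
    now = start
    while now - start < horizon:
        now += interval
        if not authenticate(token, now):
            return now - start
    return horizon
```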

@Nyantekyi

I perfectly agree with you... I am currently on a project and if this update is done my life would literally be so much better. As it stands now I am planning on automatically deleting all tokens on the front end at a set time each day to force a new login.

@johnraz
Collaborator

johnraz commented Oct 21, 2023

Seems legit to me 👌🏻
