Support expiry of refresh tokens and expiry of the overall session when refresh tokens are in use. (#11425)

2025-05-02 14:06:02 -04:00 · 2021-11-26 14:27:14 +00:00 · 2021-11-26 14:27:14 +00:00 · 1d8b80b334
commit 1d8b80b334
parent e2c300e7e4
8 changed files with 338 additions and 54 deletions
--- a/synapse/storage/databases/main/registration.py
+++ b/synapse/storage/databases/main/registration.py
@ -106,6 +106,15 @@ class RefreshTokenLookupResult:
    has_next_access_token_been_used: bool
    """True if the next access token was already used at least once."""

+    expiry_ts: Optional[int]
+    """The time at which the refresh token expires and can not be used.
+    If None, the refresh token doesn't expire."""
+
+    ultimate_session_expiry_ts: Optional[int]
+    """The time at which the session comes to an end and can no longer be
+    refreshed.
+    If None, the session can be refreshed indefinitely."""
+

 class RegistrationWorkerStore(CacheInvalidationWorkerStore):
    def __init__(
@ -1626,8 +1635,10 @@ class RegistrationWorkerStore(CacheInvalidationWorkerStore):
                    rt.user_id,
                    rt.device_id,
                    rt.next_token_id,
-                    (nrt.next_token_id IS NOT NULL) has_next_refresh_token_been_refreshed,
-                    at.used has_next_access_token_been_used
+                    (nrt.next_token_id IS NOT NULL) AS has_next_refresh_token_been_refreshed,
+                    at.used AS has_next_access_token_been_used,
+                    rt.expiry_ts,
+                    rt.ultimate_session_expiry_ts
                FROM refresh_tokens rt
                LEFT JOIN refresh_tokens nrt ON rt.next_token_id = nrt.id
                LEFT JOIN access_tokens at ON at.refresh_token_id = nrt.id
@ -1648,6 +1659,8 @@ class RegistrationWorkerStore(CacheInvalidationWorkerStore):
                has_next_refresh_token_been_refreshed=row[4],
                # This column is nullable, ensure it's a boolean
                has_next_access_token_been_used=(row[5] or False),
+                expiry_ts=row[6],
+                ultimate_session_expiry_ts=row[7],
            )

        return await self.db_pool.runInteraction(
@ -1915,6 +1928,8 @@ class RegistrationStore(StatsStore, RegistrationBackgroundUpdateStore):
        user_id: str,
        token: str,
        device_id: Optional[str],
+        expiry_ts: Optional[int],
+        ultimate_session_expiry_ts: Optional[int],
    ) -> int:
        """Adds a refresh token for the given user.

@ -1922,6 +1937,13 @@ class RegistrationStore(StatsStore, RegistrationBackgroundUpdateStore):
            user_id: The user ID.
            token: The new access token to add.
            device_id: ID of the device to associate with the refresh token.
+            expiry_ts (milliseconds since the epoch): Time after which the
+                refresh token cannot be used.
+                If None, the refresh token never expires until it has been used.
+            ultimate_session_expiry_ts (milliseconds since the epoch):
+                Time at which the session will end and can not be extended any
+                further.
+                If None, the session can be refreshed indefinitely.
        Raises:
            StoreError if there was a problem adding this.
        Returns:
@ -1937,6 +1959,8 @@ class RegistrationStore(StatsStore, RegistrationBackgroundUpdateStore):
                "device_id": device_id,
                "token": token,
                "next_token_id": None,
+                "expiry_ts": expiry_ts,
+                "ultimate_session_expiry_ts": ultimate_session_expiry_ts,
            },
            desc="add_refresh_token_to_user",
        )