Implement access token expiry (#5660)

Record how long an access token is valid for, and raise a soft-logout once it expires.
2025-08-06 09:04:11 -04:00 · 2019-07-12 17:26:02 +01:00 · 2019-07-12 17:26:02 +01:00 · 5f158ec039
commit 5f158ec039
parent 24aa0e0a5b
14 changed files with 255 additions and 33 deletions
--- a/synapse/storage/registration.py
+++ b/synapse/storage/registration.py
@ -90,7 +90,8 @@ class RegistrationWorkerStore(SQLBaseStore):
            token (str): The access token of a user.
        Returns:
            defer.Deferred: None, if the token did not match, otherwise dict
-                including the keys `name`, `is_guest`, `device_id`, `token_id`.
+                including the keys `name`, `is_guest`, `device_id`, `token_id`,
+                `valid_until_ms`.
        """
        return self.runInteraction(
            "get_user_by_access_token", self._query_for_auth, token
@ -284,7 +285,7 @@ class RegistrationWorkerStore(SQLBaseStore):
    def _query_for_auth(self, txn, token):
        sql = (
            "SELECT users.name, users.is_guest, access_tokens.id as token_id,"
-            " access_tokens.device_id"
+            " access_tokens.device_id, access_tokens.valid_until_ms"
            " FROM users"
            " INNER JOIN access_tokens on users.name = access_tokens.user_id"
            " WHERE token = ?"
@ -679,14 +680,16 @@ class RegistrationStore(
        defer.returnValue(batch_size)

    @defer.inlineCallbacks
-    def add_access_token_to_user(self, user_id, token, device_id=None):
+    def add_access_token_to_user(self, user_id, token, device_id, valid_until_ms):
        """Adds an access token for the given user.

        Args:
            user_id (str): The user ID.
            token (str): The new access token to add.
            device_id (str): ID of the device to associate with the access
-               token
+                token
+            valid_until_ms (int|None): when the token is valid until. None for
+                no expiry.
        Raises:
            StoreError if there was a problem adding this.
        """
@ -694,7 +697,13 @@ class RegistrationStore(

        yield self._simple_insert(
            "access_tokens",
-            {"id": next_id, "user_id": user_id, "token": token, "device_id": device_id},
+            {
+                "id": next_id,
+                "user_id": user_id,
+                "token": token,
+                "device_id": device_id,
+                "valid_until_ms": valid_until_ms,
+            },
            desc="add_access_token_to_user",
        )