Make refresh tokens rotate

Author: Liam S. Crouch

phoenixRest/__init__.py

@@ -39,6 +39,8 @@
 
 from phoenixRest.services import ServiceManager, setup_service_manager
 
+OAUTH_EXPIRY = 1*60 if "DEBUG" in os.environ else 10*60
+
 @subscriber(NewRequest)
 def log_request(evt):
     log.info("%s %s" % (evt.request.method, evt.request.url))
@@ -100,7 +102,7 @@ def main(global_config, **settings):
     # JWT
     config.set_authorization_policy(ACLAuthorizationPolicy())
     config.include('pyramid_jwt')
-    config.set_jwt_authentication_policy(JWT_SECRET, auth_type="Bearer" ,expiration=60*60 if "DEBUG" in os.environ else 10*60, callback=add_role_principals)
+    config.set_jwt_authentication_policy(JWT_SECRET, auth_type="Bearer" ,expiration=OAUTH_EXPIRY, callback=add_role_principals)
 
     # Pillow renderer
     config.add_renderer("pillow", ".features.pillow_renderer.PillowRendererFactory")

phoenixRest/views/user/oauth.py

@@ -12,6 +12,7 @@
 from phoenixRest.models.core.event import get_current_event
 from phoenixRest.models.core.oauth.oauthCode import OauthCode
 from phoenixRest.models.core.oauth.refreshToken import OauthRefreshToken
+from phoenixRest import OAUTH_EXPIRY
 
 from phoenixRest.utils import validate
 
@@ -147,12 +148,15 @@ def token(request):
                 "error": "Invalid token"
             }
 
-        #refreshToken.refresh()
+        refreshToken.refresh()
+        request.db.add(refreshToken)
         # The refresh token was valid
 
         return {
             'access_token': generate_token(refreshToken.user, request),
-            #'refresh_token': refreshToken.token
+            'token_type': "Bearer",
+            'refresh_token': refreshToken.token,
+            'expires': OAUTH_EXPIRY
         }
     else:
         request.response.status = 400