
feat(auth): add workspaceId validation and token expiration #9134

Merged
merged 2 commits into main from fix/refresh-token
Dec 18, 2024

Conversation

Contributor

@AMoreaux AMoreaux commented Dec 18, 2024

Added validation to ensure refresh tokens include a workspaceId, throwing an exception for malformed tokens. Included workspaceId in payloads and introduced expiration handling for access tokens. This enhances token security and prevents potential misuse.

Close #9126

@AMoreaux AMoreaux self-assigned this Dec 18, 2024
Contributor

@greptile-apps greptile-apps bot left a comment


PR Summary

Enhanced token security by implementing workspaceId validation and expiration handling for both access and refresh tokens in the authentication system.

  • Added expiresIn parameter to access token signing in /packages/twenty-server/src/engine/core-modules/auth/token/services/access-token.service.ts for automatic token expiration
  • Implemented workspaceId validation in /packages/twenty-server/src/engine/core-modules/auth/token/services/refresh-token.service.ts with AuthException handling
  • Added workspaceId to refresh token payload structure for improved context validation
  • Enhanced workspace membership verification before token generation

2 file(s) reviewed, no comment(s)
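To show the two checks the summary above describes, here is an added example (not code from twenty-server): a minimal HS256 token is signed with an explicit lifetime, then verified by checking the signature, the exp claim and the presence of workspaceId, so a token issued before workspaceId was part of the payload is rejected with an INVALID_INPUT-style code. The secret, the sub claim, the AuthError class and the function names are assumptions made for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed secret for the example only; a real service loads it from configuration.
const SECRET = "example-only-secret-do-not-reuse";

export type AuthCode = "INVALID_INPUT" | "EXPIRED" | "BAD_SIGNATURE";
export class AuthError extends Error {
  code: AuthCode;
  constructor(code: AuthCode, message: string) { super(message); this.code = code; }
}

// Payload shape assumed for the example: sub = user id, workspaceId = the claim the PR makes mandatory.
export type TokenPayload = { sub: string; workspaceId?: string; iat: number; exp: number };

const b64u = (s: string): string => Buffer.from(s).toString("base64url");
const hmac = (data: string): string => createHmac("sha256", SECRET).update(data).digest("base64url");

// Sign with an explicit lifetime, which is the effect of passing expiresIn when signing an access token.
export function signToken(claims: Pick<TokenPayload, "sub" | "workspaceId">, expiresInSec: number, nowSec: number): string {
  const header = b64u(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64u(JSON.stringify({ ...claims, iat: nowSec, exp: nowSec + expiresInSec }));
  return `${header}.${body}.${hmac(`${header}.${body}`)}`;
}

// Verify the signature first, then expiry, then the workspaceId requirement the PR adds.
export function verifyRefreshToken(token: string, nowSec: number): TokenPayload {
  const parts = token.split(".");
  if (parts.length !== 3) throw new AuthError("INVALID_INPUT", "This refresh token is malformed");
  const [header, body, sig] = parts;
  const expected = Buffer.from(hmac(`${header}.${body}`));
  const actual = Buffer.from(sig);
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
    throw new AuthError("BAD_SIGNATURE", "Refresh token signature does not verify");
  }
  const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as TokenPayload;
  if (typeof payload.exp !== "number" || payload.exp <= nowSec) {
    throw new AuthError("EXPIRED", "Refresh token has expired");
  }
  // Tokens issued before workspaceId was part of the payload fail here; the client treats
  // INVALID_INPUT as "go back to login" rather than as a fatal error.
  if (!payload.workspaceId) {
    throw new AuthError("INVALID_INPUT", "This refresh token is malformed");
  }
  return payload;
}
```

The clock is passed in as nowSec so the expiry path can be exercised deterministically; a service would pass Math.floor(Date.now() / 1000).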

Comment on lines +93 to +98
if (!token.workspaceId) {
throw new AuthException(
'This refresh token is malformed',
AuthExceptionCode.INVALID_INPUT,
);
}
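Review bot: the new check at lines +93 to +98 raises AuthExceptionCode.INVALID_INPUT for a token that merely predates workspaceId being part of the refresh payload, so the client receives the same code as for a genuinely malformed request. As the thread explains, the rejection is deliberate (it sends holders of old tokens back through login instead of leaving them with a blocking error) and temporary, so add a comment on the check stating that purpose and its planned removal date, so the block is not kept as a permanent validation rule; note also that `!token.workspaceId` rejects an empty-string workspaceId as well as a missing one, which is the strictness wanted here.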
Contributor Author

This error allows the front to redirect to the login page when the token has no workspace.
Instead, it's a blocking error that forces the user to clean his browser storage.

Contributor Author

Users should all meet it when we deploy.
In 90d it will be useless.

Added a TODO comment to mark the workspaceId validation for removal after March 31st. This prepares for planned cleanup and ensures clear communication of future changes.
@FelixMalfait FelixMalfait merged commit a2423fa into main Dec 18, 2024
21 of 22 checks passed
@FelixMalfait FelixMalfait deleted the fix/refresh-token branch December 18, 2024 17:56

Thanks @AMoreaux for your contribution!
This marks your 32nd PR on the repo. You're top 2% of all our contributors 🎉

Successfully merging this pull request may close these issues.

fix(auth): refresh token should works
2 participants