avoid using refresh tokens which are expired

- this will prevent galaxy spamming the auth provider endpoint with doomed refresh attempts for each of these users' request -afaik the consensus is that we do not log out user in this case atm, details in galaxyproject#15300
martenson · Jan 16, 2025 · 2832aa3 · 2832aa3
1 parent 4e781cd
commit 2832aa3
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
@@ -118,9 +118,14 @@ def refresh(self, trans, custos_authnz_token):
         if custos_authnz_token is None:
             raise exceptions.AuthenticationFailed("cannot find authorized user while refreshing token")
         id_token_decoded = self._decode_token_no_signature(custos_authnz_token.id_token)
-        # do not refresh tokens if they didn't reach their half lifetime
+        # do not refresh tokens if the id_token didn't reach its half-life
         if int(id_token_decoded["iat"]) + int(id_token_decoded["exp"]) > 2 * int(time.time()):
             return False
+        refresh_token_decoded = self._decode_token_no_signature(custos_authnz_token.refresh_token)
+        # do not attempt to use refresh token that is already expired
+        if int(refresh_token_decoded["exp"]) > int(time.time()):
+            # in the future we might want to log out the user here
+            return False
         log.info(custos_authnz_token.access_token)
         oauth2_session = self._create_oauth2_session()
         token_endpoint = self.config.token_endpoint