From 2832aa35916f6ed608629ce6c1557b2ec39c2392 Mon Sep 17 00:00:00 2001
From: Martin Cech
Date: Thu, 16 Jan 2025 12:59:14 +0100
Subject: [PATCH] avoid using refresh tokens which are expired

- this will prevent galaxy spamming the auth provider endpoint with doomed refresh attempts for each of these users' request
-afaik the consensus is that we do not log out user in this case atm, details in https://github.com/galaxyproject/galaxy/pull/15300
---
 lib/galaxy/authnz/custos_authnz.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
index 4343f1554fd2..ffa02e038059 100644
--- a/lib/galaxy/authnz/custos_authnz.py
+++ b/lib/galaxy/authnz/custos_authnz.py
@@ -118,9 +118,14 @@ def refresh(self, trans, custos_authnz_token):
         if custos_authnz_token is None:
             raise exceptions.AuthenticationFailed("cannot find authorized user while refreshing token")
         id_token_decoded = self._decode_token_no_signature(custos_authnz_token.id_token)
-        # do not refresh tokens if they didn't reach their half lifetime
+        # do not refresh tokens if the id_token didn't reach its half-life
         if int(id_token_decoded["iat"]) + int(id_token_decoded["exp"]) > 2 * int(time.time()):
             return False
+        refresh_token_decoded = self._decode_token_no_signature(custos_authnz_token.refresh_token)
+        # do not attempt to use refresh token that is already expired
+        if int(refresh_token_decoded["exp"]) > int(time.time()):
+            # in the future we might want to log out the user here
+            return False
         log.info(custos_authnz_token.access_token)
         oauth2_session = self._create_oauth2_session()
         token_endpoint = self.config.token_endpoint
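Review bot: The expiry guard in the added refresh-token check is inverted: `if int(refresh_token_decoded["exp"]) > int(time.time()):` returns False while the refresh token is still valid and lets an already-expired one fall through to the token endpoint, which is the opposite of what the comment above it and the commit message describe. The comparison should read `if int(refresh_token_decoded["exp"]) < int(time.time()):` (or `<=` if the boundary second is to count as expired). The new `_decode_token_no_signature(custos_authnz_token.refresh_token)` call also presumes the provider issues JWT refresh tokens carrying an `exp` claim; an opaque or claim-less refresh token would raise out of this branch rather than return False, so the decode and the `["exp"]` lookup are worth guarding before the new check. The surviving context line `log.info(custos_authnz_token.access_token)` directly below writes a bearer credential to the log at info level; the commit does not touch it, but since this hunk is already being reworked it would be worth dropping or redacting it here. `refresh` continues past the end of the hunk.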