tests and manual

Author: BernhardKoschicek

openatlas/__init__.py

@@ -139,8 +139,9 @@ def check_incoming_tokens(
         jwt_payload: dict[str, Any]) -> bool:
     if not jwt_header['typ'] == 'JWT':
         return True
-    # todo: add user active check. maybe add it to sql query
     token_ = check_token_revoked(jwt_payload["jti"])
-    if token_['revoked'] or token_['valid_until'] < datetime.datetime.now():
+    if token_['revoked'] \
+            or not token_['active'] \
+            or token_['valid_until'] < datetime.datetime.now():
         return True
     return False

openatlas/database/token.py

@@ -17,8 +17,12 @@ def get_tokens(
         WHERE TRUE
             {'AND user_id = %(user_id)s' if int(user_id) else ''}
             {'AND revoked = %(revoked)s' if revoked != 'all' else ''}
-            {'AND valid_until ' + valid + ' timestamp %(timestamp)s' if valid != 'all' else ''};
-        """, {'user_id': user_id, 'revoked': revoked, 'timestamp': str(datetime.now())})
+            {'AND valid_until ' + valid + ' timestamp %(timestamp)s' 
+            if valid != 'all' else ''};
+        """, {
+            'user_id': user_id,
+            'revoked': revoked,
+            'timestamp': str(datetime.now())})
     return [dict(row) for row in g.cursor.fetchall()]
 
 
@@ -72,10 +76,12 @@ def delete_invalid_tokens(inactive_user_ids: list[int]) -> None:
 def check_token_revoked(jti: str) -> dict[str, Any]:
     g.cursor.execute(
         """
-        SELECT revoked, valid_until FROM web.user_tokens WHERE jti = %(jti)s;
+        SELECT t.revoked, t.valid_until, u.active
+        FROM web.user_tokens t 
+        LEFT JOIN web.user u ON t.user_id = u.id
+        WHERE jti = %(jti)s;
         """, {'jti': jti})
+    token = {'revoked': True, 'valid_until': True, 'active': True}
     if row := g.cursor.fetchone():
-        token = {'revoked': row[0], 'valid_until': row[1]}
-    else:
-        token = {'revoked': True, 'valid_until': True}
+        token = {'revoked': row[0], 'valid_until': row[1], 'active': row[2]}
     return token

sphinx/source/admin/api.rst

@@ -21,4 +21,35 @@ Description: :doc:`/technical/api`
 **Token**
 ---------
 
-API Tokens can be created to query the API if it is turned off.
+API Tokens can be created to query the API if it is turned off. Only Admins
+are allowed to create, revoke and delete tokens.
+
+.. _valid tokens:
+
+A token is valid if:
+    * **valid from** is greater than current date
+    * **revoked** is *false*, meaning the token is not revoked
+    * :ref:`user` is active
+
+Available options are:
+    * **Generate**: :ref:`generate` a new token
+    * **Revoke all tokens**: Revoke all available tokens
+    * **Authorize all tokens**: All revoked tokens will be valid again
+    * **Delete revoked tokens**: All revoked tokens will be deleted
+    * **Delete invalid tokens**: All invalid tokens will be deleted (see :ref:`valid tokens`)
+
+.. _generate:
+
+**Generate Token**
+******************
+
+* **Expiration**:
+    Set how long a token is valid. Entered numbers are days. 0 means no expiration date
+* **Token name**:
+    To better distinguish between tokens, a individual name can be entered
+* **User**:
+    Select a :ref:`user` for which the token will be created
+
+After the *Generate* button is clicked, the site will reload and a grey box appears.
+In this box the token string will be visible and is copied on click.
+Be aware, this is the only time, the token will be visible!

sphinx/source/admin/user.rst

@@ -1,6 +1,8 @@
 User
 ====
 
+.. _user:
+
 .. toctree::
 
 In the overview users and information on their group, email, created/last

tests/test_token.py

@@ -2,7 +2,6 @@
 from flask_jwt_extended import decode_token
 
 from openatlas.database.token import get_tokens
-from openatlas.models.user import User
 from openatlas import app, check_incoming_tokens
 from tests.base import TestBaseCase
 
@@ -77,17 +76,19 @@ def test_token(self) -> None:
             g.settings['api_public'] = False
             c.get(url_for('logout'))
             for token in jwt_token_strings:
-                #decoded = decode_token(token)
-                #check = check_incoming_tokens({'typ': 'JWT'}, decoded)
-                #assert check is True if decoded['sub'] in ['Alice', 'Inactive'] else False
-
-                # should fail if check_incoming_tokens checks for user active
+                decoded = decode_token(token)
                 rv = c.get(
                     url_for('api_04.class_mapping', locale='de'),
                     headers={'Authorization': f'Bearer {token}'})
-                assert b'results' in rv.data
-
-            # assert check_incoming_tokens({'typ': 'Unknown'}, decoded) is True
+                if decoded['sub'] in ['Alice', 'Inactive']:
+                    assert b'Token has been revoked' in rv.data
+                else:
+                    assert b'results' in rv.data
+
+            assert check_incoming_tokens({'typ': 'Unknown'}, decoded) is True
+            c.post(
+                url_for('login'),
+                data={'username': 'Alice', 'password': 'test'})
 
         rv = c.get(url_for('delete_revoked_tokens'), follow_redirects=True)
         assert b'All revoked tokens deleted' in rv.data