Adjusted jwt access token exp expiry value to 5 days from seven, also confirmed it works and an expired token loses access and adjusted the skew to 0

2021-11-12 18:10:39 +00:00
parent eba68efc19
commit 000b53ea1e
4 changed files with 24 additions and 6 deletions
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -55,7 +55,7 @@
        "AYANOVA_FOLDER_USER_FILES": "c:\\temp\\RavenTestData\\userfiles",
        "AYANOVA_FOLDER_BACKUP_FILES": "c:\\temp\\RavenTestData\\backupfiles",
        "AYANOVA_FOLDER_TEMPORARY_SERVER_FILES": "c:\\temp\\RavenTestData\\tempfiles",
-        //"AYANOVA_SERVER_TEST_MODE": "false",
+        "AYANOVA_SERVER_TEST_MODE": "false",
        "AYANOVA_SERVER_TEST_MODE_SEEDLEVEL": "small",
        "AYANOVA_SERVER_TEST_MODE_TZ_OFFSET": "-8",
        "AYANOVA_BACKUP_PG_DUMP_PATH": "C:\\data\\code\\postgres_14\\bin\\"
--- a/docs/8.0/ayanova/docs/ops-config-jwt-secret.md
+++ b/docs/8.0/ayanova/docs/ops-config-jwt-secret.md
@@ -5,9 +5,9 @@ AyaNova uses JSON Web Tokens (JWT) for authentication.
 These time limited tokens are signed by the server using a secret key and issued to users when they log in to the AyaNova server.
 Every time the user makes a request to the server the JWT is sent along as well and verified to be valid.

-Tokens have a built in expiry mechanism of 7 days from issue to force users to re-login at periodic intervals.
+Tokens have a built in expiry mechanism of 5 days from issue.

-Users can be prevented from logging in even if they have a valid token by setting them to inactive.
+Users can be prevented from logging in or accessing the server by setting them inactive which takes effect immediately regardless of how many days are left on their current access token.

 All active tokens previously issued can be invalidated by changing this JWT Secret setting and restarting the server (or restarting the server and allowing it to choose a new secret value randomly if none is specified).

--- a/server/AyaNova/Controllers/AuthController.cs
+++ b/server/AyaNova/Controllers/AuthController.cs
@@ -32,7 +32,7 @@ namespace AyaNova.Api.Controllers
        private readonly ILogger<AuthController> log;
        private readonly IConfiguration _configuration;
        private readonly ApiServerState serverState;
-        private const int JWT_LIFETIME_DAYS = 7;
+        private const int JWT_LIFETIME_DAYS = 5;

        /// <summary>
        /// ctor
@@ -313,7 +313,25 @@ namespace AyaNova.Api.Controllers

            //create a new datetime offset of now in utc time
            var iat = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);//timespan zero means zero time off utc / specifying this is a UTC datetime
+            
+            //###################################
+            //Lifetime of jwt token
+            //after this point the user will no longer be able to make requests without logging in again 
+            //and the client will automatically send them to the login screen          
+            //so this is auto logout after this time period
+            
+            //security wise  the length of time is not an issue how long this is because our system allows to revoke tokens as they are checked on every access
+            //the adivce online is to make it short and use refresh tokens but that's not an issue with our system since we both issue and validate
+            //the tokens ourselves
+
+            //The only down side is that an expired license at the server will not prevent people from continuing to work until their token expires
+            //an expired license only stops a fresh login
+            //so whatever this value is will allow people who haven't logged out to continue to work until it expires
+
+            //so this really only controls how long we allow them to work with an expired ayanova license which would be a rare occurence I suspect 
+            //so really to prevent fuckery for people 5 days seems fine meaning they won't need to sign in again all business week if they want to continue working
            var exp = new DateTimeOffset(DateTime.Now.AddDays(JWT_LIFETIME_DAYS).ToUniversalTime(), TimeSpan.Zero);
+            


            //=============== download token ===================                  
@@ -602,7 +620,7 @@ namespace AyaNova.Api.Controllers
            //https://github.com/google/google-authenticator/wiki/Key-Uri-Format
            //otpauth://totp/ACME%20Co:john.doe@email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30
            //this format tested and works with Google, Microsoft Authy, Duo authenticators
-            string payload = $"otpauth://totp/AyaNova:{u.Name}?secret={u.TotpSecret}&issuer=AyaNova&algorithm=SHA1&digits=6&period=30";
+            string payload = $"otpauth://totp/AyaNova:{u.Name}?secret={u.TotpSecret}&issuer=AyaNova&algorithm=SHA1&digits=6&period=30";//NOTE: the 30 here is seconds the totp code is allowed to be used before a new one is required

            QRCodeGenerator qrGenerator = new QRCodeGenerator();
            QRCodeData qrCodeData = qrGenerator.CreateQrCode(payload, QRCodeGenerator.ECCLevel.Q);
--- a/server/AyaNova/Startup.cs
+++ b/server/AyaNova/Startup.cs
@@ -295,7 +295,7 @@ namespace AyaNova
                        // Token will only be valid if not expired yet, with 5 minutes clock skew.
                        ValidateLifetime = true,
                        RequireExpirationTime = true,
-                        ClockSkew = new TimeSpan(0, 5, 0),
+                        ClockSkew = TimeSpan.Zero//new TimeSpan(0, 0, 2),
                    };
                });