mirror/php-flarum
1
0
Fork 0
mirror of https://github.com/flarum/core.git synced 2025-10-12 23:44:27 +02:00
Code Issues Releases Wiki Activity

Refactor Access Tokens (#2651)

Browse Source 
- Make session token-based instead of user-based
- Clear current session access tokens on logout
- Introduce increment ID so we can show tokens to moderators in the future without exposing secrets
- Switch to type classes to manage the different token types. New implementation fixes #2075
- Drop ability to customize lifetime per-token
- Add developer access keys that don't expire. These must be created from the database for now
- Add title in preparation for the developer token UI
- Add IP and user agent logging
- Delete all non-remember tokens in migration
This commit is contained in:
Clark Winkelmann
2021-03-04 22:50:38 +01:00
committed by GitHub
parent 8eef7230e9
commit 08ba2599d7
28 changed files with 772 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/Api/Controller/CreateTokenController.php
View File

@@ -9,7 +9,8 @@
namespace Flarum\Api\Controller;
use Flarum\Http\AccessToken;
use Flarum\Http\RememberAccessToken;
use Flarum\Http\SessionAccessToken;
use Flarum\User\Exception\NotAuthenticatedException;
use Flarum\User\UserRepository;
use Illuminate\Contracts\Bus\Dispatcher as BusDispatcher;
@@ -66,8 +67,20 @@ class CreateTokenController implements RequestHandlerInterface
throw new NotAuthenticatedException;
}
$token = AccessToken::generate($user->id, $lifetime);
$token->save();
// Use of lifetime attribute is deprecated in beta 16, removed in beta 17
// For backward compatibility with custom integrations, longer lifetimes will be interpreted as remember tokens
if ($lifetime > 3600 || Arr::get($body, 'remember')) {
if ($lifetime > 3600) {
trigger_error('Use of parameter lifetime is deprecated in beta 16, will be removed in beta 17. Use remember parameter to start a remember session', E_USER_DEPRECATED);
}
$token = RememberAccessToken::generate($user->id);
} else {
$token = SessionAccessToken::generate($user->id);
}
// We do a first update here to log the IP/agent of the token creator, even if the token is never used afterwards
$token->touch($request);
return new JsonResponse([
'token' => $token->token,