Refactor Access Tokens (#2651)

- Make session token-based instead of user-based - Clear current session access tokens on logout - Introduce increment ID so we can show tokens to moderators in the future without exposing secrets - Switch to type classes to manage the different token types. New implementation fixes #2075 - Drop ability to customize lifetime per-token - Add developer access keys that don't expire. These must be created from the database for now - Add title in preparation for the developer token UI - Add IP and user agent logging - Delete all non-remember tokens in migration
2025-10-17 01:36:09 +02:00 · 2021-03-04 22:50:38 +01:00
parent 8eef7230e9
commit 08ba2599d7
28 changed files with 772 additions and 53 deletions
--- a/src/Http/Middleware/AuthenticateWithSession.php
+++ b/src/Http/Middleware/AuthenticateWithSession.php
@@ -9,8 +9,8 @@

 namespace Flarum\Http\Middleware;

+use Flarum\Http\AccessToken;
 use Flarum\User\Guest;
-use Flarum\User\User;
 use Illuminate\Contracts\Session\Session;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
@@ -23,7 +23,7 @@ class AuthenticateWithSession implements Middleware
    {
        $session = $request->getAttribute('session');

-        $actor = $this->getActor($session);
+        $actor = $this->getActor($session, $request);

        $actor->setSession($session);

@@ -32,14 +32,25 @@ class AuthenticateWithSession implements Middleware
        return $handler->handle($request);
    }

-    private function getActor(Session $session)
+    private function getActor(Session $session, Request $request)
    {
-        $actor = User::find($session->get('user_id')) ?: new Guest;
+        if ($session->has('access_token')) {
+            $token = AccessToken::findValid($session->get('access_token'));

-        if ($actor->exists) {
-            $actor->updateLastSeen()->save();
+            if ($token) {
+                $actor = $token->user;
+                $actor->updateLastSeen()->save();
+
+                $token->touch($request);
+
+                return $actor;
+            }
+
+            // If this session used to have a token which is no longer valid we properly refresh the session
+            $session->invalidate();
+            $session->regenerateToken();
        }

-        return $actor;
+        return new Guest;
    }
 }