Refactor Access Tokens (#2651)

- Make session token-based instead of user-based - Clear current session access tokens on logout - Introduce increment ID so we can show tokens to moderators in the future without exposing secrets - Switch to type classes to manage the different token types. New implementation fixes #2075 - Drop ability to customize lifetime per-token - Add developer access keys that don't expire. These must be created from the database for now - Add title in preparation for the developer token UI - Add IP and user agent logging - Delete all non-remember tokens in migration
2025-07-16 06:16:23 +02:00 · 2021-03-04 22:50:38 +01:00
parent 9c47ccd1fd
commit 965b713a27
28 changed files with 772 additions and 53 deletions
--- a/framework/core/migrations/2021_03_02_040000_change_access_tokens_add_type.php
+++ b/framework/core/migrations/2021_03_02_040000_change_access_tokens_add_type.php
@ -0,0 +1,43 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Schema\Builder;
+
+return [
+    'up' => function (Builder $schema) {
+        $schema->table('access_tokens', function (Blueprint $table) {
+            $table->string('type', 100)->index();
+        });
+
+        // Since all active sessions will stop working on update due to switching from user_id to access_token
+        // We can do things simple here by terminating all tokens that have the previously default lifetime
+        $schema->getConnection()->table('access_tokens')
+            ->where('lifetime_seconds', 3600)
+            ->delete();
+
+        // We will then assume that all remaining tokens are remember tokens
+        // This will include tokens that previously had a custom lifetime
+        $schema->getConnection()->table('access_tokens')
+            ->update([
+                'type' => 'session_remember',
+            ]);
+
+        $schema->table('access_tokens', function (Blueprint $table) {
+            $table->dropColumn('lifetime_seconds');
+        });
+    },
+
+    'down' => function (Builder $schema) {
+        $schema->table('access_tokens', function (Blueprint $table) {
+            $table->dropColumn('type');
+            $table->integer('lifetime_seconds');
+        });
+    }
+];
--- a/framework/core/migrations/2021_03_02_040500_change_access_tokens_add_id.php
+++ b/framework/core/migrations/2021_03_02_040500_change_access_tokens_add_id.php
@ -0,0 +1,35 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Schema\Builder;
+
+return [
+    'up' => function (Builder $schema) {
+        $schema->table('access_tokens', function (Blueprint $table) {
+            // Replace primary key with unique index so we can create a new primary
+            $table->dropPrimary('token');
+            $table->unique('token');
+        });
+
+        // This needs to be done in a second statement because of the order Laravel runs operations in
+        $schema->table('access_tokens', function (Blueprint $table) {
+            // Introduce new increment-based ID
+            $table->increments('id')->first();
+        });
+    },
+
+    'down' => function (Builder $schema) {
+        $schema->table('access_tokens', function (Blueprint $table) {
+            $table->dropColumn('id');
+            $table->dropIndex('token');
+            $table->primary('token');
+        });
+    }
+];
--- a/framework/core/migrations/2021_03_02_041000_change_access_tokens_add_title_ip_agent.php
+++ b/framework/core/migrations/2021_03_02_041000_change_access_tokens_add_title_ip_agent.php
@ -0,0 +1,21 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+use Flarum\Database\Migration;
+
+return Migration::addColumns('access_tokens', [
+    'title' => ['string', 'length' => 150, 'nullable' => true],
+    // Accommodates both IPv4 and IPv6 as strings
+    'last_ip_address' => ['string', 'length' => 45, 'nullable' => true],
+    // Technically, there's no limit to a user agent length
+    // Most are around 150 in length, and the general recommendation seems to be below 200
+    // We're going to use the longest string possible to be safe
+    // There will still be exceptions, we'll just truncate them
+    'last_user_agent' => ['string', 'length' => 255, 'nullable' => true],
+]);