Elgato_dark/appwrite
1
0
Fork 0
mirror of https://github.com/appwrite/appwrite synced 2026-05-06 06:48:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge pull request #10329 from appwrite/fix-token-expiry

Browse source 
fix - incorrect file token expiry
This commit is contained in:
Steven Nguyen 2025-08-22 15:32:43 -07:00 committed by GitHub
commit 4a6a8053c4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 96 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
src/Appwrite/Utopia/Response/Model/ResourceToken.php
View file

@ -61,24 +61,28 @@ class ResourceToken extends Model
public function filter(Document $document): Document
{
$maxAge = PHP_INT_MAX;
$expire = $document->getAttribute('expire');
if ($expire !== null) {
$now = new \DateTime();
$expiryDate = new \DateTime($expire);
// Use a large but reasonable maxAge to avoid auto-exp when we set explicit exp
$jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 86400 * 365 * 10, 10); // 10 years
// set 1 min if expired, we check for expiry later on route hooks for validation!
$maxAge = min(60, $expiryDate->getTimestamp() - $now->getTimestamp());
}
$jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', $maxAge, 10);
$secret = $jwt->encode([
$payload = [
'tokenId' => $document->getId(),
'resourceId' => $document->getAttribute('resourceId'),
'resourceType' => $document->getAttribute('resourceType'),
'resourceInternalId' => $document->getAttribute('resourceInternalId'),
]);
];
// Set explicit expiration in JWT payload if we have an expiry date
if ($expire !== null) {
$expiryDate = new \DateTime($expire);
$payload['exp'] = $expiryDate->getTimestamp();
} else {
// For infinite expiry, set 'iat' to prevent JWT library from auto-adding 'exp'
$payload['iat'] = time();
}
$secret = $jwt->encode($payload);
$document->setAttribute('secret', $secret);

81
tests/e2e/Services/Tokens/TokensConsoleClientTest.php
View file

@ -2,6 +2,8 @@
namespace Tests\E2E\Services\Tokens;
use Ahc\Jwt\JWT;
use Ahc\Jwt\JWTException;
use CURLFile;
use Tests\E2E\Client;
use Tests\E2E\Scopes\ProjectCustom;
@ -12,6 +14,7 @@ use Utopia\Database\Helpers\ID;
use Utopia\Database\Helpers\Permission;
use Utopia\Database\Helpers\Role;
use Utopia\Database\Validator\Datetime as DatetimeValidator;
use Utopia\System\System;
class TokensConsoleClientTest extends Scope
{
@ -67,6 +70,28 @@ class TokensConsoleClientTest extends Scope
$this->assertEquals(201, $token['headers']['status-code']);
$this->assertEquals('files', $token['body']['resourceType']);
$this->assertNotEmpty($token['body']['$id']);
$this->assertNotEmpty($token['body']['secret']);
// Verify the generated token JWT contains correct resource information
$jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 86400 * 365 * 10, 10); // 10 years maxAge
try {
$payload = $jwt->decode($token['body']['secret']);
$this->assertIsArray($payload, 'JWT payload should decode to an array');
$this->assertArrayHasKey('tokenId', $payload, 'JWT payload should contain tokenId');
$this->assertArrayHasKey('resourceId', $payload, 'JWT payload should contain resourceId');
$this->assertArrayHasKey('resourceType', $payload, 'JWT payload should contain resourceType');
$this->assertArrayHasKey('resourceInternalId', $payload, 'JWT payload should contain resourceInternalId');
$this->assertEquals($token['body']['$id'], $payload['tokenId'], 'JWT tokenId should match token ID');
$this->assertEquals($bucketId . ':' . $fileId, $payload['resourceId'], 'JWT resourceId should match bucketId:fileId format');
$this->assertEquals('files', $payload['resourceType'], 'JWT resourceType should be files');
// For newly created tokens without expiry, should not have exp field
$this->assertArrayNotHasKey('exp', $payload, 'JWT payload should not contain exp field for tokens without expiry');
} catch (JWTException $e) {
$this->fail('Failed to decode JWT: ' . $e->getMessage());
}
return [
'fileId' => $fileId,
@ -94,6 +119,21 @@ class TokensConsoleClientTest extends Scope
$dateValidator = new DatetimeValidator();
$this->assertTrue($dateValidator->isValid($token['body']['expire']));
// Verify JWT contains correct expiration using native JWT decode
$this->assertNotEmpty($token['body']['secret']);
$jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 86400 * 365 * 10, 10); // 10 years maxAge
try {
$payload = $jwt->decode($token['body']['secret']);
$this->assertIsArray($payload, 'JWT payload should decode to an array');
$this->assertArrayHasKey('exp', $payload, 'JWT payload should contain exp field');
$expectedExp = (new \DateTime($expiry))->getTimestamp();
$this->assertEquals($expectedExp, $payload['exp'], 'JWT exp should match token expiry');
} catch (JWTException $e) {
$this->fail('Failed to decode JWT: ' . $e->getMessage());
}
// Infinite expiry
$token = $this->client->call(Client::METHOD_PATCH, '/tokens/' . $tokenId, array_merge([
'content-type' => 'application/json',
@ -104,6 +144,15 @@ class TokensConsoleClientTest extends Scope
$this->assertEmpty($token['body']['expire']);
// Verify JWT does not contain exp for infinite expiry using native JWT decode
try {
$payload = $jwt->decode($token['body']['secret']);
$this->assertIsArray($payload, 'JWT payload should decode to an array');
$this->assertArrayNotHasKey('exp', $payload, 'JWT payload should not contain exp field for infinite expiry');
} catch (JWTException $e) {
$this->fail('Failed to decode JWT: ' . $e->getMessage());
}
return $data;
}
@ -123,6 +172,38 @@ class TokensConsoleClientTest extends Scope
$this->assertIsArray($res['body']);
$this->assertEquals(200, $res['headers']['status-code']);
$this->assertArrayHasKey('tokens', $res['body']);
$this->assertIsArray($res['body']['tokens']);
$this->assertGreaterThan(0, count($res['body']['tokens']), 'Should have at least one token');
// Verify each token in the list
$jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 86400 * 365 * 10, 10); // 10 years maxAge
foreach ($res['body']['tokens'] as $token) {
$this->assertArrayHasKey('$id', $token, 'Token should have an ID');
$this->assertArrayHasKey('secret', $token, 'Token should have a secret');
$this->assertArrayHasKey('resourceType', $token, 'Token should have resourceType');
$this->assertArrayHasKey('resourceId', $token, 'Token should have resourceId');
$this->assertEquals('files', $token['resourceType'], 'Token resourceType should be files');
$this->assertEquals($data['bucketId'] . ':' . $data['fileId'], $token['resourceId'], 'Token resourceId should match bucketId:fileId format');
// Verify the JWT token is valid and contains correct information
try {
$payload = $jwt->decode($token['secret']);
$this->assertIsArray($payload, 'JWT payload should decode to an array');
$this->assertArrayHasKey('tokenId', $payload, 'JWT payload should contain tokenId');
$this->assertArrayHasKey('resourceId', $payload, 'JWT payload should contain resourceId');
$this->assertArrayHasKey('resourceType', $payload, 'JWT payload should contain resourceType');
$this->assertArrayHasKey('resourceInternalId', $payload, 'JWT payload should contain resourceInternalId');
$this->assertEquals($token['$id'], $payload['tokenId'], 'JWT tokenId should match token ID');
$this->assertEquals($data['bucketId'] . ':' . $data['fileId'], $payload['resourceId'], 'JWT resourceId should match bucketId:fileId format');
$this->assertEquals('files', $payload['resourceType'], 'JWT resourceType should be files');
} catch (JWTException $e) {
$this->fail('Failed to decode JWT for token ' . $token['$id'] . ': ' . $e->getMessage());
}
}
return $data;
}