diff --git a/src/Appwrite/Utopia/Response/Model/ResourceToken.php b/src/Appwrite/Utopia/Response/Model/ResourceToken.php index ef186c3d0b..87ab66ab5d 100644 --- a/src/Appwrite/Utopia/Response/Model/ResourceToken.php +++ b/src/Appwrite/Utopia/Response/Model/ResourceToken.php @@ -61,24 +61,28 @@ class ResourceToken extends Model public function filter(Document $document): Document { - $maxAge = PHP_INT_MAX; $expire = $document->getAttribute('expire'); - if ($expire !== null) { - $now = new \DateTime(); - $expiryDate = new \DateTime($expire); + // Use a large but reasonable maxAge to avoid auto-exp when we set explicit exp + $jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 86400 * 365 * 10, 10); // 10 years - // set 1 min if expired, we check for expiry later on route hooks for validation! - $maxAge = min(60, $expiryDate->getTimestamp() - $now->getTimestamp()); - } - - $jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', $maxAge, 10); - $secret = $jwt->encode([ + $payload = [ 'tokenId' => $document->getId(), 'resourceId' => $document->getAttribute('resourceId'), 'resourceType' => $document->getAttribute('resourceType'), 'resourceInternalId' => $document->getAttribute('resourceInternalId'), - ]); + ]; + + // Set explicit expiration in JWT payload if we have an expiry date + if ($expire !== null) { + $expiryDate = new \DateTime($expire); + $payload['exp'] = $expiryDate->getTimestamp(); + } else { + // For infinite expiry, set 'iat' to prevent JWT library from auto-adding 'exp' + $payload['iat'] = time(); + } + + $secret = $jwt->encode($payload); $document->setAttribute('secret', $secret); diff --git a/tests/e2e/Services/Tokens/TokensConsoleClientTest.php b/tests/e2e/Services/Tokens/TokensConsoleClientTest.php index 4a7aab474a..c0f94a55bf 100644 --- a/tests/e2e/Services/Tokens/TokensConsoleClientTest.php +++ b/tests/e2e/Services/Tokens/TokensConsoleClientTest.php @@ -2,6 +2,8 @@ namespace Tests\E2E\Services\Tokens; +use Ahc\Jwt\JWT; +use Ahc\Jwt\JWTException; use CURLFile; use Tests\E2E\Client; use Tests\E2E\Scopes\ProjectCustom; @@ -12,6 +14,7 @@ use Utopia\Database\Helpers\ID; use Utopia\Database\Helpers\Permission; use Utopia\Database\Helpers\Role; use Utopia\Database\Validator\Datetime as DatetimeValidator; +use Utopia\System\System; class TokensConsoleClientTest extends Scope { @@ -67,6 +70,28 @@ class TokensConsoleClientTest extends Scope $this->assertEquals(201, $token['headers']['status-code']); $this->assertEquals('files', $token['body']['resourceType']); + $this->assertNotEmpty($token['body']['$id']); + $this->assertNotEmpty($token['body']['secret']); + + // Verify the generated token JWT contains correct resource information + $jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 86400 * 365 * 10, 10); // 10 years maxAge + try { + $payload = $jwt->decode($token['body']['secret']); + $this->assertIsArray($payload, 'JWT payload should decode to an array'); + $this->assertArrayHasKey('tokenId', $payload, 'JWT payload should contain tokenId'); + $this->assertArrayHasKey('resourceId', $payload, 'JWT payload should contain resourceId'); + $this->assertArrayHasKey('resourceType', $payload, 'JWT payload should contain resourceType'); + $this->assertArrayHasKey('resourceInternalId', $payload, 'JWT payload should contain resourceInternalId'); + + $this->assertEquals($token['body']['$id'], $payload['tokenId'], 'JWT tokenId should match token ID'); + $this->assertEquals($bucketId . ':' . $fileId, $payload['resourceId'], 'JWT resourceId should match bucketId:fileId format'); + $this->assertEquals('files', $payload['resourceType'], 'JWT resourceType should be files'); + + // For newly created tokens without expiry, should not have exp field + $this->assertArrayNotHasKey('exp', $payload, 'JWT payload should not contain exp field for tokens without expiry'); + } catch (JWTException $e) { + $this->fail('Failed to decode JWT: ' . $e->getMessage()); + } return [ 'fileId' => $fileId, @@ -94,6 +119,21 @@ class TokensConsoleClientTest extends Scope $dateValidator = new DatetimeValidator(); $this->assertTrue($dateValidator->isValid($token['body']['expire'])); + // Verify JWT contains correct expiration using native JWT decode + $this->assertNotEmpty($token['body']['secret']); + + $jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 86400 * 365 * 10, 10); // 10 years maxAge + try { + $payload = $jwt->decode($token['body']['secret']); + $this->assertIsArray($payload, 'JWT payload should decode to an array'); + $this->assertArrayHasKey('exp', $payload, 'JWT payload should contain exp field'); + + $expectedExp = (new \DateTime($expiry))->getTimestamp(); + $this->assertEquals($expectedExp, $payload['exp'], 'JWT exp should match token expiry'); + } catch (JWTException $e) { + $this->fail('Failed to decode JWT: ' . $e->getMessage()); + } + // Infinite expiry $token = $this->client->call(Client::METHOD_PATCH, '/tokens/' . $tokenId, array_merge([ 'content-type' => 'application/json', @@ -104,6 +144,15 @@ class TokensConsoleClientTest extends Scope $this->assertEmpty($token['body']['expire']); + // Verify JWT does not contain exp for infinite expiry using native JWT decode + try { + $payload = $jwt->decode($token['body']['secret']); + $this->assertIsArray($payload, 'JWT payload should decode to an array'); + $this->assertArrayNotHasKey('exp', $payload, 'JWT payload should not contain exp field for infinite expiry'); + } catch (JWTException $e) { + $this->fail('Failed to decode JWT: ' . $e->getMessage()); + } + return $data; } @@ -123,6 +172,38 @@ class TokensConsoleClientTest extends Scope $this->assertIsArray($res['body']); $this->assertEquals(200, $res['headers']['status-code']); + $this->assertArrayHasKey('tokens', $res['body']); + $this->assertIsArray($res['body']['tokens']); + $this->assertGreaterThan(0, count($res['body']['tokens']), 'Should have at least one token'); + + // Verify each token in the list + $jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 86400 * 365 * 10, 10); // 10 years maxAge + foreach ($res['body']['tokens'] as $token) { + $this->assertArrayHasKey('$id', $token, 'Token should have an ID'); + $this->assertArrayHasKey('secret', $token, 'Token should have a secret'); + $this->assertArrayHasKey('resourceType', $token, 'Token should have resourceType'); + $this->assertArrayHasKey('resourceId', $token, 'Token should have resourceId'); + + $this->assertEquals('files', $token['resourceType'], 'Token resourceType should be files'); + $this->assertEquals($data['bucketId'] . ':' . $data['fileId'], $token['resourceId'], 'Token resourceId should match bucketId:fileId format'); + + // Verify the JWT token is valid and contains correct information + try { + $payload = $jwt->decode($token['secret']); + $this->assertIsArray($payload, 'JWT payload should decode to an array'); + $this->assertArrayHasKey('tokenId', $payload, 'JWT payload should contain tokenId'); + $this->assertArrayHasKey('resourceId', $payload, 'JWT payload should contain resourceId'); + $this->assertArrayHasKey('resourceType', $payload, 'JWT payload should contain resourceType'); + $this->assertArrayHasKey('resourceInternalId', $payload, 'JWT payload should contain resourceInternalId'); + + $this->assertEquals($token['$id'], $payload['tokenId'], 'JWT tokenId should match token ID'); + $this->assertEquals($data['bucketId'] . ':' . $data['fileId'], $payload['resourceId'], 'JWT resourceId should match bucketId:fileId format'); + $this->assertEquals('files', $payload['resourceType'], 'JWT resourceType should be files'); + } catch (JWTException $e) { + $this->fail('Failed to decode JWT for token ' . $token['$id'] . ': ' . $e->getMessage()); + } + } + return $data; }