
Add ws endpoint to remove expiration date from refresh tokens #117546

Merged
merged 11 commits into from
May 29, 2024

Conversation

edenhaus
Contributor

Breaking change

Proposed change

Add websocket endpoint auth/remove_expiry_date_refresh_token to remove the expiry date of a refresh token.
By removing the expiration date, the refresh token will never expire and will always be valid.

Type of change

  • Dependency upgrade
  • Bugfix (non-breaking change which fixes an issue)
  • New integration (thank you!)
  • New feature (which adds functionality to an existing integration)
  • Deprecation (breaking change to happen in the future)
  • Breaking change (fix/feature causing existing functionality to break)
  • Code quality improvements to existing code or addition of tests

Additional information

  • This PR fixes or closes issue: fixes #
  • This PR is related to issue:
  • Link to documentation pull request:

Checklist

  • The code change is tested and works locally.
  • Local tests pass. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.
  • I have followed the development checklist
  • I have followed the perfect PR recommendations
  • The code has been formatted using Ruff (ruff format homeassistant tests)
  • Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

If the code communicates with devices, web services, or third-party tools:

  • The manifest file has all fields filled out correctly.
    Updated and included derived files by running: python3 -m script.hassfest.
  • New or updated dependencies have been added to requirements_all.txt.
    Updated by running python3 -m script.gen_requirements_all.
  • For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.
  • Untested files have been added to .coveragerc.

To help with the load of incoming pull requests:

@home-assistant

Hey there @home-assistant/core, mind taking a look at this pull request as it has been labeled with an integration (auth) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of auth can trigger bot actions by commenting:

  • @home-assistant close Closes the pull request.
  • @home-assistant rename Awesome new title Renames the pull request.
  • @home-assistant reopen Reopen the pull request.
  • @home-assistant unassign auth Removes the current integration label and assignees on the pull request, add the integration domain after the command.
  • @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the pull request.
  • @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the pull request.

@edenhaus edenhaus force-pushed the edenhaus-remove-expiry-date-refresh-token branch from d5fdc22 to c9edd06 Compare May 16, 2024 15:27
@edenhaus
Contributor Author

@CodiumAI-Agent /review

@CodiumAI-Agent

PR Review 🔍

⏱️ Estimated effort to review [1-5]

3, because the PR involves changes across multiple files and introduces a new feature that affects security and functionality. The changes are moderate in size but critical in nature, requiring careful review of security implications and correctness.

🧪 Relevant tests

No

⚡ Possible issues

Possible Security Issue: The feature to remove the expiry date from refresh tokens can potentially lead to tokens that never expire, increasing the risk of token misuse if they are leaked or stolen.

🔒 Security concerns

Yes, the introduction of non-expiring refresh tokens can lead to increased security risks, as it allows tokens to remain valid indefinitely. This could be problematic if tokens are compromised.

Code feedback:
  • Relevant file: homeassistant/auth/auth_store.py
    Suggestion: Consider implementing a logging mechanism when the expiry date of a refresh token is removed. This can help in auditing and tracking changes to sensitive token information. [important]
    Relevant line: self._async_schedule_save()

  • Relevant file: homeassistant/components/auth/__init__.py
    Suggestion: Add error handling for cases where the refresh_token_id does not exist or is invalid in the websocket_remove_expiry_date_refresh_token function. This will improve the robustness of the endpoint. [important]
    Relevant line: connection.send_error(msg["id"], "invalid_token_id", "Received invalid token")

  • Relevant file: homeassistant/auth/__init__.py
    Suggestion: It might be beneficial to add a confirmation mechanism before removing the expiry date from a refresh token, to ensure that this critical operation is intentional and authorized. [important]
    Relevant line: self._store.async_remove_expiry_date(refresh_token)

  • Relevant file: homeassistant/auth/auth_store.py
    Suggestion: Implement a mechanism to optionally restore the expiry date for tokens where it was previously removed, enhancing flexibility in token management. [medium]
    Relevant line: refresh_token.expire_at = None
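The behaviour the PR description states (a refresh token whose expiry date is cleared never expires) together with the checks the automated review asks for above (rejecting an unknown refresh_token_id with an invalid_token_id error, logging the change for audit, and being able to restore an expiry) can be modelled in a few dozen lines. The following is an added example written for this page, not Home Assistant's own code: the TokenStore, RefreshToken, edit_expiry_date, handle_edit_expiry and never_expiring names, the 90-day lifetime, the message shape, and the rule that a token may only be modified by the user who owns it are all assumptions of the example.

```python
"""Illustrative model of refresh-token expiry handling (added example, not Home Assistant code)."""
from __future__ import annotations

import logging
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any

_LOGGER = logging.getLogger(__name__)

# Assumed default lifetime for an expiring refresh token (placeholder value).
REFRESH_TOKEN_EXPIRATION = timedelta(days=90)
# Constructed reference time used by the demo and tests.
T0 = datetime(2024, 5, 29, tzinfo=timezone.utc)


def days_after(base: datetime, days: int) -> datetime:
    """Helper to express points in time relative to a base timestamp."""
    return base + timedelta(days=days)


@dataclass
class RefreshToken:
    """Stand-in for a stored refresh token; expire_at=None means it never expires."""

    id: str
    user_id: str
    created_at: datetime
    expire_at: datetime | None


class InvalidTokenId(LookupError):
    """Raised when refresh_token_id does not resolve to a stored token."""


class TokenStore:
    """In-memory token store (hypothetical) with an audit trail of expiry changes."""

    def __init__(self) -> None:
        self._tokens: dict[str, RefreshToken] = {}
        self.audit: list[dict[str, Any]] = []

    def create(self, token_id: str, user_id: str, now: datetime) -> RefreshToken:
        token = RefreshToken(token_id, user_id, now, now + REFRESH_TOKEN_EXPIRATION)
        self._tokens[token_id] = token
        return token

    def get(self, token_id: str) -> RefreshToken | None:
        return self._tokens.get(token_id)

    def is_valid(self, token_id: str, now: datetime) -> bool:
        """A token is valid if it exists and either never expires or has not expired yet."""
        token = self._tokens.get(token_id)
        if token is None:
            return False
        return token.expire_at is None or now < token.expire_at

    def edit_expiry_date(self, token_id: str, *, enable_expiry: bool, now: datetime) -> RefreshToken:
        """Clear the expiry (enable_expiry=False) or restore it, recording the change for audit."""
        token = self._tokens.get(token_id)
        if token is None:
            raise InvalidTokenId(token_id)
        before = token.expire_at
        # Restoring expiry counts from now so an old token is not invalidated on the spot
        # (a design choice of this example).
        token.expire_at = now + REFRESH_TOKEN_EXPIRATION if enable_expiry else None
        self.audit.append(
            {"event": "refresh_token_expiry_changed", "token_id": token_id,
             "user_id": token.user_id, "before": before, "after": token.expire_at, "at": now}
        )
        _LOGGER.warning("Refresh token %s (user %s): expiry %s -> %s",
                        token_id, token.user_id, before, token.expire_at)
        return token

    def never_expiring(self) -> list[str]:
        """Inventory of tokens without expiry, the set a defender should review periodically."""
        return sorted(t.id for t in self._tokens.values() if t.expire_at is None)


def handle_edit_expiry(store: TokenStore, msg: dict[str, Any],
                       requester_user_id: str, now: datetime) -> dict[str, Any]:
    """Model of the websocket handler: returns a success payload or an invalid_token_id error.

    Unknown ids and tokens owned by another user get the same error, so the endpoint
    does not reveal which token ids exist (ownership rule is an assumption of this example).
    """
    token = store.get(str(msg.get("refresh_token_id", "")))
    if token is None or token.user_id != requester_user_id:
        return {"success": False,
                "error": {"code": "invalid_token_id", "message": "Received invalid token"}}
    token = store.edit_expiry_date(token.id, enable_expiry=bool(msg.get("enable_expiry", True)), now=now)
    return {"success": True, "result": {"refresh_token_id": token.id,
            "expire_at": token.expire_at.isoformat() if token.expire_at else None}}


if __name__ == "__main__":
    store = TokenStore()
    store.create("tok-1", "user-a", T0)
    print(handle_edit_expiry(store, {"refresh_token_id": "tok-1", "enable_expiry": False}, "user-a", T0))
    print("never-expiring tokens:", store.never_expiring())
```

The never_expiring inventory is the operational counterpart of the review's security concern: once an endpoint can produce tokens that never expire, something has to list them so they can be reviewed and revoked if the client that holds them is no longer trusted.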

@edenhaus edenhaus marked this pull request as ready for review May 22, 2024 07:56
@edenhaus edenhaus requested a review from a team as a code owner May 22, 2024 07:56
@frenck frenck added this to the 2024.6.0b0 milestone May 23, 2024
@edenhaus
Contributor Author

@coderabbitai review


coderabbitai bot commented May 23, 2024

Actions Performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


coderabbitai bot commented May 23, 2024

Walkthrough

The recent updates introduce functionality to edit the expiry date of refresh tokens within Home Assistant. This includes adding methods to the auth module and auth_store for modifying token expiry dates, integrating a new WebSocket command for user interactions, and updating tests to ensure the new functionality works correctly.

Changes

Files and change summary:

  • homeassistant/auth/__init__.py: Added async_edit_expiry_date method to edit the expiry date of a refresh token.
  • homeassistant/auth/auth_store.py: Introduced async_edit_expiry_date method to handle token expiry date modifications.
  • homeassistant/components/auth/__init__.py: Added WebSocket command websocket_edit_expiry_date_refresh_token for editing token expiry dates.
  • tests/auth/test_auth_store.py: Updated tests: modified test_dont_change_expire_at_on_load and added test_edit_expiry_date.
  • tests/components/auth/test_init.py: Added async tests: test_ws_edit_expiry_date_refresh_token and test_ws_remove_expiry_date_refresh_token_error.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Outside diff range and nitpick comments (1)
homeassistant/components/auth/__init__.py (1)

199-199: Ensure proper documentation for the new WebSocket command websocket_edit_expiry_date_refresh_token.

Adding a brief comment explaining the purpose and usage of this new WebSocket command would enhance code maintainability and readability.

@frenck frenck added the smash Indicator this PR is close to finish for merging or closing label May 25, 2024
@home-assistant home-assistant bot marked this pull request as draft May 27, 2024 14:12
@home-assistant
Copy link

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

edenhaus and others added 2 commits May 27, 2024 17:16
Co-authored-by: Erik Montnemery <erik@montnemery.com>
@edenhaus edenhaus marked this pull request as ready for review May 27, 2024 15:24
@home-assistant home-assistant bot requested a review from emontnemery May 27, 2024 15:24
Co-authored-by: Erik Montnemery <erik@montnemery.com>
@edenhaus edenhaus marked this pull request as draft May 28, 2024 08:50
@edenhaus edenhaus marked this pull request as ready for review May 28, 2024 10:31
@home-assistant home-assistant bot requested a review from emontnemery May 28, 2024 10:31
Contributor

@emontnemery emontnemery left a comment


LGTM, thanks @edenhaus 👍

@edenhaus edenhaus merged commit e087abe into dev May 29, 2024
38 checks passed
@edenhaus edenhaus deleted the edenhaus-remove-expiry-date-refresh-token branch May 29, 2024 07:10
@github-actions github-actions bot locked and limited conversation to collaborators May 30, 2024