Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add refresh token implementation #1367

Open
wants to merge 22 commits into
base: master
Choose a base branch
from
Open

Add refresh token implementation #1367

wants to merge 22 commits into from

Conversation

Ae-Mc
Copy link
Contributor

@Ae-Mc Ae-Mc commented Mar 9, 2024
edited

Add refresh token strategy, bearer token structure, database base class.
Need help with JWT and redis strategies.
Need help with cookie transport.
Need help with test writing (I will wrote it later, but tests must be reviewed by somebody more professional).
Need help with docs.

It can solve discussion #350.
In difference with pull request #1075 by @jtv8 this pull request doesn't change so much. Mostly it adds new classes, without changing old.

Ae-Mc and others added 21 commits March 9, 2024 05:13
@Ae-Mc
feat: add abstract base classes for refresh token usage
fbbe394
@Ae-Mc
feat: add refresh bearer
e86aede
@Ae-Mc
feat: add database refresh strategy
42d1357
@Ae-Mc
fix: fix BearerTransportRefresh get_login_response method
c3dab8f
@Ae-Mc
fix: fix some lint problems
0f8b98b
@Ae-Mc
refactor: rework class hierarchy so no lint errors occured
42362d8
@Ae-Mc
fix: fix access_token argument type in BaseAccessTokenDatabase
8109750
@Ae-Mc
fix(transport/bearer): abstract method get_openapi_logout_responses_s…
af43d4d 
…uccess was not implemented
@Ae-Mc
fix: fix access_token field name in create dict for refresh token
503e538
@Ae-Mc
fix(router): fix refresh route doesn't return anything
3983ff8
@MatthewScholefield @Ae-Mc
Fix utcnow deprecation warning (fastapi-users#1369)
866f33e
@allcontributors @Ae-Mc
docs: add MatthewScholefield as a contributor for code (fastapi-users…
b07e857 
…#1370)

* docs: update README.md [skip ci]

* docs: update .all-contributorsrc [skip ci]

---------

Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com>
@frankie567 @Ae-Mc
Upgrade and apply Ruff linting
9a748c7
@frankie567 @Ae-Mc
Replace passlib in favor of pwdlib
657b568
@frankie567 @Ae-Mc
Enable 3.12 support
06de5a5
@frankie567 @Ae-Mc
Upgrade pytest-asyncio usage
5ae64b4
@frankie567 @Ae-Mc
Bump python-multipart
a51232e
@frankie567 @Ae-Mc
Bump version 12.1.3 → 13.0.0
e48af6d 
Breaking change
---------------

The underlying password hashing library has been changed from `passlib` to `pwdlib`. This change is breaking only if you were using a custom `CryptContext`. Otherwise, you can upgrade without any changes.

Improvements
------------

* Python 3.12 support
* Password are now hashed using the Argon2 algorithm by default. Passwords created with the previous default algorithm (bcrypt) will still be verified correctly and upgraded to Argon2 when the user logs in.
* Bump dependencies
  * `python-multipart ==0.0.9`
@Ae-Mc
feat: add abstract base classes for refresh token usage
64b1b4b
@Ae-Mc
fix: fix union usage
4de46ba
@Ae-Mc
fix: export BearerTrasportRefresh and StrategyRefresh from authentica…
0299fc4 
…tion module
@hasB4K
Copy link

hasB4K commented Mar 22, 2024

I would love to see this PR merged into fastapi-users. The refresh token is something that is often necessary when a project start to scale. @frankie567 what do you think? :)

@Chiggy-Playz
Copy link

@Ae-Mc is this PR in a usable state right now? I'd like to clone it locally and try it out in my project

@Ae-Mc
Copy link
Contributor Author

Ae-Mc commented Mar 27, 2024

@Chiggy-Playz I'm using it right now on one of my projects

@Chiggy-Playz
Copy link

I see. If the repository is public can you link me where its used? I'd like to get an idea of how to set things up properly 😅

@Ae-Mc
Copy link
Contributor Author

Ae-Mc commented Mar 27, 2024
edited

Commit where I migrate from handmade version to library version: Ae-Mc/climbing-app-backend@f2516e7

Look at files
climbing/api/api_v1/endpoints/auth.py
climbing/core/security.py
climbing/db/models/user.py
climbing/db/session.py
pyproject.toml

@Chiggy-Playz
Copy link

@Ae-Mc thanks for the links! I think i've managed to implement it properly in my project as well (hopefully), however I did find a bug. The DatabaseRefreshStrategy has a parameter refresh_lifetime_seconds but that is not used anywhere. So I added the following code

    def _refresh_get_max_age(self) -> Optional[datetime]:
        max_age = None
        if self.refresh_lifetime_seconds:
            max_age = datetime.now(timezone.utc) - timedelta(
                seconds=self.refresh_lifetime_seconds
            )
        return max_age

inside the DatabaseRefreshStrategy class and then inside the read_token_by_refresh I use _refresh_get_max_age instead of _get_max_age. I've opened a PR on your repository and I'd be glad if you could merge it 😁

@abdullah-alnahas
Copy link

Hello,

I was wondering if you have any estimated timelines for when the merge will be completed and the release will take place.

@hasB4K
Copy link

hasB4K commented Apr 18, 2024

@abdullah-alnahas It really depends if @frankie567 wants this feature or not. Since he didn't answer yet, it's not even sure that this PR will even be accepted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@Ae-Mc @hasB4K @Chiggy-Playz @abdullah-alnahas @MatthewScholefield @frankie567