Implement refresh-tokens. (resolves #50)

Signed-off-by: Jason Volk <jason@zemos.net>
2025-07-31 08:19:57 +00:00
parent 0d7eeb7766
commit 1664a2c225
13 changed files with 364 additions and 128 deletions
--- a/src/api/client/device.rs
+++ b/src/api/client/device.rs
@@ -100,7 +100,8 @@ pub(crate) async fn update_device_route(
 				.create_device(
 					sender_user,
 					&device_id,
-					&appservice.registration.as_token,
+					(&appservice.registration.as_token, None),
+					None,
 					None,
 					Some(client.to_string()),
 				)
--- a/src/api/client/mod.rs
+++ b/src/api/client/mod.rs
@@ -89,7 +89,7 @@ pub(super) use well_known::*;
 const DEVICE_ID_LENGTH: usize = 10;

 /// generated user access token length
-const TOKEN_LENGTH: usize = 32;
+const TOKEN_LENGTH: usize = tuwunel_service::users::device::TOKEN_LENGTH;

 /// generated user session ID length
 const SESSION_ID_LENGTH: usize = tuwunel_service::uiaa::SESSION_ID_LENGTH;
--- a/src/api/client/register.rs
+++ b/src/api/client/register.rs
@@ -17,8 +17,9 @@ use ruma::{
 	push,
 };
 use tuwunel_core::{Err, Error, Result, debug_info, error, info, is_equal_to, utils, warn};
+use tuwunel_service::users::device::generate_refresh_token;

-use super::{DEVICE_ID_LENGTH, SESSION_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
+use super::{DEVICE_ID_LENGTH, SESSION_ID_LENGTH, join_room_by_id_helper};
 use crate::Ruma;

 const RANDOM_USER_ID_LENGTH: usize = 10;
@@ -432,7 +433,12 @@ pub(crate) async fn register_route(
 		.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());

 	// Generate new token for the device
-	let token = utils::random_string(TOKEN_LENGTH);
+	let (access_token, expires_in) = services
+		.users
+		.generate_access_token(body.body.refresh_token);
+
+	// Generate a new refresh_token if requested by client
+	let refresh_token = expires_in.is_some().then(generate_refresh_token);

 	// Create device for this account
 	services
@@ -440,7 +446,8 @@ pub(crate) async fn register_route(
 		.create_device(
 			&user_id,
 			&device_id,
-			&token,
+			(&access_token, expires_in),
+			refresh_token.as_deref(),
 			body.initial_device_display_name.clone(),
 			Some(client.to_string()),
 		)
@@ -574,11 +581,11 @@ pub(crate) async fn register_route(
 	}

 	Ok(register::v3::Response {
-		access_token: Some(token),
 		user_id,
 		device_id: Some(device_id),
-		refresh_token: None,
-		expires_in: None,
+		access_token: Some(access_token),
+		refresh_token,
+		expires_in,
 	})
 }

--- a/src/api/client/session/mod.rs
+++ b/src/api/client/session/mod.rs
@@ -3,6 +3,7 @@ mod jwt;
 mod ldap;
 mod logout;
 mod password;
+mod refresh;
 mod token;

 use axum::extract::State;
@@ -21,10 +22,12 @@ use ruma::api::client::session::{
 	},
 };
 use tuwunel_core::{Err, Result, info, utils, utils::stream::ReadyExt};
+use tuwunel_service::users::device::generate_refresh_token;

 use self::{ldap::ldap_login, password::password_login};
 pub(crate) use self::{
 	logout::{logout_all_route, logout_route},
+	refresh::refresh_token_route,
 	token::login_token_route,
 };
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
@@ -87,7 +90,12 @@ pub(crate) async fn login_route(
 	};

 	// Generate a new token for the device
-	let access_token = utils::random_string(TOKEN_LENGTH);
+	let (access_token, expires_in) = services
+		.users
+		.generate_access_token(body.body.refresh_token);
+
+	// Generate a new refresh_token if requested by client
+	let refresh_token = expires_in.is_some().then(generate_refresh_token);

 	// Generate new device id if the user didn't specify one
 	let device_id = body
@@ -108,7 +116,8 @@ pub(crate) async fn login_route(
 			.create_device(
 				&user_id,
 				&device_id,
-				&access_token,
+				(&access_token, expires_in),
+				refresh_token.as_deref(),
 				body.initial_device_display_name.clone(),
 				Some(client.to_string()),
 			)
@@ -116,7 +125,13 @@ pub(crate) async fn login_route(
 	} else {
 		services
 			.users
-			.set_access_token(&user_id, &device_id, &access_token)
+			.set_access_token(
+				&user_id,
+				&device_id,
+				&access_token,
+				expires_in,
+				refresh_token.as_deref(),
+			)
 			.await?;
 	}

@@ -141,7 +156,7 @@ pub(crate) async fn login_route(
 		device_id,
 		home_server,
 		well_known,
-		expires_in: None,
-		refresh_token: None,
+		expires_in,
+		refresh_token,
 	})
 }
--- a/src/api/client/session/refresh.rs
+++ b/src/api/client/session/refresh.rs
@@ -0,0 +1,54 @@
+use axum::extract::State;
+use axum_client_ip::InsecureClientIp;
+use ruma::api::client::session::refresh_token::v3::{Request, Response};
+use tuwunel_core::{Err, Result, debug_info, err};
+use tuwunel_service::users::device::generate_refresh_token;
+
+use crate::Ruma;
+
+/// # `POST /_matrix/client/v3/refresh`
+///
+/// Refresh an access token.
+///
+/// <https://spec.matrix.org/v1.15/client-server-api/#post_matrixclientv3refresh>
+#[tracing::instrument(skip_all, fields(%client), name = "refresh_token")]
+pub(crate) async fn refresh_token_route(
+	State(services): State<crate::State>,
+	InsecureClientIp(client): InsecureClientIp,
+	body: Ruma<Request>,
+) -> Result<Response> {
+	let refresh_token_claim = body.body.refresh_token;
+
+	if !refresh_token_claim.starts_with("refresh_") {
+		return Err!(Request(Forbidden("Refresh token is malformed.")));
+	}
+
+	let (user_id, device_id, ..) = services
+		.users
+		.find_from_token(&refresh_token_claim)
+		.await
+		.map_err(|e| err!(Request(Forbidden("Refresh token is unrecognized: {e}"))))?;
+
+	// New tokens
+	let refresh_token = Some(generate_refresh_token());
+	let (access_token, expires_in_ms) = services.users.generate_access_token(true);
+
+	services
+		.users
+		.set_access_token(
+			&user_id,
+			&device_id,
+			&access_token,
+			expires_in_ms,
+			refresh_token.as_deref(),
+		)
+		.await?;
+
+	debug_info!(?user_id, ?device_id, ?expires_in_ms, "refreshed their access_token",);
+
+	Ok(Response {
+		access_token,
+		refresh_token,
+		expires_in_ms,
+	})
+}
--- a/src/api/router.rs
+++ b/src/api/router.rs
@@ -35,6 +35,7 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 		.ruma_route(&client::get_login_types_route)
 		.ruma_route(&client::login_route)
 		.ruma_route(&client::login_token_route)
+		.ruma_route(&client::refresh_token_route)
 		.ruma_route(&client::whoami_route)
 		.ruma_route(&client::logout_route)
 		.ruma_route(&client::logout_all_route)
--- a/src/api/router/auth.rs
+++ b/src/api/router/auth.rs
@@ -29,7 +29,9 @@ use ruma::{
 		federation::{authentication::XMatrix, openid::get_openid_userinfo},
 	},
 };
-use tuwunel_core::{Err, Error, Result, debug_error, err, warn};
+use tuwunel_core::{
+	Err, Error, Result, debug_error, err, is_less_than, utils::result::LogDebugErr, warn,
+};
 use tuwunel_service::{
 	Services,
 	appservice::RegistrationInfo,
@@ -40,7 +42,8 @@ use super::request::Request;

 enum Token {
 	Appservice(Box<RegistrationInfo>),
-	User((OwnedUserId, OwnedDeviceId)),
+	User((OwnedUserId, OwnedDeviceId, Option<SystemTime>)),
+	Expired((OwnedUserId, OwnedDeviceId)),
 	Invalid,
 	None,
 }
@@ -51,6 +54,7 @@ pub(super) struct Auth {
 	pub(super) sender_user: Option<OwnedUserId>,
 	pub(super) sender_device: Option<OwnedDeviceId>,
 	pub(super) appservice_info: Option<RegistrationInfo>,
+	pub(super) _expires_at: Option<SystemTime>,
 }

 #[tracing::instrument(
@@ -65,6 +69,11 @@ pub(super) async fn auth(
 	json_body: Option<&CanonicalJsonValue>,
 	metadata: &Metadata,
 ) -> Result<Auth> {
+	use AuthScheme::{AccessToken, AccessTokenOptional, AppserviceToken, ServerSignatures};
+	use Error::BadRequest;
+	use ErrorKind::UnknownToken;
+	use Token::{Appservice, Expired, Invalid, User};
+
 	let bearer: Option<TypedHeader<Authorization<Bearer>>> =
 		request.parts.extract().await.unwrap_or(None);

@@ -73,70 +82,76 @@ pub(super) async fn auth(
 		| None => request.query.access_token.as_deref(),
 	};

-	let token = find_token(services, token).await?;
+	let token = match find_token(services, token).await? {
+		| User((user_id, device_id, expires_at))
+			if expires_at.is_some_and(is_less_than!(SystemTime::now())) =>
+			Expired((user_id, device_id)),
+
+		| token => token,
+	};

 	if metadata.authentication == AuthScheme::None {
 		check_auth_still_required(services, metadata, &token)?;
 	}

 	match (metadata.authentication, token) {
-		| (AuthScheme::AccessToken, Token::Appservice(info)) =>
-			Ok(auth_appservice(services, request, info).await?),
-		| (
-			AuthScheme::None | AuthScheme::AccessTokenOptional | AuthScheme::AppserviceToken,
-			Token::Appservice(info),
-		) => Ok(Auth {
-			appservice_info: Some(*info),
+		| (AccessToken, Appservice(info)) => Ok(auth_appservice(services, request, info).await?),
+
+		| (AccessToken | AccessTokenOptional | AuthScheme::None, User(user)) => Ok(Auth {
+			sender_user: Some(user.0),
+			sender_device: Some(user.1),
+			_expires_at: user.2,
 			..Auth::default()
 		}),
-		| (AuthScheme::AccessToken, Token::None) => match metadata {
-			| &get_turn_server_info::v3::Request::METADATA => {
-				if services.server.config.turn_allow_guests {
-					Ok(Auth::default())
-				} else {
-					Err!(Request(MissingToken("Missing access token.")))
-				}
-			},
+
+		| (AccessToken, Token::None) => match metadata {
+			| &get_turn_server_info::v3::Request::METADATA
+				if services.server.config.turn_allow_guests =>
+				Ok(Auth::default()),
+
 			| _ => Err!(Request(MissingToken("Missing access token."))),
 		},
-		| (
-			AuthScheme::AccessToken | AuthScheme::AccessTokenOptional | AuthScheme::None,
-			Token::User((user_id, device_id)),
-		) => Ok(Auth {
-			sender_user: Some(user_id),
-			sender_device: Some(device_id),
-			..Auth::default()
-		}),
-		| (AuthScheme::ServerSignatures, Token::None) =>
-			Ok(auth_server(services, request, json_body).await?),
-		| (
-			AuthScheme::None | AuthScheme::AppserviceToken | AuthScheme::AccessTokenOptional,
-			Token::None,
-		) => Ok(Auth::default()),
-		| (AuthScheme::ServerSignatures, Token::Appservice(_) | Token::User(_)) =>
-			Err!(Request(Unauthorized("Only server signatures should be used on this endpoint."))),
-		| (AuthScheme::AppserviceToken, Token::User(_)) => Err!(Request(Unauthorized(
-			"Only appservice access tokens should be used on this endpoint."
-		))),
-		| (AuthScheme::None, Token::Invalid) => {
+
+		| (AppserviceToken, User(_)) =>
+			Err!(Request(Unauthorized("Appservice tokens must be used on this endpoint."))),
+
+		| (ServerSignatures, Appservice(_) | User(_)) =>
+			Err!(Request(Unauthorized("Server signatures must be used on this endpoint."))),
+
+		| (ServerSignatures, Token::None) => Ok(auth_server(services, request, json_body).await?),
+
+		| (AuthScheme::None | AccessTokenOptional | AppserviceToken, Appservice(info)) =>
+			Ok(Auth {
+				appservice_info: Some(*info),
+				..Auth::default()
+			}),
+
+		| (AuthScheme::None | AccessTokenOptional | AppserviceToken, Token::None) =>
+			Ok(Auth::default()),
+
+		| (AuthScheme::None, Invalid)
+			if request.query.access_token.is_some()
+				&& metadata == &get_openid_userinfo::v1::Request::METADATA =>
+		{
 			// OpenID federation endpoint uses a query param with the same name, drop this
 			// once query params for user auth are removed from the spec. This is
 			// required to make integration manager work.
-			if request.query.access_token.is_some()
-				&& metadata == &get_openid_userinfo::v1::Request::METADATA
-			{
-				Ok(Auth::default())
-			} else {
-				Err(Error::BadRequest(
-					ErrorKind::UnknownToken { soft_logout: false },
-					"Unknown access token.",
-				))
-			}
+			Ok(Auth::default())
 		},
-		| (_, Token::Invalid) => Err(Error::BadRequest(
-			ErrorKind::UnknownToken { soft_logout: false },
-			"Unknown access token.",
-		)),
+
+		| (_, Expired((user_id, device_id))) => {
+			services
+				.users
+				.remove_access_token(&user_id, &device_id)
+				.await
+				.log_debug_err()
+				.ok();
+
+			Err(BadRequest(UnknownToken { soft_logout: true }, "Expired access token."))
+		},
+
+		| (_, Invalid) =>
+			Err(BadRequest(UnknownToken { soft_logout: false }, "Unknown access token.")),
 	}
 }

@@ -159,7 +174,7 @@ fn check_auth_still_required(services: &Services, metadata: &Metadata, token: &T
 				.require_auth_for_profile_requests =>
 			match token {
 				| Token::Appservice(_) | Token::User(_) => Ok(()),
-				| Token::None | Token::Invalid =>
+				| Token::None | Token::Expired(_) | Token::Invalid =>
 					Err!(Request(MissingToken("Missing or invalid access token."))),
 			},
 		| &get_public_rooms::v3::Request::METADATA
@@ -169,7 +184,7 @@ fn check_auth_still_required(services: &Services, metadata: &Metadata, token: &T
 				.allow_public_room_directory_without_auth =>
 			match token {
 				| Token::Appservice(_) | Token::User(_) => Ok(()),
-				| Token::None | Token::Invalid =>
+				| Token::None | Token::Expired(_) | Token::Invalid =>
 					Err!(Request(MissingToken("Missing or invalid access token."))),
 			},
 		| _ => Ok(()),
@@ -183,7 +198,7 @@ async fn find_token(services: &Services, token: Option<&str>) -> Result<Token> {

 	let user_token = services
 		.users
-		.find_from_access_token(token)
+		.find_from_token(token)
 		.map_ok(Token::User);

 	let appservice_token = services
@@ -226,10 +241,9 @@ async fn auth_appservice(
 	}

 	Ok(Auth {
-		origin: None,
 		sender_user: Some(user_id),
-		sender_device: None,
 		appservice_info: Some(*info),
+		..Auth::default()
 	})
 }

@@ -304,9 +318,7 @@ async fn auth_server(

 	Ok(Auth {
 		origin: origin.to_owned().into(),
-		sender_user: None,
-		sender_device: None,
-		appservice_info: None,
+		..Auth::default()
 	})
 }