Add model for JWT refresh token

stveit · stveit · commit 4805ebfb7e8e · 2025-02-21T12:43:00.000+01:00
diff --git a/changelog.d/3268.added.md b/changelog.d/3268.added.md
@@ -0,0 +1 @@
+Add database model for JWT refresh tokens
diff --git a/python/nav/models/api.py b/python/nav/models/api.py
@@ -23,6 +23,7 @@
 
 from nav.models.fields import VarcharField
 from nav.models.profiles import Account
+from nav.web.jwtgen import is_active
 
 
 class APIToken(models.Model):
@@ -66,3 +67,27 @@ def get_absolute_url(self):
 
     class Meta(object):
         db_table = 'apitoken'
+
+
+class JWTRefreshToken(models.Model):
+
+    name = VarcharField(unique=True)
+    description = models.TextField(null=True, blank=True)
+    expires = models.DateTimeField()
+    activates = models.DateTimeField()
+    last_used = models.DateTimeField(null=True)
+    revoked = models.BooleanField(default=False)
+    hash = VarcharField()
+
+    def __str__(self):
+        return self.name
+
+    def is_active(self) -> bool:
+        """Returns True if the token is active. A token is considered active when
+        `expires` is in the future and `activates` is in the past or matches
+        the current time.
+        """
+        return is_active(self.expires.timestamp(), self.activates.timestamp())
+
+    class Meta(object):
+        db_table = 'jwtrefreshtoken'
diff --git a/python/nav/models/sql/changes/sc.05.13.0001.sql b/python/nav/models/sql/changes/sc.05.13.0001.sql
@@ -0,0 +1,10 @@
+CREATE TABLE manage.JWTRefreshToken (
+    id SERIAL PRIMARY KEY,
+    name VARCHAR NOT NULL UNIQUE,
+    description VARCHAR,
+    expires TIMESTAMP NOT NULL,
+    activates TIMESTAMP NOT NULL,
+    last_used TIMESTAMP,
+    revoked BOOLEAN NOT NULL DEFAULT FALSE,
+    hash VARCHAR NOT NULL
+);
diff --git a/python/nav/web/jwtgen.py b/python/nav/web/jwtgen.py
@@ -49,3 +49,18 @@ def _generate_token(
         new_token, JWTConf().get_nav_private_key(), algorithm="RS256"
     )
     return encoded_token
+
+
+def is_active(exp: float, nbf: float) -> bool:
+    """
+    Takes `exp` and `nbf` as POSIX timestamps. These represent the claims of a JWT token.
+    `exp` should be the expiration time of the token and `nbf` should be the time when
+    the token becomes active.
+
+    Returns True if `exp` is in the future and `nbf` is in the past or matches
+    the current time.
+    """
+    now = datetime.now(timezone.utc)
+    expires = datetime.fromtimestamp(exp, tz=timezone.utc)
+    activates = datetime.fromtimestamp(nbf, tz=timezone.utc)
+    return now >= activates and now < expires
diff --git a/tests/unittests/models/jwtrefreshtoken_test.py b/tests/unittests/models/jwtrefreshtoken_test.py
@@ -0,0 +1,58 @@
+from datetime import datetime, timedelta
+
+from nav.models.api import JWTRefreshToken
+
+
+class TestIsActive:
+    def test_should_return_false_if_token_activates_in_the_future(self):
+        now = datetime.now()
+        token = JWTRefreshToken(
+            name="testtoken",
+            hash="dummyhash",
+            expires=now + timedelta(hours=1),
+            activates=now + timedelta(hours=1),
+        )
+        assert not token.is_active()
+
+    def test_should_return_false_if_token_expires_in_the_past(self):
+        now = datetime.now()
+        token = JWTRefreshToken(
+            name="testtoken",
+            hash="dummyhash",
+            expires=now - timedelta(hours=1),
+            activates=now - timedelta(hours=1),
+        )
+        assert not token.is_active()
+
+    def test_should_return_true_if_token_activates_in_the_past_and_expires_in_the_future(
+        self,
+    ):
+        now = datetime.now()
+        token = JWTRefreshToken(
+            name="testtoken",
+            hash="dummyhash",
+            expires=now + timedelta(hours=1),
+            activates=now - timedelta(hours=1),
+        )
+        assert token.is_active()
+
+    def test_should_return_true_if_token_activates_now_and_expires_in_the_future(self):
+        now = datetime.now()
+        token = JWTRefreshToken(
+            name="testtoken",
+            hash="dummyhash",
+            expires=now + timedelta(hours=1),
+            activates=now,
+        )
+        assert token.is_active()
+
+
+def test_string_representation_should_match_name():
+    now = datetime.now()
+    token = JWTRefreshToken(
+        name="testtoken",
+        hash="dummyhash",
+        expires=now + timedelta(hours=1),
+        activates=now - timedelta(hours=1),
+    )
+    assert str(token) == token.name

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Add database model for JWT refresh tokens`