Merge branch 'bugfix/user-tz-login' into 'dev'

Use UTC for tokens_valid_from in user config See merge request crafty-controller/crafty-4!765
2024-08-30 18:23:09 +00:00 · 2024-07-09 01:00:46 +00:00 · 2024-07-09 01:00:46 +00:00 · 1c7ffcdda7
commit 1c7ffcdda7
parent 4346f58ff3 ba2d3c92a6
6 changed files with 23 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -11,6 +11,7 @@ TBD
 - Fix user creation bug where it would fail when a role was selected ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/763))
 - Security improvements for general user creations on roles page ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/763))
 - Security improvements for general user creations on user page ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/763))
+- Use UTC for tokens_valid_from in user config, to resolve token invalidation on instance TZ change ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/765))
 ### Tweaks
 - Add info note to default creds file ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/760))
 - Remove navigation label from sidebar ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/766))
--- a/app/classes/models/users.py
+++ b/app/classes/models/users.py
@ -38,7 +38,7 @@ class Users(BaseModel):
    superuser = BooleanField(default=False)
    lang = CharField(default="en_EN")
    support_logs = CharField(default="")
-    valid_tokens_from = DateTimeField(default=datetime.datetime.now)
+    valid_tokens_from = DateTimeField(default=Helpers.get_utc_now)
    server_order = CharField(default="")
    preparing = BooleanField(default=False)
    hints = BooleanField(default=True)
@ -119,7 +119,6 @@ class HelperUsers:
    @staticmethod
    def get_user_total():
        count = Users.select().where(Users.username != "system").count()
-        print(count)
        return count

    @staticmethod
--- a/app/classes/shared/authentication.py
+++ b/app/classes/shared/authentication.py
@ -1,5 +1,6 @@
 import logging
 import time
+from datetime import datetime
 from typing import Optional, Dict, Any, Tuple
 import jwt
 from jwt import PyJWTError
@ -62,7 +63,17 @@ class Authentication:
        user = HelperUsers.get_user(user_id)
        # TODO: Have a cache or something so we don't constantly
        # have to query the database
-        if int(user.get("valid_tokens_from").timestamp()) < iat:
+        valid_tokens_from_str = user.get("valid_tokens_from")
+        # It's possible this will be a string or a dt coming from the DB
+        # We need to account for that
+        try:
+            valid_tokens_from_dt = datetime.strptime(
+                valid_tokens_from_str, "%Y-%m-%d %H:%M:%S.%f%z"
+            )
+        except TypeError:
+            valid_tokens_from_dt = valid_tokens_from_str
+        # Convert the string to a datetime object
+        if int(valid_tokens_from_dt.timestamp()) < iat:
            # Success!
            return key, data, user
        return None
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@ -19,7 +19,7 @@ import shutil
 import shlex
 import subprocess
 import itertools
-from datetime import datetime
+from datetime import datetime, timezone
 from socket import gethostname
 from contextlib import redirect_stderr, suppress
 import libgravatar
@ -640,6 +640,10 @@ class Helpers:
        version = f"{major}.{minor}.{sub}"
        return str(version)

+    @staticmethod
+    def get_utc_now() -> datetime:
+        return datetime.fromtimestamp(time.time(), tz=timezone.utc)
+
    def encode_pass(self, password):
        return self.passhasher.hash(password)

--- a/app/classes/web/routes/api/auth/invalidate_tokens.py
+++ b/app/classes/web/routes/api/auth/invalidate_tokens.py
@ -1,6 +1,6 @@
-import datetime
 import logging
 from app.classes.web.base_api_handler import BaseApiHandler
+from app.classes.shared.helpers import Helpers

 logger = logging.getLogger(__name__)

@ -13,7 +13,7 @@ class ApiAuthInvalidateTokensHandler(BaseApiHandler):

        logger.debug(f"Invalidate tokens for user {auth_data[4]['user_id']}")
        self.controller.users.raw_update_user(
-            auth_data[4]["user_id"], {"valid_tokens_from": datetime.datetime.now()}
+            auth_data[4]["user_id"], {"valid_tokens_from": Helpers.get_utc_now()}
        )

        self.finish_json(200, {"status": "ok"})
--- a/app/migrations/20211120221511_api_keys.py
+++ b/app/migrations/20211120221511_api_keys.py
@ -1,10 +1,11 @@
 import peewee
 import datetime
+from app.classes.shared.helpers import Helpers


 def migrate(migrator, database, **kwargs):
    migrator.add_columns(
-        "users", valid_tokens_from=peewee.DateTimeField(default=datetime.datetime.now)
+        "users", valid_tokens_from=peewee.DateTimeField(default=Helpers.get_utc_now)
    )
    migrator.drop_columns("users", ["api_token"])