only check if password has changed on jwt refresh

This commit is contained in:
Josh Hawkins 2025-12-08 08:30:12 -06:00
parent e7b35df2f1
commit 2a78ae4bfb
3 changed files with 21 additions and 20 deletions


@ -123,7 +123,7 @@ auth:
# Optional: Refresh time in seconds (default: shown below) # Optional: Refresh time in seconds (default: shown below)
# When the session is going to expire in less time than this setting, # When the session is going to expire in less time than this setting,
# it will be refreshed back to the session_length. # it will be refreshed back to the session_length.
refresh_time: 43200 # 12 hours refresh_time: 1800 # 30 minutes
# Optional: Rate limiting for login failures to help prevent brute force # Optional: Rate limiting for login failures to help prevent brute force
# login attacks (default: shown below) # login attacks (default: shown below)
# See the docs for more information on valid values # See the docs for more information on valid values


@ -648,10 +648,14 @@ def auth(request: Request):
logger.debug("jwt token expired") logger.debug("jwt token expired")
return fail_response return fail_response
# Check if password has been changed after token was issued # if the jwt cookie is expiring soon
if jwt_source == "cookie" and expiration - JWT_REFRESH <= current_time:
logger.debug("jwt token expiring soon, refreshing cookie")
# Check if password has been changed since token was issued
# If so, force re-login by rejecting the refresh
try: try:
user_obj = User.get_by_id(user) user_obj = User.get_by_id(user)
# Only invalidate token if password was changed after token was issued
if user_obj.password_changed_at is not None: if user_obj.password_changed_at is not None:
token_iat = int(token.claims.get("iat", 0)) token_iat = int(token.claims.get("iat", 0))
password_changed_timestamp = int( password_changed_timestamp = int(
@ -659,16 +663,13 @@ def auth(request: Request):
) )
if token_iat < password_changed_timestamp: if token_iat < password_changed_timestamp:
logger.debug( logger.debug(
"jwt token issued before password change, invalidating token" "jwt token issued before password change, rejecting refresh"
) )
return fail_response return fail_response
except DoesNotExist: except DoesNotExist:
logger.debug("user not found") logger.debug("user not found")
return fail_response return fail_response
# if the jwt cookie is expiring soon
if jwt_source == "cookie" and expiration - JWT_REFRESH <= current_time:
logger.debug("jwt token expiring soon, refreshing cookie")
new_expiration = current_time + JWT_SESSION_LENGTH new_expiration = current_time + JWT_SESSION_LENGTH
new_encoded_jwt = create_encoded_jwt( new_encoded_jwt = create_encoded_jwt(
user, role, new_expiration, request.app.jwt_token user, role, new_expiration, request.app.jwt_token
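Review bot: Moving the password_changed_at comparison under the `jwt_source == "cookie" and expiration - JWT_REFRESH <= current_time` branch means a token issued before a password change stays accepted until it enters the refresh window, i.e. for up to session_length − refresh_time (roughly 23.5 hours with the defaults in this commit), and a JWT whose jwt_source is anything other than "cookie" is apparently never checked against a password change at all, whereas the removed per-request check rejected it immediately. If that delay is the intended trade-off for avoiding a User.get_by_id on every request, the refresh branch should say so, e.g. `# Password changes are only enforced here, on refresh: an existing session can survive up to session_length - refresh_time after a change`; if it is not, a per-request check against a cached password_changed_at keyed by user would keep the original revocation behaviour without the DB hit. The non-cookie path deserves a separate look, since the old check did not depend on jwt_source. auth() starts and ends outside this hunk.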


@ -20,7 +20,7 @@ class AuthConfig(FrigateBaseModel):
default=86400, title="Session length for jwt session tokens", ge=60 default=86400, title="Session length for jwt session tokens", ge=60
) )
refresh_time: int = Field( refresh_time: int = Field(
default=43200, default=1800,
title="Refresh the session if it is going to expire in this many seconds", title="Refresh the session if it is going to expire in this many seconds",
ge=30, ge=30,
) )
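Review bot: The `title` on refresh_time still describes only session refresh, but in this commit the refresh window also becomes the only point at which a password change is presumably enforced against an existing session, so this default is what bounds that revocation delay at session_length − refresh_time. Adding a `description=` to the Field, e.g. `description="Password changes are enforced when the session is refreshed, so a larger value shortens the time an old session can outlive a password change."`, would make that coupling visible to anyone tuning the value. AuthConfig continues outside this section.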