diff --git a/ecs/jskult-webapp/src/depends/auth.py b/ecs/jskult-webapp/src/depends/auth.py
index 308704a9..f2383d4e 100644
--- a/ecs/jskult-webapp/src/depends/auth.py
+++ b/ecs/jskult-webapp/src/depends/auth.py
@@ -8,7 +8,7 @@ from src.error.exceptions import JWTTokenVerifyException
 from src.logging.get_logger import get_logger
 from src.model.internal.jwt_token import JWTToken
 from src.model.internal.session import UserSession
-from src.services.session_service import get_session
+from src.services.session_service import get_session, set_session
 from src.system_var import environment
 
 logger = get_logger('認証チェック')
@@ -16,7 +16,7 @@ cookie_security = APIKeyCookie(name='session', auto_error=False)
 code_security = APIKeyQuery(name='code', auto_error=False)
 
 
-def get_current_session(session_key=Depends(cookie_security)):
+def get_current_session(session_key=Depends(cookie_security)) -> Union[UserSession, None]:
     if session_key is None:
         return None
 
@@ -26,7 +26,7 @@ def get_current_session(session_key=Depends(cookie_security)):
     return session
 
 
-def check_session_expired(session: Union[UserSession, None] = Depends(get_current_session)):
+def check_session_expired(session: Union[UserSession, None] = Depends(get_current_session)) -> Union[UserSession, None]:
     """セッションの最後にアクセスした時間が、セッション有効期限切れであるかどうかをチェックする"""
     if session is None:
         return None
@@ -42,14 +42,19 @@ def check_session_expired(session: Union[UserSession, None] = Depends(get_curren
     return session
-def verify_session(session: Union[UserSession, None] = Depends(check_session_expired)):
+def verify_session(session: Union[UserSession, None] = Depends(check_session_expired)) -> Union[UserSession, None]:
     if session is None:
         return None
     jwt_token = JWTToken(session.id_token, session.refresh_token)
     try:
-        jwt_token.verify_token()
+        verified_token = jwt_token.verify_token()
     except JWTTokenVerifyException as e:
         logger.info(e)
         return None
-    # FIXME: ここで検証後のセッションになっていないのでは?
+
+    # IDトークンがリフレッシュされた場合、セッションに詰め直して更新
+    if verified_token.is_refreshed:
+        session.update(actions=[UserSession.id_token.set(verified_token.id_token)])
+        set_session(session)
+        session.id_token = verified_token.id_token
     return session
diff --git a/ecs/jskult-webapp/src/model/internal/jwt_token.py b/ecs/jskult-webapp/src/model/internal/jwt_token.py
index 07bbab0b..69865846 100644
--- a/ecs/jskult-webapp/src/model/internal/jwt_token.py
+++ b/ecs/jskult-webapp/src/model/internal/jwt_token.py
@@ -18,11 +18,13 @@ class JWTToken:
     id_token: str
     refresh_token: str
     verified_jwt: Optional[dict]
+    is_refreshed: Optional[bool]
 
-    def __init__(self, id_token: str, refresh_token: str, verified_jwt: dict = None) -> None:
+    def __init__(self, id_token: str, refresh_token: str, verified_jwt: dict = None, is_refreshed: bool = False):
         self.id_token = id_token
         self.refresh_token = refresh_token
         self.verified_jwt = verified_jwt
+        self.is_refreshed = is_refreshed
 
     @property
     def verified_token(self):
@@ -118,7 +120,7 @@ class JWTToken:
         token_response = json.loads(res.text)
         return cls(id_token=token_response['id_token'], refresh_token=refresh_token)
-    def verify_token(self):
+    def verify_token(self, is_refreshed=False):
         if self.id_token is None:
             raise Exception('アクセストークンがない')
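Review bot: In the `is_refreshed` branch of verify_session, `set_session(session)` runs before `session.id_token = verified_token.id_token` on the following line, so unless `session.update(...)` already refreshes the in-memory attribute, `set_session` persists the stale ID token and only the `update` call carries the new one; a stale stored token would make every later request hit the expired path and call the refresh endpoint again. Move the assignment above `set_session(session)`, or keep just one of the two writes, since both appear to persist the same field. A short comment naming which store each call writes to would make the intent clear. `verified_token` is only bound when `verify_token()` returns, which the preceding `return None` guarantees, so the branch is safe on that count.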
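Review bot: The class-level annotation `is_refreshed: Optional[bool]` disagrees with the constructor, which always stores a `bool` (`is_refreshed: bool = False`); make it `is_refreshed: bool`. The rewritten `__init__` line also drops the `-> None` return annotation the old signature had; keep it for consistency. A one-line comment on the attribute such as `# True when the ID token was obtained by a refresh inside verify_token()` would document what the flag means to callers like verify_session.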
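Review bot: The new `is_refreshed` parameter on `verify_token` is untyped while the matching `__init__` parameter is annotated `bool`; write `def verify_token(self, is_refreshed: bool = False):`. Its purpose is not stated anywhere: it is only meant to be passed by the refresh path inside verify_token itself, and external callers have no reason to set it, so a docstring line such as `is_refreshed: internal; True when re-verifying a token obtained by refresh` would prevent misuse. The body of verify_token continues beyond this hunk.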
@@ -146,7 +148,8 @@ class JWTToken:
         except jwt.ExpiredSignatureError:
             logger.info('IDトークンの有効期限が切れたため、トークンをリフレッシュ')
             refreshed_jwt_token = JWTToken.refresh(self.refresh_token)
-            return refreshed_jwt_token.verified_token()
+            # リフレッシュ後のトークンを再度検証
+            return refreshed_jwt_token.verify_token(is_refreshed=True)
         # 有効期限以外の検証に失敗した場合は例外とする
         except jwt.InvalidTokenError as e:
             raise JWTTokenVerifyException('Invalid token', e)
@@ -157,5 +160,6 @@ class JWTToken:
         return JWTToken(
             id_token=self.id_token,
             refresh_token=self.refresh_token,
-            verified_jwt=verified_jwt
+            verified_jwt=verified_jwt,
+            is_refreshed=is_refreshed
         )
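Review bot: The new `refreshed_jwt_token.verify_token(is_refreshed=True)` call can recurse without bound: if the freshly refreshed ID token is itself rejected as expired (clock skew between the issuer and this host, or an issuer returning an already-expired token), the `ExpiredSignatureError` handler refreshes and re-verifies again, sending a refresh request on every pass until the stack overflows. Since `is_refreshed` is already threaded through, guard the handler before `JWTToken.refresh(...)` with `if is_refreshed: raise JWTTokenVerifyException(...)`, binding the exception with `as e` and using the two-argument form the `InvalidTokenError` handler below already uses. That also routes a second expiry into verify_session's existing logged `return None` path instead of a crash. The enclosing try/except starts before this hunk.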