Remove duplicate expiration check, add a log

2 weeks ago · 93753b4a67
2 changed files with 9 additions and 12 deletions
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@ -53,7 +53,7 @@ async fn login(data: Form<ConnectData>, client_header: ClientHeaders, mut conn:
    let login_result = match data.grant_type.as_ref() {
        "refresh_token" => {
            _check_is_some(&data.refresh_token, "refresh_token cannot be blank")?;
-            _refresh_login(data, &mut conn).await
+            _refresh_login(data, &mut conn, &client_header.ip).await
        }
        "password" if CONFIG.sso_enabled() && CONFIG.sso_only() => err!("SSO sign-in is required"),
        "password" => {
@ -124,7 +124,7 @@ async fn login(data: Form<ConnectData>, client_header: ClientHeaders, mut conn:
 }

 // Return Status::Unauthorized to trigger logout
-async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {
+async fn _refresh_login(data: ConnectData, conn: &mut DbConn, ip: &ClientIp) -> JsonResult {
    // Extract token
    let refresh_token = match data.refresh_token {
        Some(token) => token,
@ -137,7 +137,7 @@ async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {
    // See: https://github.com/dani-garcia/vaultwarden/issues/4156
    // ---
    // let members = Membership::find_confirmed_by_user(&user.uuid, conn).await;
-    match auth::refresh_tokens(&refresh_token, conn).await {
+    match auth::refresh_tokens(ip, &refresh_token, conn).await {
        Err(err) => {
            err_code!(format!("Unable to refresh login credentials: {}", err.message()), Status::Unauthorized.code)
        }
--- a/src/auth.rs
+++ b/src/auth.rs
@ -112,7 +112,7 @@ pub fn decode_jwt<T: DeserializeOwned>(token: &str, issuer: String) -> Result<T,
            ErrorKind::InvalidToken => err!("Token is invalid"),
            ErrorKind::InvalidIssuer => err!("Issuer is invalid"),
            ErrorKind::ExpiredSignature => err!("Token has expired"),
-            _ => err!("Error decoding JWT"),
+            _ => err!(format!("Error decoding JWT: {:?}", err)),
        },
    }
 }
@ -1177,11 +1177,12 @@ impl AuthTokens {
    }
 }

-pub async fn refresh_tokens(refresh_token: &str, conn: &mut DbConn) -> ApiResult<(Device, AuthTokens)> {
-    let time_now = Utc::now();
-
+pub async fn refresh_tokens(ip: &ClientIp, refresh_token: &str, conn: &mut DbConn) -> ApiResult<(Device, AuthTokens)> {
    let refresh_claims = match decode_refresh(refresh_token) {
-        Err(err) => err_silent!(format!("Impossible to read refresh_token: {}", err.message())),
+        Err(err) => {
+            debug!("Failed to decode {} refresh_token: {refresh_token}", ip.ip);
+            err_silent!(format!("Impossible to read refresh_token: {}", err.message()))
+        }
        Ok(claims) => claims,
    };

@ -1199,10 +1200,6 @@ pub async fn refresh_tokens(refresh_token: &str, conn: &mut DbConn) -> ApiResult
        Some(user) => user,
    };

-    if refresh_claims.exp < time_now.timestamp() {
-        err!("Expired refresh token");
-    }
-
    let auth_tokens = match refresh_claims.sub {
        AuthMethod::Sso if CONFIG.sso_enabled() && CONFIG.sso_auth_only_not_session() => {
            AuthTokens::new(&device, &user, refresh_claims.sub)