mgr/dashboard: raise exception on oauth2 sso expired token
authorPedro Gonzalez Gomez <pegonzal@ibm.com>
Thu, 7 May 2026 19:44:30 +0000 (21:44 +0200)
committerPedro Gonzalez Gomez <pegonzal@ibm.com>
Mon, 11 May 2026 10:17:51 +0000 (12:17 +0200)
Fixes: https://tracker.ceph.com/issues/76478
Signed-off-by: Pedro Gonzalez Gomez <pegonzal@ibm.com>
src/pybind/mgr/dashboard/controllers/oauth2.py
src/pybind/mgr/dashboard/services/auth/oauth2.py

index ae37c4ac1f7f68d3b45f06b9f75d724514ea5171..c87aef896924e177cfe06c0c72ad920ca5de7ca7 100644 (file)
@@ -18,6 +18,9 @@ class Oauth2(RESTController):
         if not token:
             raise cherrypy.HTTPError()
 
+        if OAuth2.is_token_expired(token):
+            raise cherrypy.HTTPError(401, 'Your session has expired. Please log in again.')
+
         raise cherrypy.HTTPRedirect(OAuth2.get_login_redirect_url(token))
 
     @Endpoint(json_response=False, version=None)
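Review bot: The 401 text on the added line, 'Your session has expired. Please log in again.', is also what a user gets for a token that merely cannot be decoded, because `OAuth2.is_token_expired` (the hunk in services/auth/oauth2.py) returns True on any exception, not only when `exp` has passed. If that fail-closed behaviour is intended, a one-line comment on the new check would keep the next reader from hunting a phantom expiry bug, e.g. `# is_token_expired is fail-closed: undecodable tokens are reported as expired too`. Otherwise let the helper distinguish "cannot decode" from "expired" so the message stays accurate. The enclosing handler starts before this hunk, so where `token` is obtained is not visible here.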
index dc0620ea3f9137e973336b90c07bd2d910160786..b000c2f75bafb6f761fce12f444b38fa21c59858 100644 (file)
@@ -2,6 +2,7 @@
 import importlib
 import json
 import logging
+import time
 from typing import Dict, List
 from urllib.parse import quote
 
@@ -146,6 +147,14 @@ class OAuth2(SSOAuth):
         except AttributeError:
             raise cherrypy.HTTPError()
 
+    @classmethod
+    def is_token_expired(cls, token: str) -> bool:
+        try:
+            payload = decode_jwt_segment(token.split(".")[1])
+            return time.time() > payload.get('exp', 0)
+        except Exception:
+            return True
+
     @classmethod
     def get_token_iss(cls, token=''):
         if token:
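Review bot: The `except Exception: return True` in the new `is_token_expired` swallows every failure — including an AttributeError should `decode_jwt_segment` return something other than a dict, or a plain programming error — and reports all of them as an expired session without a single log line. Narrowing it to the decode errors the helper can actually raise (presumably `ValueError`, which covers base64 and JSON parse errors, plus `IndexError` for a token with no second segment) and logging the failure at debug level keeps the fail-closed behaviour while making bad input visible, e.g. `except (ValueError, IndexError, TypeError, AttributeError):` followed by a debug log and `return True`. The method also needs a docstring stating its contract, since it reads `exp` from the payload without verifying the signature: `"""Return True if the token's `exp` claim has passed, is absent, or the token cannot be decoded. The claim is read from the unverified payload, so this is a pre-check only, not token validation."""`. RFC 7519 treats a token as invalid when the current time is not strictly before `exp`, so `time.time() >= payload.get('exp', 0)` would match the spec exactly.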