From 6be1f6674c024e8c5f84786f7f99f01a04d4d71b Mon Sep 17 00:00:00 2001
From: Ilya Kreymer
Date: Wed, 19 Mar 2025 10:07:09 -0700
Subject: [PATCH] fixes token lifetime bug / improve security (#2490)
- fix jwt_token_lifetime being in hours, not minutes, remove extra * 60
- don't return userids in user list for org admins, instead just key users by email, which is already unique
---
 backend/btrixcloud/auth.py | 2 +-
 backend/btrixcloud/models.py | 8 ++++++--
 backend/test/test_api.py | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/backend/btrixcloud/auth.py b/backend/btrixcloud/auth.py
index 03923171..60e8acd5 100644
--- a/backend/btrixcloud/auth.py
+++ b/backend/btrixcloud/auth.py
@@ -28,7 +28,7 @@ from .utils import dt_now
 # ============================================================================
 PASSWORD_SECRET = os.environ.get("PASSWORD_SECRET", uuid4().hex)
-JWT_TOKEN_LIFETIME = int(os.environ.get("JWT_TOKEN_LIFETIME_MINUTES", 60)) * 60
+JWT_TOKEN_LIFETIME = int(os.environ.get("JWT_TOKEN_LIFETIME_MINUTES", 60))
 BTRIX_SUBS_APP_API_KEY = os.environ.get("BTRIX_SUBS_APP_API_KEY", "")
diff --git a/backend/btrixcloud/models.py b/backend/btrixcloud/models.py
index 3506a757..4af481e7 100644
--- a/backend/btrixcloud/models.py
+++ b/backend/btrixcloud/models.py
@@ -2063,10 +2063,14 @@ class Organization(BaseMongoModel):
 if not role:
 continue
-result["users"][id_] = {
+email = org_user.get("email")
+if not email:
+continue
+
+result["users"][email] = {
 "role": role,
 "name": org_user.get("name", ""),
-"email": org_user.get("email", ""),
+"email": email,
 }
 return OrgOut.from_dict(result)
diff --git a/backend/test/test_api.py b/backend/test/test_api.py
index 181f7236..dd2b148e 100644
--- a/backend/test/test_api.py
+++ b/backend/test/test_api.py
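Review bot: The new `JWT_TOKEN_LIFETIME` assignment changes the unit of a module-level constant from seconds to minutes while the name still carries no unit, and the test hunk shows the same value is surfaced verbatim as the API's `jwtTokenLifetime` setting (1440 where 86400 was expected before), so any consumer that still reads that field as seconds will now compute an expiry sixty times too short. The commit message says the token-issuing code already treats the value as minutes, which would make the previous `* 60` a 60x over-long token lifetime; that code is outside this hunk, so the unit contract should be stated where the constant is defined. Suggest a comment on the new line: `# Minutes, not seconds: the token issuer converts this to a timedelta, and the value is returned as-is in the settings API`. Renaming the constant to carry the unit would be clearer still, but would touch every importer, so a comment is the minimal fix here.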
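Review bot: The added `if not email: continue` silently drops any member record that lacks an email from the org-admin listing, so such a member would be invisible to (and unmanageable by) the admin while still holding a role; whether the data model guarantees every user has an email is not visible here, but if it does not, this is a quiet audit gap that deserves at least a log line through whatever logger models.py already uses, rather than a bare `continue`. Keying the dict on email also means two records carrying the same address collapse into one entry with the last role winning; the commit message states emails are unique, so this is only worth documenting at the new assignment, e.g. `# keyed by email (unique per user) so internal user ids are not exposed to org admins`. The `"email": email` value is now redundant with the key but harmless. The enclosing method begins outside this hunk.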
@@ -40,7 +40,7 @@ def test_api_settings():
 assert data == {
 "registrationEnabled": False,
-"jwtTokenLifetime": 86400,
+"jwtTokenLifetime": 1440,
 "defaultBehaviorTimeSeconds": 300,
 "maxPagesPerCrawl": 4,
 "numBrowsers": 2,