fixes token lifetime bug / improve security (#2490)

- fix jwt_token_lifetime being in hours, not minutes, remove extra * 60
- don't return userids in user list for org admins, instead just key
users by email, which is already unique

backend/btrixcloud/auth.py

@@ -28,7 +28,7 @@ from .utils import dt_now
 # ============================================================================
 PASSWORD_SECRET = os.environ.get("PASSWORD_SECRET", uuid4().hex)
 
-JWT_TOKEN_LIFETIME = int(os.environ.get("JWT_TOKEN_LIFETIME_MINUTES", 60)) * 60
+JWT_TOKEN_LIFETIME = int(os.environ.get("JWT_TOKEN_LIFETIME_MINUTES", 60))
 
 BTRIX_SUBS_APP_API_KEY = os.environ.get("BTRIX_SUBS_APP_API_KEY", "")
 

backend/btrixcloud/models.py

@@ -2063,10 +2063,14 @@ class Organization(BaseMongoModel):
                 if not role:
                     continue
 
-                result["users"][id_] = {
+                email = org_user.get("email")
+                if not email:
+                    continue
+
+                result["users"][email] = {
                     "role": role,
                     "name": org_user.get("name", ""),
-                    "email": org_user.get("email", ""),
+                    "email": email,
                 }
 
         return OrgOut.from_dict(result)

backend/test/test_api.py

@@ -40,7 +40,7 @@ def test_api_settings():
 
     assert data == {
         "registrationEnabled": False,
-        "jwtTokenLifetime": 86400,
+        "jwtTokenLifetime": 1440,
         "defaultBehaviorTimeSeconds": 300,
         "maxPagesPerCrawl": 4,
         "numBrowsers": 2,