TokenRedisStore

- class gafaelfawr.storage.token.TokenRedisStore(storage, slack_client, logger)

Bases: object
Stores and retrieves token data in Redis.
Tokens are stored with the key of the token as the Redis key and the data of the token as encrypted JSON, including the secret portion of the token. To retrieve a token, the caller must provide the full token and the secret in the token must match the secret retrieved from Redis.
This setup means that an attacker who can list the keys in Redis cannot use those keys directly as tokens and still needs access to the stored Redis data plus the decryption key to be able to reconstruct a token.
- Parameters:
  - storage (EncryptedPydanticRedisStorage[TokenData]) – Underlying storage for token data.
  - slack_client (SlackWebhookClient | None) – If provided, Slack webhook client to report deserialization errors of Redis data.
  - logger (BoundLogger) – Logger for diagnostics.
Methods Summary

- delete(key) – Delete a token from Redis.
- Delete all stored tokens.
- get_data(token) – Retrieve the data for a token from Redis.
- get_data_by_key(key) – Retrieve the data for a token from Redis by its key.
- list() – List all token keys stored in Redis.
- store_data(data) – Store the data for a token.
Methods Documentation
- async delete(key)

Delete a token from Redis.

This only requires the token key, not the full token, so that users can delete tokens for their account without needing possession of the token.

- async get_data(token)

Retrieve the data for a token from Redis.

Doubles as a way to check the validity of the token.

- async get_data_by_key(key)

Retrieve the data for a token from Redis by its key.

This method allows retrieving a working token while bypassing the check that the caller is in possession of the secret, and therefore must never be used with user-supplied keys.

- async list()

List all token keys stored in Redis.
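The following is an added example, not gafaelfawr's code, modelling the layout described in the class docstring and the distinction between get_data (secret checked) and get_data_by_key (secret not checked). It assumes a token written as `gt-<key>.<secret>`, uses an in-memory dict in place of Redis and a constructed HMAC-SHA256 counter-mode cipher in place of the real encrypted storage layer; the methods are synchronous for brevity. The interesting properties are that a Redis key alone is not a usable token, that a Redis dump without the application key is unreadable, and that the secret comparison is constant-time.

```python
"""Toy model of key/secret-split token storage (constructed example)."""
import hashlib
import hmac
import json
import os
import secrets
from dataclasses import dataclass, field

# Application-held master key; someone holding only a Redis dump lacks it.
MASTER_KEY = os.urandom(32)
_ENC_KEY = hashlib.sha256(b"enc" + MASTER_KEY).digest()  # keystream subkey
_MAC_KEY = hashlib.sha256(b"mac" + MASTER_KEY).digest()  # integrity subkey


@dataclass(frozen=True)
class Token:
    key: str     # public part: becomes the Redis key
    secret: str  # private part: lives only inside the encrypted value

    @classmethod
    def generate(cls) -> "Token":
        return cls(secrets.token_urlsafe(16), secrets.token_urlsafe(16))

    def __str__(self) -> str:
        return f"gt-{self.key}.{self.secret}"  # assumed wire format

    @classmethod
    def parse(cls, text: str) -> "Token":
        if not text.startswith("gt-") or "." not in text[3:]:
            raise ValueError("malformed token")
        key, secret = text[3:].split(".", 1)
        return cls(key, secret)


@dataclass
class TokenData:
    token: Token
    username: str
    scopes: list = field(default_factory=list)


def _keystream(nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy stand-in for a real AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(_ENC_KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(_MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored token data fails authentication")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(nonce, len(ciphertext))))


class TokenStore:
    def __init__(self) -> None:
        self._redis: dict[str, bytes] = {}  # stands in for Redis: key -> blob

    def store_data(self, data: TokenData) -> None:
        # The secret is stored too, but only inside the encrypted value.
        record = {"key": data.token.key, "secret": data.token.secret,
                  "username": data.username, "scopes": data.scopes}
        self._redis[data.token.key] = encrypt(json.dumps(record).encode())

    def get_data_by_key(self, key: str):
        """No secret check: safe only for keys the application itself produced."""
        blob = self._redis.get(key)
        if blob is None:
            return None
        r = json.loads(decrypt(blob))
        return TokenData(Token(r["key"], r["secret"]), r["username"], r["scopes"])

    def get_data(self, token: Token):
        """Full-token lookup; also serves as the validity check."""
        data = self.get_data_by_key(token.key)
        if data is None:
            return None
        if not hmac.compare_digest(data.token.secret.encode(), token.secret.encode()):
            return None  # right key, wrong secret: not a valid token
        return data

    def delete(self, key: str) -> bool:
        return self._redis.pop(key, None) is not None

    def list(self) -> list:
        return sorted(self._redis)


def demo() -> dict:
    store = TokenStore()
    token = Token.generate()
    store.store_data(TokenData(token, "someuser", ["read:all"]))
    results = {
        "full_token_works": store.get_data(Token.parse(str(token))) is not None,
        "key_alone_fails": store.get_data(Token(token.key, "")) is None,
        "wrong_secret_fails": store.get_data(Token(token.key, secrets.token_urlsafe(16))) is None,
        "by_key_bypasses_check": store.get_data_by_key(token.key).username == "someuser",
        "listed_keys_only": store.list() == [token.key],
    }
    store.delete(token.key)
    results["gone_after_delete"] = store.get_data(token) is None
    return results
```

Everything a user could influence reaches the store through get_data, which compares the presented secret against the decrypted one with hmac.compare_digest; get_data_by_key exists for internal paths such as per-user token administration and is never fed a caller-supplied key, matching the warning in its docstring above.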