✨(backend) Fix access token storage issues

joehybird · joehybird · commit 69e5346486cc · 2025-11-20T16:18:52.000+01:00
When indexer service is not configured, the search view should work
event with a disabled OIDC_STORE_ACCESS_TOKEN.
Disable token storage for the unit tests.
Add bin/fernetkey that generates a key for the OIDC_STORE_REFRESH_TOKEN_KEY
setting.

Signed-off-by: Fabre Florian &lt;ffabre@hybird.org&gt;
diff --git a/bin/fernetkey b/bin/fernetkey
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# shellcheck source=bin/_config.sh
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+_dc_run app-dev python -c 'from cryptography.fernet import Fernet;import sys; sys.stdout.write("\n" + Fernet.generate_key().decode() + "\n");'
diff --git a/env.d/development/common b/env.d/development/common
@@ -81,5 +81,8 @@ SEARCH_INDEXER_URL="http://find:8000/api/v1.0/documents/index/"
 SEARCH_INDEXER_QUERY_URL="http://find:8000/api/v1.0/documents/search/"
 
 # Store OIDC tokens in the session
-OIDC_STORE_ACCESS_TOKEN = True
-OIDC_STORE_REFRESH_TOKEN = True # Store the encrypted refresh token in the session.
+# OIDC_STORE_ACCESS_TOKEN = True
+# OIDC_STORE_REFRESH_TOKEN = True # Store the encrypted refresh token in the session.
+# Must be a valid Fernet key (32 url-safe base64-encoded bytes)
+# To create one, use the bin/fernetkey command.
+# OIDC_STORE_REFRESH_TOKEN_KEY="your-32-byte-encryption-key=="
diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
@@ -1012,7 +1012,8 @@ def breadcrumb(self, request, *args, **kwargs):
         return drf.response.Response(serializer.data, status=drf.status.HTTP_200_OK)
 
     # pylint: disable-next=too-many-arguments,too-many-positional-arguments
-    def _fulltext_search(self, queryset, indexer, request, text):
+    @method_decorator(refresh_oidc_access_token)
+    def _indexed_search(self, request, queryset, indexer, text):
         """
         Returns a queryset from the results the fulltext search of Find
         """
@@ -1021,16 +1022,19 @@ def _fulltext_search(self, queryset, indexer, request, text):
 
         # Retrieve the documents ids from Find. No pagination here the queryset is
         # already filtered
-        results = indexer.search(
-            text=text, token=token, visited=get_visited_items_ids_of(queryset, user)
-        )
+        result_ids = [
+            r["_id"]
+            for r in indexer.search(
+                text=text, token=token, visited=get_visited_items_ids_of(queryset, user)
+            )
+        ]
 
-        queryset = queryset.filter(pk__in=results)
+        queryset = queryset.filter(pk__in=result_ids)
         queryset = self.annotate_user_roles(queryset)
         queryset = self.annotate_is_favorite(queryset)
 
         files_by_uuid = {str(d.pk): d for d in queryset}
-        ordered_files = [files_by_uuid[id] for id in results if id in files_by_uuid]
+        ordered_files = [files_by_uuid[id] for id in result_ids if id in files_by_uuid]
 
         page = self.paginate_queryset(ordered_files)
 
@@ -1050,7 +1054,6 @@ def _fulltext_search(self, queryset, indexer, request, text):
         url_path="search",
         pagination_class=drf.pagination.PageNumberPagination,
     )
-    @method_decorator(refresh_oidc_access_token)
     def search(self, request, *args, **kwargs):
         """
         Returns a DRF response containing the filtered, annotated and ordered items.
@@ -1104,10 +1107,10 @@ def search(self, request, *args, **kwargs):
         if indexer:
             # When the indexer is configured pop "title" from queryset search and use
             # fulltext results instead.
-            return self._fulltext_search(
+            return self._indexed_search(
+                request,
                 queryset,
                 indexer,
-                request,
                 text=filterset.form.cleaned_data.pop("title"),
             )
 
diff --git a/src/backend/core/services/search_indexers.py b/src/backend/core/services/search_indexers.py
@@ -270,7 +270,7 @@ def search(self, text, token, visited=(), nb_results=None):
             token=token,
         )
 
-        return [d["_id"] for d in response]
+        return response
 
     @abstractmethod
     def search_query(self, data, token) -> dict:
diff --git a/src/backend/core/tests/conftest.py b/src/backend/core/tests/conftest.py
@@ -7,6 +7,7 @@
 
 import pytest
 import responses
+from cryptography.fernet import Fernet
 
 from core import factories
 from core.tests.utils.urls import reload_urls
@@ -143,6 +144,10 @@ def indexer_settings_fixture(settings):
     settings.SEARCH_INDEXER_ALLOWED_MIMETYPES = ("text/",)
     settings.SEARCH_INDEXER_COUNTDOWN = 1
 
+    settings.OIDC_STORE_ACCESS_TOKEN = True
+    settings.OIDC_STORE_REFRESH_TOKEN = True
+    settings.OIDC_STORE_REFRESH_TOKEN_KEY = Fernet.generate_key().decode()
+
     yield settings
 
     # clear cache to prevent issues with other tests
diff --git a/src/backend/drive/settings.py b/src/backend/drive/settings.py
@@ -995,6 +995,8 @@ class Test(Base):
     CELERY_TASK_ALWAYS_EAGER = values.BooleanValue(True)
 
     SEARCH_INDEXER_CLASS = None
+    OIDC_STORE_ACCESS_TOKEN = False
+    OIDC_STORE_REFRESH_TOKEN = False
 
     def __init__(self):
         # pylint: disable=invalid-name

Original file line number	Diff line number	Diff line change
`@@ -270,7 +270,7 @@ def search(self, text, token, visited=(), nb_results=None):`
`270`	`270`	`token=token,`
`271`	`271`	`)`
`272`	`272`
`273`		`- return [d["_id"] for d in response]`
	`273`	`+ return response`
`274`	`274`
`275`	`275`	`@abstractmethod`
`276`	`276`	`def search_query(self, data, token) -> dict:`