Fixed bug in authentication when tokens are invalid.

open-schnick · open-schnick · commit d0de0356b7d2 · 2021-05-27T16:05:35.000+02:00
diff --git a/src/main/java/de/filefighter/rest/domain/authentication/AuthenticationBusinessService.java b/src/main/java/de/filefighter/rest/domain/authentication/AuthenticationBusinessService.java
@@ -2,6 +2,7 @@
 
 import de.filefighter.rest.domain.common.InputSanitizerService;
 import de.filefighter.rest.domain.common.exceptions.RequestDidntMeetFormalRequirementsException;
+import de.filefighter.rest.domain.token.business.AccessTokenBusinessService;
 import de.filefighter.rest.domain.token.data.dto.AccessToken;
 import de.filefighter.rest.domain.user.business.UserDTOService;
 import de.filefighter.rest.domain.user.data.dto.User;
@@ -24,12 +25,14 @@ public class AuthenticationBusinessService {
     private final UserDTOService userDtoService;
     private final InputSanitizerService inputSanitizerService;
     private final PasswordEncoder passwordEncoder;
+    private final AccessTokenBusinessService accessTokenBusinessService;
 
-    public AuthenticationBusinessService(UserRepository userRepository, UserDTOService userDtoService, InputSanitizerService inputSanitizerService, PasswordEncoder passwordEncoder) {
+    public AuthenticationBusinessService(UserRepository userRepository, UserDTOService userDtoService, InputSanitizerService inputSanitizerService, PasswordEncoder passwordEncoder, AccessTokenBusinessService accessTokenBusinessService) {
         this.userRepository = userRepository;
         this.userDtoService = userDtoService;
         this.inputSanitizerService = inputSanitizerService;
         this.passwordEncoder = passwordEncoder;
+        this.accessTokenBusinessService = accessTokenBusinessService;
     }
 
     public User authenticateUserWithUsernameAndPassword(String base64encodedUserAndPassword) {
@@ -72,11 +75,16 @@ public User authenticateUserWithRefreshToken(String refreshToken) {
     }
 
     public User authenticateUserWithAccessToken(AccessToken accessToken) {
-        UserEntity userEntity = userRepository.findByUserId(accessToken.getUserId());
-        if (null == userEntity)
-            throw new UserNotAuthenticatedException(accessToken.getUserId());
-
-        return userDtoService.createDto(userEntity);
+        if (accessTokenBusinessService.accessTokenIsInvalid(accessToken.getValidUntil())) {
+            log.debug("AccessToken used for auth was invalid: " + accessToken);
+            throw new UserNotAuthenticatedException("AccessToken was not valid anymore.");
+        } else {
+            UserEntity userEntity = userRepository.findByUserId(accessToken.getUserId());
+            if (null == userEntity)
+                throw new UserNotAuthenticatedException(accessToken.getUserId());
+
+            return userDtoService.createDto(userEntity);
+        }
     }
 
     public void authenticateUserWithAccessTokenAndGroup(AccessToken accessToken, Group groups) {
diff --git a/src/main/java/de/filefighter/rest/domain/token/business/AccessTokenBusinessService.java b/src/main/java/de/filefighter/rest/domain/token/business/AccessTokenBusinessService.java
@@ -27,6 +27,7 @@ public AccessTokenBusinessService(AccessTokenRepository accessTokenRepository, A
         this.accessTokenDtoService = accessTokenDtoService;
     }
 
+    // basically auth with refresh token.
     public AccessToken getValidAccessTokenForUser(User user) {
         long userId = user.getUserId();
         AccessTokenEntity accessTokenEntity = accessTokenRepository.findByUserId(userId);
@@ -40,21 +41,19 @@ public AccessToken getValidAccessTokenForUser(User user) {
                     .userId(userId)
                     .build();
             accessTokenEntity = accessTokenRepository.save(accessTokenEntity);
-        } else {
-            if (currentTimeSeconds + ACCESS_TOKEN_SAFETY_MARGIN > accessTokenEntity.getValidUntil()) {
-                log.info("Deleting AccessToken for UserId {}, because its invalid now.", userId);
-                long deletedTokenAmount = accessTokenRepository.deleteByUserId(userId);
-                if (1L != deletedTokenAmount)
-                    throw new FileFighterDataException("AccessToken for userId " + userId + " could not be deleted.");
-
-                accessTokenEntity = AccessTokenEntity
-                        .builder()
-                        .validUntil(currentTimeSeconds + ACCESS_TOKEN_DURATION_IN_SECONDS)
-                        .value(generateRandomTokenValue())
-                        .userId(userId)
-                        .build();
-                accessTokenEntity = accessTokenRepository.save(accessTokenEntity);
-            }
+        } else if (accessTokenIsInvalid(accessTokenEntity.getValidUntil())) {
+            log.debug("Deleting AccessToken for UserId {}, because its invalid now.", userId);
+            long deletedTokenAmount = accessTokenRepository.deleteByUserId(userId);
+            if (1L != deletedTokenAmount)
+                throw new FileFighterDataException("AccessToken for userId " + userId + " could not be deleted.");
+
+            accessTokenEntity = AccessTokenEntity
+                    .builder()
+                    .validUntil(currentTimeSeconds + ACCESS_TOKEN_DURATION_IN_SECONDS)
+                    .value(generateRandomTokenValue())
+                    .userId(userId)
+                    .build();
+            accessTokenEntity = accessTokenRepository.save(accessTokenEntity);
         }
 
         return accessTokenDtoService.createDto(accessTokenEntity);
@@ -76,6 +75,10 @@ public AccessToken findAccessTokenByValue(String accessTokenValue) {
         return accessTokenDtoService.createDto(accessTokenEntity);
     }
 
+    public boolean accessTokenIsInvalid(long timeStampToTest) {
+        return (Instant.now().getEpochSecond() + ACCESS_TOKEN_SAFETY_MARGIN > timeStampToTest);
+    }
+
     public static String generateRandomTokenValue() {
         return UUID.randomUUID().toString();
     }
diff --git a/src/test/java/de/filefighter/rest/domain/authentication/AuthenticationBusinessServiceUnitTest.java b/src/test/java/de/filefighter/rest/domain/authentication/AuthenticationBusinessServiceUnitTest.java
@@ -2,6 +2,7 @@
 
 import de.filefighter.rest.domain.common.InputSanitizerService;
 import de.filefighter.rest.domain.common.exceptions.RequestDidntMeetFormalRequirementsException;
+import de.filefighter.rest.domain.token.business.AccessTokenBusinessService;
 import de.filefighter.rest.domain.token.data.dto.AccessToken;
 import de.filefighter.rest.domain.user.business.UserDTOService;
 import de.filefighter.rest.domain.user.data.dto.User;
@@ -28,12 +29,14 @@ class AuthenticationBusinessServiceUnitTest {
     private final UserDTOService userDtoServiceMock = mock(UserDTOService.class);
     private final InputSanitizerService inputSanitizerServiceMock = mock(InputSanitizerService.class);
     private final PasswordEncoder passwordEncoderMock = mock(PasswordEncoder.class);
+    private final AccessTokenBusinessService accessTokenBusinessServiceMock = mock(AccessTokenBusinessService.class);
     private final AuthenticationBusinessService authenticationBusinessService =
             new AuthenticationBusinessService(
                     userRepositoryMock,
                     userDtoServiceMock,
                     inputSanitizerServiceMock,
-                    passwordEncoderMock);
+                    passwordEncoderMock,
+                    accessTokenBusinessServiceMock);
 
     @Test
     void authenticateUserWithUsernameAndPasswordThrows() {
@@ -120,12 +123,20 @@ void authenticateUserWithRefreshTokenWorksCorrectly() {
     @Test
     void authenticateUserWithAccessTokenThrows() {
         long userId = 420;
-        AccessToken accessToken = AccessToken.builder().userId(userId).build();
+        long timer = 123872183;
+        AccessToken accessToken = AccessToken.builder().userId(userId).validUntil(timer).build();
 
-        when(userRepositoryMock.findByUserId(userId)).thenReturn(null);
+        when(accessTokenBusinessServiceMock.accessTokenIsInvalid(timer)).thenReturn(true);
 
         UserNotAuthenticatedException ex = assertThrows(UserNotAuthenticatedException.class, () ->
                 authenticationBusinessService.authenticateUserWithAccessToken(accessToken));
+        assertEquals(UserNotAuthenticatedException.getErrorMessagePrefix() + " AccessToken was not valid anymore.", ex.getMessage());
+
+        when(userRepositoryMock.findByUserId(userId)).thenReturn(null);
+        when(accessTokenBusinessServiceMock.accessTokenIsInvalid(timer)).thenReturn(false);
+
+        ex = assertThrows(UserNotAuthenticatedException.class, () ->
+                authenticationBusinessService.authenticateUserWithAccessToken(accessToken));
         assertEquals(UserNotAuthenticatedException.getErrorMessagePrefix() + " UserId was " + userId, ex.getMessage());
     }
 
