
Commit c5d11bd

authored
Merge pull request #6 from Mert-Z/issue/#5
Issue#5 - Unable to request access token using refresh token, internal server error
2 parents c09dff1 + 36fcfeb commit c5d11bd

2 files changed

+102
-0
lines changed


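--- a/src/main/java/mertz/security/oauth2/provider/token/store/cassandra/CassandraTokenStore.java
+++ b/src/main/java/mertz/security/oauth2/provider/token/store/cassandra/CassandraTokenStore.java
@@ -312,6 +312,10 @@ public void removeAccessTokenUsingRefreshToken(OAuth2RefreshToken refreshToken)
 if (refreshTokenToAccessToken != null) {
 String accessTokenKey = refreshTokenToAccessToken.getAccessTokenKey();
 AccessToken accessToken = accessTokenRepository.findOne(accessTokenKey);
+if (accessToken == null) {
+// access token removed already or expired.
+return;
+}
 String jsonOAuth2AccessToken = accessToken.getoAuth2AccessToken();
 OAuth2AccessToken oAuth2AccessToken = OAuthUtil.deserializeOAuth2AccessToken(jsonOAuth2AccessToken);
 // Delete access token from all related tables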
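Review bot: The early return at new lines 315–318 exits before the "Delete access token from all related tables" step, so the refreshTokenToAccessToken row that was just looked up is left in place whenever the access token has already expired or been removed, and later lookups via this refresh token keep resolving to an access-token key that no longer exists. Unless that mapping table carries the same TTL as the access-token table (not visible in this hunk), the mapping row should be deleted before returning, using the same repository call the later cleanup step already uses for that table. I would also replace the comment with one that states the contract, `// Access token already removed or expired (TTL); nothing left to delete for this key.`, so the next reader knows the return is deliberate. The enclosing removeAccessTokenUsingRefreshToken body starts and ends outside the hunk.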

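--- a/src/test/java/mertz/security/oauth2/provider/token/store/cassandra/CassandraTokenStoreTests.java
+++ b/src/test/java/mertz/security/oauth2/provider/token/store/cassandra/CassandraTokenStoreTests.java
@@ -1,13 +1,29 @@
 package mertz.security.oauth2.provider.token.store.cassandra;
 
+import static org.junit.Assert.*;
+
+import java.util.Collection;
+import java.util.Date;
+import java.util.UUID;
+
 import org.junit.Before;
+import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.ConfigFileApplicationContextInitializer;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.data.cassandra.core.CassandraOperations;
 import org.springframework.data.cassandra.mapping.CassandraMappingContext;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
+import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
+import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.OAuth2RefreshToken;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.RequestTokenFactory;
 import org.springframework.security.oauth2.provider.token.TokenStore;
 import org.springframework.security.oauth2.provider.token.store.TokenStoreBaseTests;
 import org.springframework.test.context.ActiveProfiles;
@@ -44,4 +60,86 @@ public static class SpringConfig {
 
 }
 
+@Test
+public void testExpiringRefreshToken() throws InterruptedException {
+String refreshToken = "refreshToken-" + UUID.randomUUID();
+DefaultOAuth2RefreshToken expectedExpiringRefreshToken = new DefaultExpiringOAuth2RefreshToken(refreshToken, new Date(System.currentTimeMillis() + 2000));
+OAuth2Authentication expectedAuthentication = new OAuth2Authentication(RequestTokenFactory.createOAuth2Request("id", false), new TestAuthentication("test2", false));
+getTokenStore().storeRefreshToken(expectedExpiringRefreshToken, expectedAuthentication);
+OAuth2RefreshToken actualExpiringRefreshToken = getTokenStore().readRefreshToken(refreshToken);
+assertEquals(expectedExpiringRefreshToken, actualExpiringRefreshToken);
+assertEquals(expectedAuthentication, getTokenStore().readAuthenticationForRefreshToken(expectedExpiringRefreshToken));
+// let the token expire
+Thread.sleep(5000);
+// now it should be gone
+assertNull(getTokenStore().readRefreshToken(refreshToken));
+assertNull(getTokenStore().readAuthenticationForRefreshToken(expectedExpiringRefreshToken));
+}
+
+@Test
+public void testExpiringAccessToken() throws InterruptedException {
+String accessToken = "accessToken-" + UUID.randomUUID();
+OAuth2Authentication expectedAuthentication = new OAuth2Authentication(RequestTokenFactory.createOAuth2Request("id", false), new TestAuthentication("test2", false));
+DefaultOAuth2AccessToken expectedOAuth2AccessToken = new DefaultOAuth2AccessToken(accessToken);
+expectedOAuth2AccessToken.setExpiration(new Date(System.currentTimeMillis() + 2000));
+getTokenStore().storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication);
+OAuth2AccessToken actualOAuth2AccessToken = getTokenStore().readAccessToken(accessToken);
+assertEquals(expectedOAuth2AccessToken, actualOAuth2AccessToken);
+assertEquals(expectedAuthentication, getTokenStore().readAuthentication(expectedOAuth2AccessToken));
+// let the token expire
+Thread.sleep(5000);
+// now it should be gone
+assertNull(getTokenStore().readAccessToken(accessToken));
+assertNull(getTokenStore().readAuthentication(expectedOAuth2AccessToken));
+}
+
+@Test
+public void storeAccessTokenWithoutRefreshTokenRemoveAccessTokenVerifyTokenRemoved() {
+OAuth2Request request = RequestTokenFactory.createOAuth2Request("clientId", false);
+TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password");
+String accessToken = "accessToken-" + UUID.randomUUID();
+OAuth2AccessToken oauth2AccessToken = new DefaultOAuth2AccessToken(accessToken);
+OAuth2Authentication oauth2Authentication = new OAuth2Authentication(request, authentication);
+getTokenStore().storeAccessToken(oauth2AccessToken, oauth2Authentication);
+getTokenStore().removeAccessToken(oauth2AccessToken);
+Collection<OAuth2AccessToken> oauth2AccessTokens = getTokenStore().findTokensByClientId(request.getClientId());
+assertTrue(oauth2AccessTokens.isEmpty());
+}
+
+@Test
+public void storeExpiringAccessTokenWithRefreshToken_RemoveExpiredAccessTokenUsingRefreshToken() throws InterruptedException {
+String accessToken = "accessToken-" + UUID.randomUUID();
+OAuth2Authentication expectedAuthentication = new OAuth2Authentication(RequestTokenFactory.createOAuth2Request("id", false), new TestAuthentication("test2", false));
+DefaultOAuth2AccessToken expectedOAuth2AccessToken = new DefaultOAuth2AccessToken(accessToken);
+expectedOAuth2AccessToken.setExpiration(new Date(System.currentTimeMillis() + 2000));
+String refreshToken = "refreshToken-" + UUID.randomUUID();
+DefaultOAuth2RefreshToken expectedRefreshToken = new DefaultOAuth2RefreshToken(refreshToken);
+expectedOAuth2AccessToken.setRefreshToken(expectedRefreshToken);
+getTokenStore().storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication);
+// let the access token expire
+Thread.sleep(5000);
+// now it should be gone
+assertNull(getTokenStore().readAccessToken(accessToken));
+// use refresh token to remove already expired access token, expect no issues since access token has already been removed.
+getTokenStore().removeAccessTokenUsingRefreshToken(expectedRefreshToken);
+}
+
+@Test
+public void storeAccessTokenWithRefreshToken_RemoveAccessTokenUsingRefreshToken() throws InterruptedException {
+String accessToken = "accessToken-" + UUID.randomUUID();
+OAuth2Authentication expectedAuthentication = new OAuth2Authentication(RequestTokenFactory.createOAuth2Request("id", false), new TestAuthentication("test2", false));
+DefaultOAuth2AccessToken expectedOAuth2AccessToken = new DefaultOAuth2AccessToken(accessToken);
+String refreshToken = "refreshToken-" + UUID.randomUUID();
+DefaultOAuth2RefreshToken expectedRefreshToken = new DefaultOAuth2RefreshToken(refreshToken);
+expectedOAuth2AccessToken.setRefreshToken(expectedRefreshToken);
+getTokenStore().storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication);
+// make sure access token is in the repository
+OAuth2AccessToken actualOAuth2AccessToken = getTokenStore().readAccessToken(accessToken);
+assertEquals(expectedOAuth2AccessToken, actualOAuth2AccessToken);
+// use refresh token to remove access token
+getTokenStore().removeAccessTokenUsingRefreshToken(expectedRefreshToken);
+// now it should be gone
+assertNull(getTokenStore().readAccessToken(accessToken));
+}
+
 }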
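Review bot: storeExpiringAccessTokenWithRefreshToken_RemoveExpiredAccessTokenUsingRefreshToken (new lines 110–125) is the regression test for this fix, yet nothing is asserted after the removeAccessTokenUsingRefreshToken call at line 124, so it only proves the call no longer throws and says nothing about the state of the refresh-token mapping it was asked to clean up; at minimum add `assertNull(getTokenStore().readAccessToken(accessToken));` after the call and, if the store exposes it, an assertion that the refresh token no longer resolves to an access token. storeAccessTokenWithRefreshToken_RemoveAccessTokenUsingRefreshToken (line 128) declares `throws InterruptedException` but never sleeps, so the clause is dead and should be dropped. The three `Thread.sleep(5000)` calls against a 2-second expiry add about 15 seconds to every run and tie the tests to the backing store's TTL timing; a smaller margin, or an expiry injected via a configurable clock, would keep the suite fast while still covering expiry, though the safe margin is a judgment call for this store. The static wildcard `import static org.junit.Assert.*;` at line 3 is also worth narrowing to the three assertions actually used.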
