Merge pull request #10 from RadiusNetworks/check-token-expiry

set token expiry in session and check expiry when authenticating

Author: csexton

app/controllers/kracken/sessions_controller.rb

@@ -11,6 +11,7 @@ def create
       current_user = @user
       session[:user_id] = @user.id
       session[:user_cache_key] = cookies[:_radius_user_cache_key]
+      session[:token_expires_at] = Time.zone.at(auth_hash[:credentials][:expires_at])
       redirect_to return_to_path
     end
 

lib/kracken/controllers/authenticatable.rb

@@ -34,6 +34,7 @@ def authenticate_user
       end
 
       def authenticate_user!
+        check_token_expiry!
         unless user_signed_in?
           if request.format == :json
             render json: {error: '401 Unauthorized'}, status: :unauthorized
@@ -43,6 +44,12 @@ def authenticate_user!
         end
       end
 
+      def check_token_expiry!
+        if session[:token_expires_at].nil? || session[:token_expires_at] < Time.zone.now
+          session.delete :user_id
+        end
+      end
+
       # We needed a way to update the user information on kracken and
       # automatically update all the client apps. Instead of pushing changes
       # to all the apps we added a cookie that will act as an indicator that

spec/kracken/controllers/authenticatable_spec.rb

@@ -92,6 +92,22 @@ class ControllerDouble < BaseControllerDouble
         end
 
 
+        it "redirects to sign-in when token has expired" do
+          allow(controller).to receive(:request).and_return(double(format: nil, fullpath: nil))
+          allow(controller).to receive(:redirect_to)
+          controller.session[:token_expires_at] = Time.zone.now - 5.minutes
+          controller.authenticate_user!
+          expect(controller).to have_received(:redirect_to)
+        end
+
+        it "authenticates user when token has not expired" do
+          allow(controller).to receive(:request).and_return(double(format: nil, fullpath: nil))
+          allow(controller).to receive(:redirect_to)
+          controller.session[:token_expires_at] = Time.zone.now + 5.minutes
+          controller.authenticate_user!
+          expect(controller).to_not have_received(:redirect_to)
+        end
+
         context "user cache cookie" do
           it "nothing if the cache cookie does not exist" do
             allow(controller).to receive(:request).and_return(double(format: nil, fullpath: nil))

spec/requests/authentication_spec.rb

@@ -2,6 +2,18 @@
 
 module Kracken
   RSpec.describe "authenticatable resource requests", type: :request do
+    let(:token_expiry) {1441650437}
+    let(:auth_hash) {
+      {
+        "credentials"=>{
+          "token"=>"8675c978497731f60ecdea6787c4316b",
+          "refresh_token"=>"7340329b1e0d7a6749bdfb2ca1597360",
+          "expires_at"=>token_expiry,
+          "expires"=>true
+        }
+      }
+    }
+
     def headers_with_token(token)
       { 'HTTP_AUTHORIZATION'=>"Token token=\"#{token}\"" }
     end
@@ -16,5 +28,10 @@ def headers_with_token(token)
       expect(response.status).to be 200
     end
 
+    it "sets :token_expires_at in the session" do
+      OmniAuth.config.mock_auth[:radius] = OmniAuth::AuthHash.new(auth_hash)
+      get "/auth/radius/callback"
+      expect(request.session[:token_expires_at]).to eq(Time.zone.at(token_expiry))
+    end
   end
 end