Performing a refresh of ReCodEx API token when frontend token is being refreshed.

Author: krulis-martin

app/helpers/Recodex/RecodexApiHelper.php

@@ -225,9 +225,9 @@ public function getTempTokenInstance(string $token): string
     /**
      * Complete the authentication process. Use tmp token to fetch full-token and user info.
      * The tmp token is expected to be set as the auth token already.
-     * @return array|null ['accessToken' => string, 'user' => RecodexUser] on success
+     * @return array ['accessToken' => string, 'user' => RecodexUser] on success
      */
-    public function getTokenAndUser(): ?array
+    public function getTokenAndUser(): array
     {
         Debugger::log('ReCodEx::getTokenAndUser()', Debugger::DEBUG);
         $body = $this->post('extensions/' . $this->extensionId);
@@ -240,6 +240,23 @@ public function getTokenAndUser(): ?array
         return $body;
     }
 
+    /**
+     * Refresh the token using ReCodEx API. The current token is expected to be set as the auth token already.
+     * @return array ['accessToken' => string, 'user' => RecodexUser] on success (same as getTokenAndUser())
+     */
+    public function refreshToken(): array
+    {
+        Debugger::log('ReCodEx::refreshToken()', Debugger::DEBUG);
+        $body = $this->post('login/refresh');
+        if (!is_array($body) || empty($body['accessToken']) || empty($body['user'])) {
+            throw new RecodexApiException("Unexpected ReCodEx API response from token refresh endpoint.");
+        }
+
+        // wrap the user into a structure
+        $body['user'] = new RecodexUser($body['user'], $this);
+        return $body;
+    }
+
     /**
      * Retrieve user data.
      * @param string $id

app/presenters/LoginPresenter.php

@@ -4,14 +4,17 @@
 
 use App\Exceptions\ForbiddenRequestException;
 use App\Exceptions\InvalidAccessTokenException;
+use App\Exceptions\NotFoundException;
 use App\Exceptions\WrongCredentialsException;
+use App\Model\Entity\User;
 use App\Model\Repository\Users;
 use App\Helpers\RecodexApiHelper;
 use App\Helpers\RecodexUser;
 use App\Security\AccessManager;
 use App\Security\Roles;
 use App\Security\TokenScope;
 use Nette\Security\AuthenticationException;
+use Exception;
 
 /**
  * Endpoints used to log a user in
@@ -42,6 +45,34 @@ class LoginPresenter extends BasePresenter
      */
     public $roles;
 
+    /**
+     * Split the ReCodEx API token (save it to DB and suffix to the newly generated token),
+     * generate a new token for our frontend and send the response.
+     * @param User $user The user to log in
+     * @param string $token The token from ReCodEx API to split and save
+     */
+    private function finalizeLogin(User $user, string $token): void
+    {
+        // part of the token is stored in the database, suffix goes into our token (payload)
+        $tokenSuffix = $user->setRecodexToken($token);
+        $user->updatedNow();
+        $this->users->persist($user);
+
+        // generate our token for our frontend
+        $token = $this->accessManager->issueToken(
+            $user,
+            null, // no effective role override
+            [TokenScope::MASTER, TokenScope::REFRESH],
+            null, // default expiration
+            ['suffix' => $tokenSuffix]
+        );
+
+        $this->sendSuccessResponse([
+            "accessToken" => $token,
+            "user" => $user,
+        ]);
+    }
+
     /**
      * Log in using temp token from ReCodEx.
      * @POST
@@ -70,25 +101,8 @@ public function actionDefault()
         } else {
             $recodexUser->updateUser($user);
         }
-        $user->updatedNow();
-
-        // part of the token is stored in the database, suffix goes into our token (payload)
-        $tokenSuffix = $user->setRecodexToken($recodexResponse['accessToken']);
-        $this->users->persist($user);
-
-        // generate our token for our frontend
-        $token = $this->accessManager->issueToken(
-            $user,
-            null, // no effective role override
-            [TokenScope::MASTER, TokenScope::REFRESH],
-            null, // default expiration
-            ['suffix' => $tokenSuffix]
-        );
 
-        $this->sendSuccessResponse([
-            "accessToken" => $token,
-            "user" => $user,
-        ]);
+        $this->finalizeLogin($user, $recodexResponse['accessToken']);
     }
 
     /**
@@ -104,23 +118,24 @@ public function checkRefresh()
     }
 
     /**
-     * Refresh the access token of current user
+     * Refresh the access token of current user (as well as the ReCodEx API token).
      * @GET
      * @LoggedIn
+     * @throws AuthenticationException
      * @throws ForbiddenRequestException
+     * @throws NotFoundException
+     * @throws InvalidAccessTokenException
      */
     public function actionRefresh()
     {
-        $token = $this->getAccessToken();
+        $recodexResponse = $this->recodexApi->refreshToken();
+        /** @var RecodexUser */
+        $recodexUser = $recodexResponse['user'];
 
-        $user = $this->getCurrentUser();
-        $this->users->flush();
+        // Update the user entity with new info from ReCodEx.
+        $user = $this->users->findOrThrow($recodexUser->getId());
+        $recodexUser->updateUser($user);
 
-        $this->sendSuccessResponse(
-            [
-                "accessToken" => $this->accessManager->issueRefreshedToken($token),
-                "user" => $user,
-            ]
-        );
+        $this->finalizeLogin($user, $recodexResponse['accessToken']);
     }
 }

app/security/AccessManager.php

@@ -108,9 +108,9 @@ public function getUser(AccessToken $token): User
      */
     public function issueToken(
         User $user,
-        string $effectiveRole = null,
+        ?string $effectiveRole = null,
         array $scopes = [],
-        int $exp = null,
+        ?int $exp = null,
         array $payload = []
     ) {
         if ($exp === null) {
@@ -155,7 +155,7 @@ public static function getGivenAccessToken(IRequest $request)
     {
         $accessToken = $request->getQuery("access_token");
         if ($accessToken !== null && Strings::length($accessToken) > 0) {
-            return $accessToken; // the token specified in the URL is prefered
+            return $accessToken; // the token specified in the URL is preferred
         }
 
         // if the token is not in the URL, try to find the "Authorization" header with the bearer token