Return response instead of exception if the refresh token is invalid during security checks

elpete · elpete · commit 10a26fcd7242 · 2021-11-30T11:15:40.000-07:00
diff --git a/models/jwt/JwtService.cfc b/models/jwt/JwtService.cfc
@@ -895,41 +895,60 @@ component accessors="true" singleton threadsafe {
 		};
 
 		try {
-			// Try to get the payload from the jwt token, if we have exceptions, we have failed :(
-			// This takes care of authenticating the jwt tokens for us.
-			// getPayload() => parseToken() => authenticateToken()
-			var payload = getPayload();
-		}
-		// Access Token Has Expired
-		catch ( TokenExpiredException e ) {
-			// Do we have autoRefreshValidator turned on and we have an incoming refresh token?
-			if ( variables.settings.jwt.enableAutoRefreshValidator && len( discoverRefreshToken() ) ) {
-				autoRefreshTokens();
-			} else {
-				// Error out as normal
-				results.messages = e.type & ":" & e.message;
-				return results;
+			try {
+				// Try to get the payload from the jwt token, if we have exceptions, we have failed :(
+				// This takes care of authenticating the jwt tokens for us.
+				// getPayload() => parseToken() => authenticateToken()
+				var payload = getPayload();
 			}
-		} catch ( TokenInvalidException e ) {
-			// Do we have autoRefreshValidator turned on and we have an incoming refresh token?
-			if ( variables.settings.jwt.enableAutoRefreshValidator && len( discoverRefreshToken() ) ) {
-				autoRefreshTokens();
-			} else {
-				// Error out as normal
-				results.messages = e.type & ":" & e.message;
-				return results;
+			// Access Token Has Expired
+			catch ( TokenExpiredException e ) {
+				// Do we have autoRefreshValidator turned on and we have an incoming refresh token?
+				if (
+					variables.settings.jwt.enableAutoRefreshValidator && len(
+						discoverRefreshToken()
+					)
+				) {
+					autoRefreshTokens();
+				} else {
+					// Error out as normal
+					results.messages = e.type & ":" & e.message;
+					return results;
+				}
+			} catch ( TokenInvalidException e ) {
+				// Do we have autoRefreshValidator turned on and we have an incoming refresh token?
+				if (
+					variables.settings.jwt.enableAutoRefreshValidator && len(
+						discoverRefreshToken()
+					)
+				) {
+					autoRefreshTokens();
+				} else {
+					// Error out as normal
+					results.messages = e.type & ":" & e.message;
+					return results;
+				}
+			} catch ( TokenNotFoundException e ) {
+				// Do we have autoRefreshValidator turned on and we have an incoming refresh token?
+				if (
+					variables.settings.jwt.enableAutoRefreshValidator && len(
+						discoverRefreshToken()
+					)
+				) {
+					autoRefreshTokens();
+				} else {
+					// Error out as normal
+					results.messages = e.type & ":" & e.message;
+					return results;
+				}
 			}
-		} catch ( TokenNotFoundException e ) {
-			// Do we have autoRefreshValidator turned on and we have an incoming refresh token?
-			if ( variables.settings.jwt.enableAutoRefreshValidator && len( discoverRefreshToken() ) ) {
-				autoRefreshTokens();
-			} else {
-				// Error out as normal
+			// All other exceptions
+			catch ( Any e ) {
 				results.messages = e.type & ":" & e.message;
 				return results;
 			}
 		}
-		// All other exceptions
+		// All exceptions for refreshTokens
 		catch ( Any e ) {
 			results.messages = e.type & ":" & e.message;
 			return results;
diff --git a/test-harness/tests/specs/integration/JWTSpec.cfc b/test-harness/tests/specs/integration/JWTSpec.cfc
@@ -95,6 +95,18 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 							expect( results.allow ).toBeTrue();
 						} );
 					} );
+					given( "Auto refresh is on and an expired access token is sent with an expired refresh token", function(){
+						then( "the validation should fail", function(){
+							getRequestContext().setValue( "x-auth-token", variables.expired_token );
+							getRequestContext().setValue(
+								"x-refresh-token",
+								variables.expired_token
+							);
+
+							var results = variables.jwtService.validateSecurity( "" );
+							expect( results.allow ).toBeFalse();
+						} );
+					} );
 				} );
 
 				story( "I can refresh tokens via the /refreshtoken endpoint", function(){
