* parseToken( token ) now accepts a token of your choice to work with in the request or it will continue to discover it if not passed.

lmajano · lmajano · commit 40630cecc3c7 · 2020-11-09T16:00:32.000-06:00
* Added new JWT Service method: `invalidateAll()` which invalidates all tokens in the token storage
* Added the new event: `cbSecurity_onJWTInvalidateAllTokens` that fires once all tokens in the storage are cleared
* Added storage of the authenticated user into the `prc` scope when using `attempt()` to be consistent with API calls

### Fixed

* Spelling corrections on the readme
* Added full var scoping for `cbsecurity` in JWTService calls
diff --git a/.markdownlint.json b/.markdownlint.json
@@ -0,0 +1,14 @@
+{
+	"line-length": false,
+	"single-h1": false,
+	"no-hard-tabs" : false,
+	"fenced-code-language" : false,
+	"no-bare-urls" : false,
+	"first-line-h1": false,
+	"no-multiple-blanks": {
+		"maximum": 2
+	},
+	"no-duplicate-header" : {
+		"siblings_only" : true
+	}
+}
diff --git a/ModuleConfig.cfc b/ModuleConfig.cfc
@@ -119,7 +119,8 @@ component {
 				"cbSecurity_onJWTInvalidClaims",
 				"cbSecurity_onJWTExpiration",
 				"cbSecurity_onJWTStorageRejection",
-				"cbSecurity_onJWTValidParsing"
+				"cbSecurity_onJWTValidParsing",
+				"cbSecurity_onJWTInvalidateAllTokens"
 			]
 		};
 
diff --git a/changelog.md b/changelog.md
@@ -7,12 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ----
 
-## [2.8.0] =>
+## [2.8.0] => 2020-NOV-09
 
 ### Added
 
+* `parseToken( token )` now accepts a token of your choice to work with in the request or it will continue to discover it if not passed.
+* Added new JWT Service method: `invalidateAll()` which invalidates all tokens in the token storage
+* Added the new event: `cbSecurity_onJWTInvalidateAllTokens` that fires once all tokens in the storage are cleared
 * Added storage of the authenticated user into the `prc` scope when using `attempt()` to be consistent with API calls
 
+### Fixed
+
+* Spelling corrections on the readme
+* Added full var scoping for `cbsecurity` in JWTService calls
+
 ----
 
 ## [2.7.0] => 2020-SEP-14
diff --git a/models/jwt/JwtService.cfc b/models/jwt/JwtService.cfc
@@ -138,7 +138,7 @@ component accessors="true" singleton {
 	){
 		// Authenticate via the auth service wired up
 		// If it fails an exception is thrown
-		var oUser = cbSecurity
+		var oUser = variables.cbSecurity
 			.getAuthService()
 			.authenticate( arguments.username, arguments.password );
 
@@ -159,14 +159,14 @@ component accessors="true" singleton {
 	 */
 	function logout(){
 		invalidate( this.getToken() );
-		cbSecurity.getAuthService().logout();
+		variables.cbSecurity.getAuthService().logout();
 	}
 
 	/**
 	 * Shortcut function to our authentication services to check if we are logged in
 	 */
 	boolean function isLoggedIn(){
-		return cbSecurity.getAuthService().isLoggedIn();
+		return variables.cbSecurity.getAuthService().isLoggedIn();
 	}
 
 	/**
@@ -313,6 +313,29 @@ component accessors="true" singleton {
 		return results;
 	}
 
+	/**
+	 * Invalidates all tokens in the connected storage provider
+	 *
+	 * @async Run the clearing asynchronously or not, default is false
+	 */
+	JwtService function invalidateAll( boolean async=false ){
+		if ( variables.log.canInfo() ) {
+			variables.log.info( "Token invalidation request issued for all tokens" );
+		}
+
+		// Clear all via storage
+		getTokenStorage().clearAll( arguments.async );
+
+		// Announce the token invalidation
+		variables.interceptorService.processState( "cbSecurity_onJWTInvalidateAllTokens" );
+
+		if ( variables.log.canInfo() ) {
+			variables.log.info( "All tokens cleared via token storage clear all" );
+		}
+
+		return this;
+	}
+
 	/**
 	 * Verifies if the passed in token exists in the storage provider
 	 *
@@ -328,33 +351,34 @@ component accessors="true" singleton {
 
 	/**
 	 * Try's to get a jwt token from the authorization header or the custom header
-	 * defined in the configuration. If it is a valid token and it decodes we will then
-	 * continue to validat the subject it represents.  Once those are satisfied, then it will
+	 * defined in the configuration or passed in by you. If it is a valid token and it decodes we will then
+	 * continue to validate the subject it represents.  Once those are satisfied, then it will
 	 * store it in the `prc` as `prc.jwt_token` and the payload as `prc.jwt_payload`.
 	 *
+	 * @token The token to parse and validate, if not passed we call the discoverToken() method for you.
+	 *
 	 * @throws TokenExpiredException If the token has expired or no longer in the storage (invalidated)
 	 * @throws TokenInvalidException If the token doesn't verify decoding
 	 * @throws TokenNotFoundException If the token cannot be found in the headers
 	 *
 	 * @returns The payload for convenience
 	 */
-	struct function parseToken(){
-		var jwtToken = discoverToken();
+	struct function parseToken( string token = discoverToken() ){
 
 		// Did we find an incoming token
-		if ( !len( jwtToken ) ) {
+		if ( !len( arguments.token ) ) {
 			if ( variables.log.canDebug() ) {
-				variables.log.debug( "Token not found anywhere" );
+				variables.log.debug( "Token empty or not found anywhere (headers, url, form)" );
 			}
 
 			throw(
-				message = "Token not found in authorization header or the custom header or the request collection",
+				message = "Token not found in authorization header or the custom header or the request collection or not passed in",
 				type    = "TokenNotFoundException"
 			);
 		}
 
 		// Decode it
-		var decodedToken  = decode( jwtToken );
+		var decodedToken  = decode( arguments.token );
 		var decodedClaims = decodedToken.keyArray();
 
 		// Verify the required claims
@@ -375,7 +399,7 @@ component accessors="true" singleton {
 				variables.interceptorService.processState(
 					"cbSecurity_onJWTInvalidClaims",
 					{
-						token   : jwtToken,
+						token   : arguments.token,
 						payload : decodedToken
 					}
 				);
@@ -398,7 +422,7 @@ component accessors="true" singleton {
 			variables.interceptorService.processState(
 				"cbSecurity_onJWTExpiration",
 				{
-					token   : jwtToken,
+					token   : arguments.token,
 					payload : decodedToken
 				}
 			);
@@ -416,7 +440,7 @@ component accessors="true" singleton {
 			variables.interceptorService.processState(
 				"cbSecurity_onJWTStorageRejection",
 				{
-					token   : jwtToken,
+					token   : arguments.token,
 					payload : decodedToken
 				}
 			);
@@ -436,22 +460,22 @@ component accessors="true" singleton {
 			);
 		}
 
-		// Store it
+		// Store it on the PRC scope values
 		variables.requestService
 			.getContext()
-			.setPrivateValue( "jwt_token", jwtToken )
+			.setPrivateValue( "jwt_token", arguments.token )
 			.setPrivateValue( "jwt_payload", decodedToken );
 
 		// Announce the valid parsing
 		variables.interceptorService.processState(
 			"cbSecurity_onJWTValidParsing",
 			{
-				token   : jwtToken,
+				token   : arguments.token,
 				payload : decodedToken
 			}
 		);
 
-		// Authenticate the payload
+		// Authenticate the payload, because a token MUST be valid before usage
 		authenticate();
 
 		// Return it
@@ -669,7 +693,12 @@ component accessors="true" singleton {
 	/****************************** PRIVATE ******************************/
 
 	/**
-	 * Try to discover the jwt token from many incoming resources
+	 * Try to discover the jwt token from many incoming resources:
+	 * - The custom auth header: x-auth-token
+	 * - URL/FORM: x-auth-token
+	 * - Authorization Header
+	 *
+	 * @return The discovered token or an empty string
 	 */
 	private string function discoverToken(){
 		var event = variables.requestService.getContext();
diff --git a/test-harness/tests/Application.cfc b/test-harness/tests/Application.cfc
@@ -32,12 +32,15 @@ component {
 
 	// request start
 	public boolean function onRequestStart( String targetPage ){
-		return true;
-	}
 
-	function onRequestEnd(){
-		structDelete( application, "wirebox" );
+		// Cleanup
+		if( !isNull( application.cbController ) ){
+			application.cbController.getLoaderService().processShutdown();
+		}
 		structDelete( application, "cbController" );
+		structDelete( application, "wirebox" );
+
+		return true;
 	}
 
-}
+}
diff --git a/test-harness/tests/specs/integration/JWTSpec.cfc b/test-harness/tests/specs/integration/JWTSpec.cfc
@@ -20,6 +20,8 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 			beforeEach( function(currentSpec){
 				// Setup as a new ColdBox request for this suite, VERY IMPORTANT. ELSE EVERYTHING LOOKS LIKE THE SAME REQUEST.
 				setup();
+				// Get the Service
+				variables.jwtService = getInstance( "jwtService@cbSecurity" );
 			} );
 
 			given( "no jwt token and accessing a secure api call", function(){
@@ -87,11 +89,11 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 				} );
 			} );
 
-			given( "an valid jwt token but it is not in the storage", function(){
+			given( "a valid jwt token but it is not in the storage", function(){
 				then( "it should block with no authorization", function(){
-					var thisToken = getInstance( "jwtService@cbSecurity" ).attempt( "test", "test" );
+					var thisToken = variables.jwtService.attempt( "test", "test" );
 
-					getInstance( "jwtService@cbSecurity" )
+					variables.jwtService
 						.getTokenStorage()
 						.clearAll();
 					getRequestContext().setValue( "x-auth-token", thisToken );
@@ -110,7 +112,7 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 					var thisToken = getInvalidUserToken();
 					getRequestContext().setValue( "x-auth-token", thisToken.token );
 
-					getInstance( "jwtService@cbSecurity" )
+					variables.jwtService
 						.getTokenStorage()
 						.set(
 							key 		= thisToken.payload.jti,
@@ -130,20 +132,34 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 
 			given( "a valid jwt token in all senses", function(){
 				then( "it should allow the call", function(){
-					var thisToken = getInstance( "jwtService@cbSecurity" ).attempt( "test", "test" );
+					var thisToken = variables.jwtService.attempt( "test", "test" );
 					getRequestContext().setValue( "x-auth-token", thisToken );
 
 					var event = execute( route = "/api/secure", renderResults = true );
 					expect( event.getCurrentEvent() ).toBe( "api:secure.index" );
 				} );
 			} );
+
+
+			story( "I want to invalidate all tokens in the storage", function(){
+				given( "a valid jwt token and a invalidate all is issued", function(){
+					then( "the storage should be empty", function(){
+						var thisToken = variables.jwtService.attempt( "test", "test" );
+						expect( variables.jwtService.getTokenStorage().size() ).toBeGT( 0 );
+
+						variables.jwtService.invalidateAll();
+						expect( variables.jwtService.getTokenStorage().size() ).toBe( 0 );
+					} );
+				} );
+			} );
+
 		} );
 	}
 
 	private function getInvalidUserToken(){
 		var timestamp = now();
 		var userId    = 123;
-		var service   = getInstance( "jwtService@cbsecurity" );
+		var service   = variables.jwtService;
 		var payload   = {
 			// Issuing authority
 			"iss"    : service.getSettings().jwt.issuer,

Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,8 @@ component {`
`119`	`119`	`"cbSecurity_onJWTInvalidClaims",`
`120`	`120`	`"cbSecurity_onJWTExpiration",`
`121`	`121`	`"cbSecurity_onJWTStorageRejection",`
`122`		`- "cbSecurity_onJWTValidParsing"`
	`122`	`+ "cbSecurity_onJWTValidParsing",`
	`123`	`+ "cbSecurity_onJWTInvalidateAllTokens"`
`123`	`124`	`]`
`124`	`125`	`};`
`125`	`126`