Merge branches 'development' and 'development' of github.com:ColdBox/cbox-security into development

Author: lmajano

changelog.md

@@ -9,12 +9,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [2.15.0] => 2021-DEC-10
 
-### 🚀 Added
+### :rocket: Added
 
 * Pass custom claims from `refreshToken( token, customClaims)` method when refreshing tokens
 * Pass in the current jwt payload in to `getJWTCustomClaims( payload )`
 
-### 🐛 Fixed
+### :bug: Fixed
 
 * Timeout in token storage is now the token timeout
 

models/jwt/JwtService.cfc

@@ -894,17 +894,29 @@ component accessors="true" singleton threadsafe {
 			"messages" : ""
 		};
 
+		var payload = {};
+
 		try {
-			// Try to get the payload from the jwt token, if we have exceptions, we have failed :(
-			// This takes care of authenticating the jwt tokens for us.
-			// getPayload() => parseToken() => authenticateToken()
-			var payload = getPayload();
-		}
-		// Access Token Has Expired
-		catch ( TokenExpiredException e ) {
-			// Do we have autoRefreshValidator turned on and we have an incoming refresh token?
-			var refreshToken = discoverRefreshToken();
-			if ( variables.settings.jwt.enableAutoRefreshValidator && len( refreshToken ) ) {
+			try {
+				// Try to get the payload from the jwt token, if we have exceptions, we have failed :(
+				// This takes care of authenticating the jwt tokens for us.
+				// getPayload() => parseToken() => authenticateToken()
+				payload = getPayload();
+			} catch ( any e ) {
+				// if we aren't trying to refresh, return the false response now.
+				var refreshToken = discoverRefreshToken();
+				if (
+					!variables.settings.jwt.enableAutoRefreshValidator ||
+					!len( refreshToken ) ||
+					!listFindNoCase(
+						"TokenExpiredException,TokenInvalidException,TokenNotFoundException",
+						e.type
+					)
+				) {
+					results.messages = e.type & ":" & e.message;
+					return results;
+				}
+
 				// Try to Refresh the tokens
 				var newTokens = this.refreshToken( refreshToken );
 				// Setup payload + authenticate for current request
@@ -920,13 +932,9 @@ component accessors="true" singleton threadsafe {
 						name : variables.settings.jwt.customRefreshHeader,
 						value: newTokens.refresh_token
 					);
-			} else {
-				// Error out as normal
-				results.messages = e.type & ":" & e.message;
-				return results;
 			}
 		}
-		// All other exceptions
+		// All exceptions for refreshTokens
 		catch ( Any e ) {
 			results.messages = e.type & ":" & e.message;
 			return results;

test-harness/tests/specs/integration/JWTSpec.cfc

@@ -64,6 +64,17 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 							expect( results.messages ).toInclude( "TokenNotFoundException" );
 						} );
 					} );
+					given( "Auto refresh is on and no access token is sent but a refresh token is sent", function(){
+						then( "the validation should pass and we should return our two new tokens as headers", function(){
+							var oUser  = variables.userService.retrieveUserByUsername( "test" );
+							var tokens = variables.jwtService.fromUser( oUser );
+
+							getRequestContext().setValue( "x-refresh-token", tokens.refresh_token );
+
+							var results = variables.jwtService.validateSecurity( "" );
+							expect( results.allow ).toBeTrue();
+						} );
+					} );
 					given( "Auto refresh is on and an expired access token is sent but no refresh token is sent", function(){
 						then( "the validation should fail", function(){
 							getRequestContext().setValue( "x-auth-token", variables.expired_token );
@@ -84,6 +95,18 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 							expect( results.allow ).toBeTrue();
 						} );
 					} );
+					given( "Auto refresh is on and an expired access token is sent with an expired refresh token", function(){
+						then( "the validation should fail", function(){
+							getRequestContext().setValue( "x-auth-token", variables.expired_token );
+							getRequestContext().setValue(
+								"x-refresh-token",
+								variables.expired_token
+							);
+
+							var results = variables.jwtService.validateSecurity( "" );
+							expect( results.allow ).toBeFalse();
+						} );
+					} );
 				} );
 
 				story( "I can refresh tokens via the /refreshtoken endpoint", function(){