Address PR Feedback

marcusdacoregio · marcusdacoregio · commit 74dcab30fba6 · 2024-08-14T17:10:52.000-03:00
- Add final to implementations
- Remove OneTimeTokenAuthenticationFilter and use AuthenticationFilter directly
- Align method names in OneTimeToken
- Create OneTimeTokenAuthenticationRequestSuccessHandler for a better control of the strategy used when a successful ott authentication request is made, defaults to RedirectOneTimeTokenAuthenticationRequestSuccessHandler
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java b/config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
@@ -32,7 +32,6 @@
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
-import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationFilter;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java
@@ -27,9 +27,9 @@
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
+import org.springframework.security.web.authentication.AuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
-import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationFilter;
 import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestFilter;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
@@ -99,7 +99,6 @@ final class FilterOrderRegistration {
 		this.filterToOrder.put(
 				"org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter",
 				order.next());
-		put(OneTimeTokenAuthenticationFilter.class, order.next());
 		put(UsernamePasswordAuthenticationFilter.class, order.next());
 		order.next(); // gh-8105
 		put(DefaultLoginPageGeneratingFilter.class, order.next());
@@ -111,6 +110,7 @@ final class FilterOrderRegistration {
 				"org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter",
 				order.next());
 		put(BasicAuthenticationFilter.class, order.next());
+		put(AuthenticationFilter.class, order.next());
 		put(RequestCacheAwareFilter.class, order.next());
 		put(SecurityContextHolderAwareRequestFilter.class, order.next());
 		put(JaasApiIntegrationFilter.class, order.next());
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java
@@ -40,14 +40,18 @@
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.security.web.authentication.AuthenticationFilter;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationConverter;
-import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationFilter;
 import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestFilter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestSuccessHandler;
+import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenAuthenticationRequestSuccessHandler;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.authentication.ui.DefaultOneTimeTokenSubmitPageGeneratingFilter;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
@@ -79,7 +83,8 @@ public final class OneTimeTokenLoginConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private String authenticationRequestUrl = "/ott/authenticate";
 
-	private String authenticationRequestRedirectUrl = "/login/ott";
+	private OneTimeTokenAuthenticationRequestSuccessHandler authenticationRequestSuccessHandler = new RedirectOneTimeTokenAuthenticationRequestSuccessHandler(
+			"/login/ott");
 
 	private AuthenticationProvider authenticationProvider;
 
@@ -118,18 +123,27 @@ public void configure(H http) {
 
 	private void configureOttAuthenticationFilter(H http) {
 		AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
-		OneTimeTokenAuthenticationFilter oneTimeTokenAuthenticationFilter = new OneTimeTokenAuthenticationFilter(
-				authenticationManager, this.authenticationConverter);
+		AuthenticationFilter oneTimeTokenAuthenticationFilter = new AuthenticationFilter(authenticationManager,
+				this.authenticationConverter);
+		oneTimeTokenAuthenticationFilter.setSecurityContextRepository(getSecurityContextRepository(http));
 		oneTimeTokenAuthenticationFilter.setRequestMatcher(antMatcher(HttpMethod.POST, this.loginProcessingUrl));
 		oneTimeTokenAuthenticationFilter.setFailureHandler(getAuthenticationFailureHandler());
 		oneTimeTokenAuthenticationFilter.setSuccessHandler(this.authenticationSuccessHandler);
 		http.addFilter(postProcess(oneTimeTokenAuthenticationFilter));
 	}
 
+	private SecurityContextRepository getSecurityContextRepository(H http) {
+		SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
+		if (securityContextRepository != null) {
+			return securityContextRepository;
+		}
+		return new HttpSessionSecurityContextRepository();
+	}
+
 	private void configureOttAuthenticationRequestFilter(H http) {
 		OneTimeTokenAuthenticationRequestFilter authenticationRequestFilter = new OneTimeTokenAuthenticationRequestFilter(
 				getOneTimeTokenService(http), getOneTimeTokenSender(http));
-		authenticationRequestFilter.setRedirectUrl(this.authenticationRequestRedirectUrl);
+		authenticationRequestFilter.setAuthenticationRequestSuccessHandler(this.authenticationRequestSuccessHandler);
 		authenticationRequestFilter.setRequestMatcher(antMatcher(HttpMethod.POST, this.authenticationRequestUrl));
 		http.addFilter(postProcess(authenticationRequestFilter));
 	}
@@ -177,15 +191,15 @@ public OneTimeTokenLoginConfigurer<H> authenticationRequestUrl(String authentica
 	}
 
 	/**
-	 * Specifies the URL that the user-agent will be redirected after a successful
-	 * One-Time Token authentication. Defaults to {@code POST /login/ott}. If you are
-	 * using the default submit page make sure that you also configure
-	 * {@link #submitPageUrl(String)} to this same URL.
-	 * @param authenticationRequestRedirectUrl
+	 * Specifies strategy to be used for successful one-time token authentication
+	 * requests. By default, a redirect will be performed to {@code POST /login/ott} using
+	 * the {@link RedirectOneTimeTokenAuthenticationRequestSuccessHandler}.
+	 * @param authenticationRequestSuccessHandler
 	 */
-	public OneTimeTokenLoginConfigurer<H> authenticationRequestRedirectUrl(String authenticationRequestRedirectUrl) {
-		Assert.hasText(authenticationRequestRedirectUrl, "authenticationRequestRedirectUrl cannot be null or empty");
-		this.authenticationRequestRedirectUrl = authenticationRequestRedirectUrl;
+	public OneTimeTokenLoginConfigurer<H> authenticationRequestSuccessHandler(
+			OneTimeTokenAuthenticationRequestSuccessHandler authenticationRequestSuccessHandler) {
+		Assert.notNull(authenticationRequestSuccessHandler, "authenticationRequestSuccessHandler cannot be null");
+		this.authenticationRequestSuccessHandler = authenticationRequestSuccessHandler;
 		return this;
 	}
 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurerTests.java
@@ -34,6 +34,8 @@
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenAuthenticationRequestSuccessHandler;
 import org.springframework.test.web.servlet.MockMvc;
 
 import static org.assertj.core.api.Assertions.assertThatException;
@@ -58,7 +60,7 @@ void oneTimeTokenWhenCorrectTokenThenCanAuthenticate() throws Exception {
 		this.mvc.perform(post("/ott/authenticate").param("username", "user").with(csrf()))
 			.andExpectAll(status().isFound(), redirectedUrl("/login/ott"));
 
-		String token = TestOneTimeTokenSender.lastToken.getToken();
+		String token = TestOneTimeTokenSender.lastToken.getTokenValue();
 
 		this.mvc.perform(post("/login/ott").param("token", token).with(csrf()))
 			.andExpectAll(status().isFound(), redirectedUrl("/"), authenticated());
@@ -68,12 +70,12 @@ void oneTimeTokenWhenCorrectTokenThenCanAuthenticate() throws Exception {
 	void oneTimeTokenWhenDifferentAuthenticationUrlsThenCanAuthenticate() throws Exception {
 		this.spring.register(OneTimeTokenDifferentAuthenticationUrlsConfig.class).autowire();
 		this.mvc.perform(post("/authenticationrequesturl").param("username", "user").with(csrf()))
-			.andExpectAll(status().isFound(), redirectedUrl("/login/ott"));
+			.andExpectAll(status().isFound(), redirectedUrl("/redirected"));
 
-		String token = TestOneTimeTokenSender.lastToken.getToken();
+		String token = TestOneTimeTokenSender.lastToken.getTokenValue();
 
 		this.mvc.perform(post("/loginprocessingurl").param("token", token).with(csrf()))
-			.andExpectAll(status().isFound(), redirectedUrl("/"), authenticated());
+			.andExpectAll(status().isFound(), redirectedUrl("/authenticated"), authenticated());
 	}
 
 	@Test
@@ -82,7 +84,7 @@ void oneTimeTokenWhenCorrectTokenUsedTwiceThenSecondTimeFails() throws Exception
 		this.mvc.perform(post("/ott/authenticate").param("username", "user").with(csrf()))
 			.andExpectAll(status().isFound(), redirectedUrl("/login/ott"));
 
-		String token = TestOneTimeTokenSender.lastToken.getToken();
+		String token = TestOneTimeTokenSender.lastToken.getTokenValue();
 
 		this.mvc.perform(post("/login/ott").param("token", token).with(csrf()))
 			.andExpectAll(status().isFound(), redirectedUrl("/"), authenticated());
@@ -169,7 +171,9 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 					)
 					.oneTimeTokenLogin((ott) -> ott
 							.authenticationRequestUrl("/authenticationrequesturl")
+							.authenticationRequestSuccessHandler(new RedirectOneTimeTokenAuthenticationRequestSuccessHandler("/redirected"))
 							.loginProcessingUrl("/loginprocessingurl")
+							.authenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler("/authenticated"))
 					);
 			// @formatter:on
 			return http.build();
diff --git a/core/src/main/java/org/springframework/security/authentication/ott/DefaultOneTimeToken.java b/core/src/main/java/org/springframework/security/authentication/ott/DefaultOneTimeToken.java
@@ -44,7 +44,7 @@ public DefaultOneTimeToken(String token, String username, Instant expireAt) {
 	}
 
 	@Override
-	public String getToken() {
+	public String getTokenValue() {
 		return this.token;
 	}
 
@@ -53,7 +53,7 @@ public String getUsername() {
 		return this.username;
 	}
 
-	public Instant getExpireAt() {
+	public Instant getExpiresAt() {
 		return this.expireAt;
 	}
 
diff --git a/core/src/main/java/org/springframework/security/authentication/ott/InMemoryOneTimeTokenService.java b/core/src/main/java/org/springframework/security/authentication/ott/InMemoryOneTimeTokenService.java
@@ -34,7 +34,7 @@
  * @author Marcus da Coregio
  * @since 6.4
  */
-public class InMemoryOneTimeTokenService implements OneTimeTokenService {
+public final class InMemoryOneTimeTokenService implements OneTimeTokenService {
 
 	private final Map<String, OneTimeToken> oneTimeTokenByToken = new ConcurrentHashMap<>();
 
@@ -72,7 +72,7 @@ private void cleanExpiredTokensIfNeeded() {
 	}
 
 	private boolean isExpired(OneTimeToken ott) {
-		return this.clock.instant().isAfter(ott.getExpireAt());
+		return this.clock.instant().isAfter(ott.getExpiresAt());
 	}
 
 	void setClock(Clock clock) {
diff --git a/core/src/main/java/org/springframework/security/authentication/ott/OneTimeToken.java b/core/src/main/java/org/springframework/security/authentication/ott/OneTimeToken.java
@@ -27,9 +27,9 @@
 public interface OneTimeToken {
 
 	/**
-	 * @return the one-time token, never {@code null}
+	 * @return the one-time token value, never {@code null}
 	 */
-	String getToken();
+	String getTokenValue();
 
 	/**
 	 * @return the username associated with this token, never {@code null}
@@ -39,6 +39,6 @@ public interface OneTimeToken {
 	/**
 	 * @return the expiration time of the token
 	 */
-	Instant getExpireAt();
+	Instant getExpiresAt();
 
 }
diff --git a/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java
@@ -31,7 +31,7 @@
  * @author Marcus da Coregio
  * @since 6.4
  */
-public class OneTimeTokenAuthenticationProvider implements AuthenticationProvider {
+public final class OneTimeTokenAuthenticationProvider implements AuthenticationProvider {
 
 	private final OneTimeTokenService oneTimeTokenService;
 
diff --git a/core/src/test/java/org/springframework/security/authentication/ott/InMemoryOneTimeTokenServiceTests.java b/core/src/test/java/org/springframework/security/authentication/ott/InMemoryOneTimeTokenServiceTests.java
@@ -43,7 +43,7 @@ class InMemoryOneTimeTokenServiceTests {
 	void generateThenTokenValueShouldBeValidUuidAndProvidedUsernameIsUsed() {
 		OneTimeTokenAuthenticationRequest request = new OneTimeTokenAuthenticationRequest("user");
 		OneTimeToken oneTimeToken = this.oneTimeTokenService.generate(request);
-		assertThatNoException().isThrownBy(() -> UUID.fromString(oneTimeToken.getToken()));
+		assertThatNoException().isThrownBy(() -> UUID.fromString(oneTimeToken.getTokenValue()));
 		assertThat(request.getUsername()).isEqualTo("user");
 	}
 
@@ -58,18 +58,20 @@ void consumeWhenTokenDoesNotExistsThenNull() {
 	void consumeWhenTokenExistsThenReturnItself() {
 		OneTimeTokenAuthenticationRequest request = new OneTimeTokenAuthenticationRequest("user");
 		OneTimeToken generated = this.oneTimeTokenService.generate(request);
-		OneTimeTokenAuthenticationToken authenticationToken = new OneTimeTokenAuthenticationToken(generated.getToken());
+		OneTimeTokenAuthenticationToken authenticationToken = new OneTimeTokenAuthenticationToken(
+				generated.getTokenValue());
 		OneTimeToken consumed = this.oneTimeTokenService.consume(authenticationToken);
-		assertThat(consumed.getToken()).isEqualTo(generated.getToken());
+		assertThat(consumed.getTokenValue()).isEqualTo(generated.getTokenValue());
 		assertThat(consumed.getUsername()).isEqualTo(generated.getUsername());
-		assertThat(consumed.getExpireAt()).isEqualTo(generated.getExpireAt());
+		assertThat(consumed.getExpiresAt()).isEqualTo(generated.getExpiresAt());
 	}
 
 	@Test
 	void consumeWhenTokenIsExpiredThenReturnNull() {
 		OneTimeTokenAuthenticationRequest request = new OneTimeTokenAuthenticationRequest("user");
 		OneTimeToken generated = this.oneTimeTokenService.generate(request);
-		OneTimeTokenAuthenticationToken authenticationToken = new OneTimeTokenAuthenticationToken(generated.getToken());
+		OneTimeTokenAuthenticationToken authenticationToken = new OneTimeTokenAuthenticationToken(
+				generated.getTokenValue());
 		Clock tenMinutesFromNow = Clock.fixed(Instant.now().plus(10, ChronoUnit.MINUTES), ZoneOffset.UTC);
 		this.oneTimeTokenService.setClock(tenMinutesFromNow);
 		OneTimeToken consumed = this.oneTimeTokenService.consume(authenticationToken);
@@ -88,12 +90,12 @@ void generateWhenMoreThan100TokensThenClearExpired() {
 
 		assertThat(toExpire)
 			.extracting(
-					(token) -> this.oneTimeTokenService.consume(new OneTimeTokenAuthenticationToken(token.getToken())))
+					(token) -> this.oneTimeTokenService.consume(new OneTimeTokenAuthenticationToken(token.getTokenValue())))
 			.containsOnlyNulls();
 
 		assertThat(toKeep)
 			.extracting(
-					(token) -> this.oneTimeTokenService.consume(new OneTimeTokenAuthenticationToken(token.getToken())))
+					(token) -> this.oneTimeTokenService.consume(new OneTimeTokenAuthenticationToken(token.getTokenValue())))
 			.noneMatch(Objects::isNull);
 		// @formatter:on
 	}
diff --git a/docs/modules/ROOT/pages/servlet/authentication/onetimetoken.adoc b/docs/modules/ROOT/pages/servlet/authentication/onetimetoken.adoc
@@ -28,7 +28,7 @@ In summary, One-Time Tokens (OTT) provide a way to authenticate users without ad
 
 The One-Time Token Login works in two major steps.
 
-1. User request a token by submitting their user identifier, usually the username, and the token is delivered to them, via e-mail, SMS, Magic Link, etc.
+1. User requests a token by submitting their user identifier, usually the username, and the token is delivered to them, often as a Magic Link, via e-mail, SMS, etc.
 2. User submits the token to the application and, if valid, the user gets logged in.
 
 [[default-pages]]
diff --git a/web/src/main/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationRequestFilter.java b/web/src/main/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationRequestFilter.java
@@ -23,17 +23,17 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.ott.OneTimeToken;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationRequest;
 import org.springframework.security.authentication.ott.OneTimeTokenSender;
 import org.springframework.security.authentication.ott.OneTimeTokenService;
-import org.springframework.security.web.DefaultRedirectStrategy;
-import org.springframework.security.web.RedirectStrategy;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.OncePerRequestFilter;
 
+import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
+
 /**
  * Filter that process a One-Time Token authentication request. By default, the filter
  * listen to {@code POST} requests to {@code /ott/authenticate}. The
@@ -44,19 +44,18 @@
  * @since 6.4
  * @see OneTimeTokenService
  */
-public class OneTimeTokenAuthenticationRequestFilter extends OncePerRequestFilter {
+public final class OneTimeTokenAuthenticationRequestFilter extends OncePerRequestFilter {
 
 	private final OneTimeTokenService oneTimeTokenService;
 
 	private final OneTimeTokenSender oneTimeTokenSender;
 
-	private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
-
-	private RequestMatcher requestMatcher = new AntPathRequestMatcher("/ott/authenticate", "POST");
+	private RequestMatcher requestMatcher = antMatcher(HttpMethod.POST, "/ott/authenticate");
 
 	private OneTimeTokenAuthenticationRequestResolver authenticationRequestResolver = new RequestParameterOneTimeTokenAuthenticationRequestResolver();
 
-	private String redirectUrl = "/login/ott";
+	private OneTimeTokenAuthenticationRequestSuccessHandler authenticationRequestSuccessHandler = new RedirectOneTimeTokenAuthenticationRequestSuccessHandler(
+			"/login/ott");
 
 	public OneTimeTokenAuthenticationRequestFilter(OneTimeTokenService oneTimeTokenService,
 			OneTimeTokenSender oneTimeTokenSender) {
@@ -80,9 +79,13 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 		}
 		OneTimeToken ott = this.oneTimeTokenService.generate(authenticationRequest);
 		this.oneTimeTokenSender.send(ott);
-		this.redirectStrategy.sendRedirect(request, response, this.redirectUrl);
+		this.authenticationRequestSuccessHandler.handle(request, response, ott);
 	}
 
+	/**
+	 * Use the given {@link RequestMatcher} to match the request.
+	 * @param requestMatcher
+	 */
 	public void setRequestMatcher(RequestMatcher requestMatcher) {
 		Assert.notNull(requestMatcher, "requestMatcher cannot be null");
 		this.requestMatcher = requestMatcher;
@@ -100,19 +103,14 @@ public void setAuthenticationRequestResolver(
 	}
 
 	/**
-	 * Sets the {@link RedirectStrategy} to use
-	 * @param redirectStrategy
-	 */
-	public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
-		this.redirectStrategy = redirectStrategy;
-	}
-
-	/**
-	 * The redirect url to be passed to the {@link RedirectStrategy}
-	 * @param redirectUrl
+	 * Specifies {@link OneTimeTokenAuthenticationRequestSuccessHandler} to be used for
+	 * successful authentication requests
+	 * @param authenticationRequestSuccessHandler
 	 */
-	public void setRedirectUrl(String redirectUrl) {
-		this.redirectUrl = redirectUrl;
+	public void setAuthenticationRequestSuccessHandler(
+			OneTimeTokenAuthenticationRequestSuccessHandler authenticationRequestSuccessHandler) {
+		Assert.notNull(authenticationRequestSuccessHandler, "authenticationRequestSuccessHandler cannot be null");
+		this.authenticationRequestSuccessHandler = authenticationRequestSuccessHandler;
 	}
 
 }
diff --git a/web/src/main/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationRequestResolver.java b/web/src/main/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationRequestResolver.java
@@ -28,6 +28,7 @@
  * @author Marcus da Coregio
  * @since 6.4
  */
+@FunctionalInterface
 public interface OneTimeTokenAuthenticationRequestResolver {
 
 	/**
diff --git a/web/src/main/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationRequestSuccessHandler.java b/web/src/main/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationRequestSuccessHandler.java
diff --git a/web/src/main/java/org/springframework/security/web/authentication/ott/RedirectOneTimeTokenAuthenticationRequestSuccessHandler.java b/web/src/main/java/org/springframework/security/web/authentication/ott/RedirectOneTimeTokenAuthenticationRequestSuccessHandler.java
diff --git a/web/src/test/java/org/springframework/security/web/authentication/ott/RedirectOneTimeTokenAuthenticationRequestSuccessHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/ott/RedirectOneTimeTokenAuthenticationRequestSuccessHandlerTests.java

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ public DefaultOneTimeToken(String token, String username, Instant expireAt) {`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`@Override`
`47`		`- public String getToken() {`
	`47`	`+ public String getTokenValue() {`
`48`	`48`	`return this.token;`
`49`	`49`	`}`
`50`	`50`
`@@ -53,7 +53,7 @@ public String getUsername() {`
`53`	`53`	`return this.username;`
`54`	`54`	`}`
`55`	`55`
`56`		`- public Instant getExpireAt() {`
	`56`	`+ public Instant getExpiresAt() {`
`57`	`57`	`return this.expireAt;`
`58`	`58`	`}`
`59`	`59`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@`
`34`	`34`	`* @author Marcus da Coregio`
`35`	`35`	`* @since 6.4`
`36`	`36`	`*/`
`37`		`-public class InMemoryOneTimeTokenService implements OneTimeTokenService {`
	`37`	`+public final class InMemoryOneTimeTokenService implements OneTimeTokenService {`
`38`	`38`
`39`	`39`	`private final Map<String, OneTimeToken> oneTimeTokenByToken = new ConcurrentHashMap<>();`
`40`	`40`
`@@ -72,7 +72,7 @@ private void cleanExpiredTokensIfNeeded() {`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`private boolean isExpired(OneTimeToken ott) {`
`75`		`- return this.clock.instant().isAfter(ott.getExpireAt());`
	`75`	`+ return this.clock.instant().isAfter(ott.getExpiresAt());`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`void setClock(Clock clock) {`