Adds OneTimeTokenSettings

Provided to OneTimeTokenService constructors to customize expire
time when generating OneTimeToken

Author: R4N

core/src/main/java/org/springframework/security/authentication/ott/InMemoryOneTimeTokenService.java

@@ -36,6 +36,26 @@
  */
 public final class InMemoryOneTimeTokenService implements OneTimeTokenService {
 
+	private final OneTimeTokenSettings oneTimeTokenSettings;
+
+	public InMemoryOneTimeTokenService() {
+		this(null);
+	}
+
+	/**
+	 * Constructs a {@code InMemoryOneTimeTokenService} using the provided parameters.
+	 * @param oneTimeTokenSettings the {@link OneTimeTokenSettings} to use when generating
+	 * OneTimeTokens
+	 * @since 6.4.2
+	 * @see OneTimeTokenSettings
+	 */
+	public InMemoryOneTimeTokenService(OneTimeTokenSettings oneTimeTokenSettings) {
+		if (oneTimeTokenSettings == null) {
+			oneTimeTokenSettings = OneTimeTokenSettings.withDefaults().build();
+		}
+		this.oneTimeTokenSettings = oneTimeTokenSettings;
+	}
+
 	private final Map<String, OneTimeToken> oneTimeTokenByToken = new ConcurrentHashMap<>();
 
 	private Clock clock = Clock.systemUTC();
@@ -44,8 +64,8 @@ public final class InMemoryOneTimeTokenService implements OneTimeTokenService {
 	@NonNull
 	public OneTimeToken generate(GenerateOneTimeTokenRequest request) {
 		String token = UUID.randomUUID().toString();
-		Instant fiveMinutesFromNow = this.clock.instant().plusSeconds(300);
-		OneTimeToken ott = new DefaultOneTimeToken(token, request.getUsername(), fiveMinutesFromNow);
+		Instant expireTime = this.clock.instant().plus(this.oneTimeTokenSettings.getTimeToLive());
+		OneTimeToken ott = new DefaultOneTimeToken(token, request.getUsername(), expireTime);
 		this.oneTimeTokenByToken.put(token, ott);
 		cleanExpiredTokensIfNeeded();
 		return ott;

core/src/main/java/org/springframework/security/authentication/ott/JdbcOneTimeTokenService.java

@@ -21,7 +21,6 @@
 import java.sql.Timestamp;
 import java.sql.Types;
 import java.time.Clock;
-import java.time.Duration;
 import java.time.Instant;
 import java.util.ArrayList;
 import java.util.List;
@@ -63,6 +62,8 @@ public final class JdbcOneTimeTokenService implements OneTimeTokenService, Dispo
 
 	private final JdbcOperations jdbcOperations;
 
+	private final OneTimeTokenSettings oneTimeTokenSettings;
+
 	private Function<OneTimeToken, List<SqlParameterValue>> oneTimeTokenParametersMapper = new OneTimeTokenParametersMapper();
 
 	private RowMapper<OneTimeToken> oneTimeTokenRowMapper = new OneTimeTokenRowMapper();
@@ -107,9 +108,25 @@ public final class JdbcOneTimeTokenService implements OneTimeTokenService, Dispo
 	 * @param jdbcOperations the JDBC operations
 	 */
 	public JdbcOneTimeTokenService(JdbcOperations jdbcOperations) {
+		this(jdbcOperations, null);
+	}
+
+	/**
+	 * Constructs a {@code JdbcOneTimeTokenService} using the provided parameters.
+	 * @param jdbcOperations the JDBC operations
+	 * @param oneTimeTokenSettings the {@link OneTimeTokenSettings} to use when generating
+	 * OneTimeTokens
+	 * @since 6.4.2
+	 * @see OneTimeTokenSettings
+	 */
+	public JdbcOneTimeTokenService(JdbcOperations jdbcOperations, OneTimeTokenSettings oneTimeTokenSettings) {
 		Assert.notNull(jdbcOperations, "jdbcOperations cannot be null");
 		this.jdbcOperations = jdbcOperations;
 		this.taskScheduler = createTaskScheduler(DEFAULT_CLEANUP_CRON);
+		if (oneTimeTokenSettings == null) {
+			oneTimeTokenSettings = OneTimeTokenSettings.withDefaults().build();
+		}
+		this.oneTimeTokenSettings = oneTimeTokenSettings;
 	}
 
 	/**
@@ -132,8 +149,8 @@ public void setCleanupCron(String cleanupCron) {
 	public OneTimeToken generate(GenerateOneTimeTokenRequest request) {
 		Assert.notNull(request, "generateOneTimeTokenRequest cannot be null");
 		String token = UUID.randomUUID().toString();
-		Instant fiveMinutesFromNow = this.clock.instant().plus(Duration.ofMinutes(5));
-		OneTimeToken oneTimeToken = new DefaultOneTimeToken(token, request.getUsername(), fiveMinutesFromNow);
+		Instant expireTime = this.clock.instant().plus(this.oneTimeTokenSettings.getTimeToLive());
+		OneTimeToken oneTimeToken = new DefaultOneTimeToken(token, request.getUsername(), expireTime);
 		insertOneTimeToken(oneTimeToken);
 		return oneTimeToken;
 	}

core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenSettings.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication.ott;
+
+import java.time.Duration;
+
+/**
+ * A facility for {@link OneTimeToken} configuration settings.
+ *
+ * @author Micah Moore (Zetetic LLC)
+ * @since 6.4.2
+ */
+public final class OneTimeTokenSettings {
+
+	private static final Duration DEFAULT_TIME_TO_LIVE = Duration.ofMinutes(5L);
+
+	private final Duration timeToLive;
+
+	private OneTimeTokenSettings(Duration timeToLive) {
+		this.timeToLive = timeToLive;
+	}
+
+	public Duration getTimeToLive() {
+		return this.timeToLive;
+	}
+
+	public static Builder withDefaults() {
+		return new Builder(DEFAULT_TIME_TO_LIVE);
+	}
+
+	public static final class Builder {
+
+		private Duration timeToLive;
+
+		Builder(Duration timeToLive) {
+			this.timeToLive = timeToLive;
+		}
+
+		public Builder timeToLive(Duration timeToLive) {
+			this.timeToLive = timeToLive;
+			return this;
+		}
+
+		public OneTimeTokenSettings build() {
+			return new OneTimeTokenSettings(this.timeToLive);
+		}
+
+	}
+
+}

core/src/test/java/org/springframework/security/authentication/ott/InMemoryOneTimeTokenServiceTests.java

@@ -17,6 +17,7 @@
 package org.springframework.security.authentication.ott;
 
 import java.time.Clock;
+import java.time.Duration;
 import java.time.Instant;
 import java.time.ZoneOffset;
 import java.time.temporal.ChronoUnit;
@@ -37,9 +38,12 @@
  * @author Marcus da Coregio
  */
 class InMemoryOneTimeTokenServiceTests {
+	static final Duration CUSTOM_EXPIRE_DURATION = Duration.ofMinutes(30L);
 
 	InMemoryOneTimeTokenService oneTimeTokenService = new InMemoryOneTimeTokenService();
 
+	InMemoryOneTimeTokenService oneTimeTokenServiceWithTokenSettings = new InMemoryOneTimeTokenService(
+			OneTimeTokenSettings.withDefaults().timeToLive(CUSTOM_EXPIRE_DURATION).build());
 	@Test
 	void generateThenTokenValueShouldBeValidUuidAndProvidedUsernameIsUsed() {
 		GenerateOneTimeTokenRequest request = new GenerateOneTimeTokenRequest("user");
@@ -110,6 +114,41 @@ void setClockWhenNullThenThrowIllegalArgumentException() {
 		// @formatter:on
 	}
 
+	@Test
+	void generateOneTimeTokenWithCustomExpireTimeThenTokenShouldHaveCustomExpiration() {
+		GenerateOneTimeTokenRequest request = new GenerateOneTimeTokenRequest("user");
+		OneTimeToken generated = this.oneTimeTokenServiceWithTokenSettings.generate(request);
+		Instant twentyNineMinutesFromNow = Instant.now().plus(29, ChronoUnit.MINUTES);
+		Instant thirtyOneMinutesFromNow = Instant.now().plus(31, ChronoUnit.MINUTES);
+		assertThat(generated.getExpiresAt()).isBetween(twentyNineMinutesFromNow, thirtyOneMinutesFromNow);
+	}
+
+	@Test
+	void consumeWhenTokenWithCustomExpireTimeIsValidThenReturnToken() {
+		GenerateOneTimeTokenRequest request = new GenerateOneTimeTokenRequest("user");
+		OneTimeToken generated = this.oneTimeTokenServiceWithTokenSettings.generate(request);
+		OneTimeTokenAuthenticationToken authenticationToken = new OneTimeTokenAuthenticationToken(
+				generated.getTokenValue());
+		Clock fifteenMinutesFromNow = Clock.fixed(Instant.now().plus(15, ChronoUnit.MINUTES), ZoneOffset.UTC);
+		this.oneTimeTokenServiceWithTokenSettings.setClock(fifteenMinutesFromNow);
+		OneTimeToken consumed = this.oneTimeTokenServiceWithTokenSettings.consume(authenticationToken);
+		assertThat(consumed.getTokenValue()).isEqualTo(generated.getTokenValue());
+		assertThat(consumed.getUsername()).isEqualTo(generated.getUsername());
+		assertThat(consumed.getExpiresAt()).isEqualTo(generated.getExpiresAt());
+	}
+
+	@Test
+	void consumeWhenTokenWithCustomExpireTimeIsExpiredThenReturnNull() {
+		GenerateOneTimeTokenRequest request = new GenerateOneTimeTokenRequest("user");
+		OneTimeToken generated = this.oneTimeTokenServiceWithTokenSettings.generate(request);
+		OneTimeTokenAuthenticationToken authenticationToken = new OneTimeTokenAuthenticationToken(
+				generated.getTokenValue());
+		Clock thirtyOneMinutesFromNow = Clock.fixed(Instant.now().plus(31, ChronoUnit.MINUTES), ZoneOffset.UTC);
+		this.oneTimeTokenServiceWithTokenSettings.setClock(thirtyOneMinutesFromNow);
+		OneTimeToken consumed = this.oneTimeTokenService.consume(authenticationToken);
+		assertThat(consumed).isNull();
+	}
+
 	private List<OneTimeToken> generate(int howMany) {
 		List<OneTimeToken> generated = new ArrayList<>(howMany);
 		for (int i = 0; i < howMany; i++) {

core/src/test/java/org/springframework/security/authentication/ott/JdbcOneTimeTokenServiceTests.java

@@ -50,23 +50,30 @@ class JdbcOneTimeTokenServiceTests {
 
 	private static final String ONE_TIME_TOKEN_SQL_RESOURCE = "org/springframework/security/core/ott/jdbc/one-time-tokens-schema.sql";
 
+	static final Duration CUSTOM_EXPIRE_DURATION = Duration.ofMinutes(30L);
+
 	private EmbeddedDatabase db;
 
 	private JdbcOperations jdbcOperations;
 
 	private JdbcOneTimeTokenService oneTimeTokenService;
 
+	private JdbcOneTimeTokenService oneTimeTokenServiceWithTokenSettings;
+
 	@BeforeEach
 	void setUp() {
 		this.db = createDb();
 		this.jdbcOperations = new JdbcTemplate(this.db);
 		this.oneTimeTokenService = new JdbcOneTimeTokenService(this.jdbcOperations);
+		this.oneTimeTokenServiceWithTokenSettings = new JdbcOneTimeTokenService(this.jdbcOperations,
+				OneTimeTokenSettings.withDefaults().timeToLive(CUSTOM_EXPIRE_DURATION).build());
 	}
 
 	@AfterEach
 	void tearDown() throws Exception {
 		this.db.shutdown();
 		this.oneTimeTokenService.destroy();
+		this.oneTimeTokenServiceWithTokenSettings.destroy();
 	}
 
 	private static EmbeddedDatabase createDb() {
@@ -188,4 +195,38 @@ void setCleanupChronWhenAlreadyNullThenNoException() {
 		this.oneTimeTokenService.setCleanupCron(null);
 	}
 
+	@Test
+	void generateOneTimeTokenWithCustomExpireTimeThenTokenShouldHaveCustomExpiration() {
+		GenerateOneTimeTokenRequest request = new GenerateOneTimeTokenRequest(USERNAME);
+		OneTimeToken generated = this.oneTimeTokenServiceWithTokenSettings.generate(request);
+		Instant twentyNineMinutesFromNow = Instant.now().plus(29, ChronoUnit.MINUTES);
+		Instant thirtyOneMinutesFromNow = Instant.now().plus(31, ChronoUnit.MINUTES);
+		assertThat(generated.getExpiresAt()).isBetween(twentyNineMinutesFromNow, thirtyOneMinutesFromNow);
+	}
+
+	@Test
+	void consumeWhenTokenWithCustomExpireTimeIsValidThenReturnToken() {
+		GenerateOneTimeTokenRequest request = new GenerateOneTimeTokenRequest(USERNAME);
+		OneTimeToken generated = this.oneTimeTokenServiceWithTokenSettings.generate(request);
+		OneTimeTokenAuthenticationToken authenticationToken = new OneTimeTokenAuthenticationToken(
+				generated.getTokenValue());
+		Clock fifteenMinutesFromNow = Clock.fixed(Instant.now().plus(15, ChronoUnit.MINUTES), ZoneOffset.UTC);
+		this.oneTimeTokenServiceWithTokenSettings.setClock(fifteenMinutesFromNow);
+		OneTimeToken consumed = this.oneTimeTokenServiceWithTokenSettings.consume(authenticationToken);
+		assertThat(consumed.getTokenValue()).isEqualTo(generated.getTokenValue());
+		assertThat(consumed.getUsername()).isEqualTo(generated.getUsername());
+		assertThat(consumed.getExpiresAt()).isEqualTo(generated.getExpiresAt());
+	}
+
+	@Test
+	void consumeWhenTokenWithCustomExpireTimeIsExpiredThenReturnNull() {
+		GenerateOneTimeTokenRequest request = new GenerateOneTimeTokenRequest(USERNAME);
+		OneTimeToken generated = this.oneTimeTokenServiceWithTokenSettings.generate(request);
+		OneTimeTokenAuthenticationToken authenticationToken = new OneTimeTokenAuthenticationToken(
+				generated.getTokenValue());
+		Clock thirtyOneMinutesFromNow = Clock.fixed(Instant.now().plus(31, ChronoUnit.MINUTES), ZoneOffset.UTC);
+		this.oneTimeTokenServiceWithTokenSettings.setClock(thirtyOneMinutesFromNow);
+		OneTimeToken consumed = this.oneTimeTokenServiceWithTokenSettings.consume(authenticationToken);
+		assertThat(consumed).isNull();
+	}
 }