Skip to content

Commit

Permalink
refresh token correct scopes
Browse files Browse the repository at this point in the history
  • Loading branch information
hummerdmag committed Aug 16, 2024
1 parent 84eea0d commit 94c2bad
Show file tree
Hide file tree
Showing 2 changed files with 84 additions and 5 deletions.
22 changes: 17 additions & 5 deletions web/api/refresh_token.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,14 @@ package api
import (
"encoding/json"
"net/http"
"strings"

l "github.com/madappgang/identifo/v2/localization"
"github.com/madappgang/identifo/v2/model"
"github.com/madappgang/identifo/v2/web/middleware"
)

// RefreshTokens issues new access and, if requsted, refresh token for provided refresh token.
// RefreshTokens issues new access and, if requested, refresh token for provided refresh token.
// After new tokens are issued, the old refresh token gets invalidated (via blacklisting).
func (ar *Router) RefreshTokens() http.HandlerFunc {
type requestData struct {
Expand All @@ -22,6 +23,8 @@ func (ar *Router) RefreshTokens() http.HandlerFunc {
}

return func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()

locale := r.Header.Get("Accept-Language")

rd := requestData{}
Expand All @@ -30,14 +33,14 @@ func (ar *Router) RefreshTokens() http.HandlerFunc {
rd = requestData{Scopes: []string{}}
}

app := middleware.AppFromContext(r.Context())
app := middleware.AppFromContext(ctx)
if len(app.ID) == 0 {
ar.Error(w, locale, http.StatusBadRequest, l.ErrorAPIAPPNoAPPInContext)
return
}

// Get refresh token from context.
oldRefreshToken := tokenFromContext(r.Context())
oldRefreshToken := tokenFromContext(ctx)

if err := oldRefreshToken.Validate(); err != nil {
ar.Error(w, locale, http.StatusUnauthorized, l.ErrorTokenInvalidError, err)
Expand Down Expand Up @@ -84,12 +87,19 @@ func (ar *Router) RefreshTokens() http.HandlerFunc {
RefreshToken: newRefreshTokenString,
}

resultScopes := strings.Split(accessToken.Scopes(), " ")
journal(oldRefreshToken.Subject(), app.ID, "refresh_token", resultScopes)

ar.ServeJSON(w, locale, http.StatusOK, result)
}
}

func (ar *Router) issueNewRefreshToken(oldRefreshTokenString string, scopes []string, app model.AppData) (string, error) {
if !contains(scopes, model.OfflineScope) { // Don't issue new refresh token if not requested.
func (ar *Router) issueNewRefreshToken(
oldRefreshTokenString string,
requestedScopes []string,
app model.AppData,
) (string, error) {
if !contains(requestedScopes, model.OfflineScope) { // Don't issue new refresh token if not requested.
return "", nil
}

Expand All @@ -103,6 +113,8 @@ func (ar *Router) issueNewRefreshToken(oldRefreshTokenString string, scopes []st
return "", err
}

scopes := model.AllowedScopes(requestedScopes, user.Scopes, app.Offline)

refreshToken, err := ar.server.Services().Token.NewRefreshToken(user, scopes, app)
if err != nil {
return "", err
Expand Down
67 changes: 67 additions & 0 deletions web/api/refresh_token_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
package api_test

import (
"context"
"net/http"
"net/http/httptest"
"strings"
"testing"

"github.com/madappgang/identifo/v2/model"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)

func TestRefreshTokens(t *testing.T) {
ctx := testContext(testApp)

reqBody := `{"scopes":["offline", "chat", "super_admin"]}`

user := model.User{
ID: "test_user",
Scopes: []string{"chat"},
Active: true,
Email: "[email protected]",
AccessRole: "user",
}

user, err := testServer.Storages().User.AddUserWithPassword(user, "qwerty", "user", false)
require.NoError(t, err)

tokenService := testServer.Services().Token

refreshToken, err := tokenService.NewRefreshToken(
user,
[]string{"offline", "chat", "super_admin"},
testApp)
require.NoError(t, err)

rts, err := tokenService.String(refreshToken)
require.NoError(t, err)

refreshToken, err = tokenService.Parse(rts)
require.NoError(t, err)

ctx = context.WithValue(ctx, model.TokenContextKey, refreshToken)
ctx = context.WithValue(ctx, model.TokenRawContextKey, []byte(rts))

req := httptest.NewRequest(http.MethodPost, "/auth/token", strings.NewReader(reqBody))
req = req.WithContext(ctx)

rw := httptest.NewRecorder()

h := testRouter.RefreshTokens()
h(rw, req)

require.Equal(t, http.StatusOK, rw.Code, rw.Body.String())

c := claimsFromResponse(t, rw.Body.Bytes())
assert.Equal(t, user.ID, c["sub"])
assert.Equal(t, "test_app", c["aud"])
assert.Equal(t, "chat offline", c["scopes"])

c = refreshClaimsFromResponse(t, rw.Body.Bytes())
assert.Equal(t, user.ID, c["sub"])
assert.Equal(t, "test_app", c["aud"])
assert.Equal(t, "chat offline", c["scopes"])
}

0 comments on commit 94c2bad

Please sign in to comment.