Fix refresh token requests missing token options

AuthGuard · Dec 24, 2023 · 0326f8d · 0326f8d
1 parent 0065654
commit 0326f8d
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 14 deletions.
diff --git a/jwt/src/main/java/com/nexblocks/authguard/jwt/exchange/RefreshToAccessToken.java b/jwt/src/main/java/com/nexblocks/authguard/jwt/exchange/RefreshToAccessToken.java
@@ -20,6 +20,7 @@
 
 import java.time.Instant;
 import java.util.Objects;
+import java.util.Optional;
 
 @TokenExchange(from = "refresh", to = "accessToken")
 public class RefreshToAccessToken implements Exchange {
@@ -79,9 +80,11 @@ private Either<Exception, AuthResponseBO> generate(final AccountTokenDO accountT
             return Either.left(error);
         }
 
-        if (!validateTokenValues(accountToken, authRequest)) {
+        Optional<String> invalidTokenValues = getInvalidTokenValues(accountToken, authRequest);
+
+        if (invalidTokenValues.isPresent()) {
             ServiceAuthorizationException error =
-                    new ServiceAuthorizationException(ErrorCode.EXPIRED_TOKEN, "Refresh token has expired",
+                    new ServiceAuthorizationException(ErrorCode.INVALID_TOKEN, invalidTokenValues.get(),
                             EntityType.ACCOUNT, accountToken.getAssociatedAccountId());
 
             return Either.left(error);
@@ -94,7 +97,17 @@ private Either<Exception, AuthResponseBO> generateNewTokens(final AccountTokenDO
         long accountId = accountToken.getAssociatedAccountId();
         TokenRestrictionsBO tokenRestrictions = serviceMapper.toBO(accountToken.getTokenRestrictions());
 
-        return getAccount(accountId, accountToken).map(account -> accessTokenProvider.generateToken(account, tokenRestrictions));
+        final TokenOptionsBO options = TokenOptionsBO.builder()
+                .source(accountToken.getSourceAuthType())
+                .userAgent(accountToken.getUserAgent())
+                .sourceIp(accountToken.getSourceIp())
+                .clientId(accountToken.getClientId())
+                .externalSessionId(accountToken.getExternalSessionId())
+                .deviceId(accountToken.getDeviceId())
+                .build();
+
+        return getAccount(accountId, accountToken)
+                .map(account -> accessTokenProvider.generateToken(account, tokenRestrictions, options));
     }
 
     private Either<Exception, AccountBO> getAccount(final long accountId, final AccountTokenDO accountToken) {
@@ -114,32 +127,42 @@ private boolean validateExpirationDateTime(final AccountTokenDO accountToken) {
         return now.isBefore(accountToken.getExpiresAt());
     }
 
-    private boolean validateTokenValues(final AccountTokenDO accountToken, AuthRequest authRequest) {
+    private Optional<String> getInvalidTokenValues(final AccountTokenDO accountToken, AuthRequest authRequest) {
         if (jwtConfig.checkRefreshTokenOption()) {
             if (!Objects.equals(accountToken.getClientId(), authRequest.getClientId())) {
-                return false;
+                LOG.warn("Request received with unexpected client ID. expected={}, request={}",
+                        accountToken.getClientId(), authRequest);
+                return Optional.of("Client ID value mismatch");
             }
 
             if (!Objects.equals(accountToken.getDeviceId(), authRequest.getDeviceId())) {
-                return false;
+                LOG.warn("Request received with unexpected device ID. expected={}, request={}",
+                        accountToken.getDeviceId(), authRequest);
+                return Optional.of("Device ID value mismatch");
             }
 
             if (!Objects.equals(accountToken.getUserAgent(), authRequest.getUserAgent())) {
-                return false;
+                LOG.warn("Request received with unexpected user agent. expected={}, request={}",
+                        accountToken.getUserAgent(), authRequest);
+                return Optional.of("User agent value mismatch");
             }
 
             if (!Objects.equals(accountToken.getExternalSessionId(), authRequest.getExternalSessionId())) {
-                return false;
+                LOG.warn("Request received with unexpected external session ID. expected={}, request={}",
+                        accountToken.getExternalSessionId(), authRequest);
+                return Optional.of("External session ID value mismatch");
             }
         }
 
         if (jwtConfig.checkRefreshTokenRequestIp()) {
             if (!Objects.equals(accountToken.getSourceIp(), authRequest.getSourceIp())) {
-                return false;
+                LOG.warn("Request received with unexpected source IP. expected={}, request={}",
+                        accountToken.getSourceIp(), authRequest);
+                return Optional.of("Source IP value mismatch");
             }
         }
 
-        return true;
+        return Optional.empty();
     }
 
     private void deleteRefreshToken(final AccountTokenDO accountToken) {

diff --git a/rest/src/main/java/com/nexblocks/authguard/rest/routes/AuthRoute.java b/rest/src/main/java/com/nexblocks/authguard/rest/routes/AuthRoute.java
@@ -84,10 +84,16 @@ public void logout(final Context context) {
 
     @Override
     public void refresh(final Context context) {
-        final AuthRequestDTO authenticationRequest = authRequestBodyHandler.getValidated(context);
+        final Optional<AuthRequestDTO> authRequest = getValidRequestOrFail(context);
+
+        if (authRequest.isEmpty()) {
+            return;
+        }
+
         final RequestContextBO requestContext = RequestContextExtractor.extractWithoutIdempotentKey(context);
 
-        final Optional<AuthResponseDTO> tokens = authenticationService.refresh(restMapper.toBO(authenticationRequest), requestContext)
+        final Optional<AuthResponseDTO> tokens =
+                authenticationService.refresh(restMapper.toBO(authRequest.get()), requestContext)
                 .map(restMapper::toDTO);
 
         if (tokens.isPresent()) {

diff --git a/service/src/main/java/com/nexblocks/authguard/service/impl/ExchangeServiceImpl.java b/service/src/main/java/com/nexblocks/authguard/service/impl/ExchangeServiceImpl.java
@@ -60,7 +60,8 @@ public AuthResponseBO exchange(final AuthRequestBO authRequest, final String fro
         final Either<Exception, AuthResponseBO> result = exchange.exchange(authRequest);
 
         if (result.isRight()) {
-            LOG.info("Successful exchange. request={}", authRequest);
+            LOG.info("Successful exchange. from={}, to={}, request={}",
+                    fromTokenType, toTokenType, authRequest);
             final AuthResponseBO tokens = result.get();
 
             exchangeSuccess(authRequest, requestContext, tokens, fromTokenType, toTokenType);
@@ -69,7 +70,8 @@ public AuthResponseBO exchange(final AuthRequestBO authRequest, final String fro
         } else {
             final Exception e = result.getLeft();
 
-            LOG.info("Unsuccessful exchange. request={}, error={}", authRequest, e.getMessage());
+            LOG.info("Unsuccessful exchange. from={}, to={}, request={}, error={}", fromTokenType, toTokenType,
+                    authRequest, e.getMessage());
 
             exchangeFailure(authRequest, requestContext, e, fromTokenType, toTokenType);