71410: Authorization for Downloads of restricted Bitstreams

- Add test that the ePerson session salt isn't updated when requesting a short lived token
DSpace · Jun 25, 2020 · 9f77864 · 9f77864
1 parent 6a88ef5
commit 9f77864
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java b/dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java
@@ -13,6 +13,7 @@
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.startsWith;
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotEquals;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@@ -779,10 +780,16 @@ public void testPasswordAuthenticationDoesNotWorkWithShibOnly() throws Exception
     @Test
     public void testShortLivedToken() throws Exception {
         String token = getAuthToken(eperson.getEmail(), password);
+
+        // Verify the main session salt doesn't change
+        String salt = eperson.getSessionSalt();
+
         getClient(token).perform(post("/api/authn/shortlivedtokens"))
             .andExpect(jsonPath("$.token", notNullValue()))
             .andExpect(jsonPath("$.type", is("shortlivedtoken")))
             .andExpect(jsonPath("$._links.self.href", Matchers.containsString("/api/authn/shortlivedtokens")));
+
+        assertEquals(salt, eperson.getSessionSalt());
     }
 
     @Test