fix: invalid refresh token should return 400
Return 400 with payload {error: invalid_grant, ...}

Close: #235
sdelamo committed May 14, 2020
1 parent a8eaaac commit dcb34b9
Showing 2 changed files with 38 additions and 10 deletions.
Expand Up @@ -16,7 +16,6 @@
package io.micronaut.security.token.jwt.endpoints;

import io.micronaut.context.annotation.Requires;
import io.micronaut.core.async.publisher.Publishers;
import io.micronaut.core.util.StringUtils;
import io.micronaut.http.HttpResponse;
import io.micronaut.http.MediaType;
Expand All @@ -25,7 +24,6 @@
import io.micronaut.http.annotation.Error;
import io.micronaut.http.annotation.Post;
import io.micronaut.security.annotation.Secured;
import io.micronaut.security.authentication.UserDetails;
import io.micronaut.security.errors.IssuingAnAccessTokenErrorCode;
import io.micronaut.security.errors.OauthErrorResponseException;
import io.micronaut.security.rules.SecurityRule;
Expand All @@ -35,7 +33,6 @@
import io.micronaut.security.token.validator.RefreshTokenValidator;
import io.micronaut.validation.Validated;
import io.reactivex.Single;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand Down Expand Up @@ -87,13 +84,12 @@ public Single<HttpResponse<AccessRefreshToken>> index(@Valid TokenRefreshRequest
if (LOG.isDebugEnabled()) {
LOG.debug("grantType: {} refreshToken: {}", tokenRefreshRequest.getGrantType(), tokenRefreshRequest.getRefreshToken());
}

Publisher<UserDetails> userDetailsPublisher = refreshTokenValidator.validate(tokenRefreshRequest.getRefreshToken())
.map(refreshTokenPersistence::getUserDetails)
.orElseGet(Publishers::empty);

return Single.fromPublisher(userDetailsPublisher)
.map(userDetails -> {
Optional<String> validRefreshToken = refreshTokenValidator.validate(tokenRefreshRequest.getRefreshToken());
if (!validRefreshToken.isPresent()) {
throw new OauthErrorResponseException(IssuingAnAccessTokenErrorCode.INVALID_GRANT, "Refresh token is invalid", null);
}
return Single.fromPublisher(refreshTokenPersistence.getUserDetails(validRefreshToken.get()))
.map(userDetails -> {
Optional<AccessRefreshToken> accessRefreshToken = accessRefreshTokenGenerator.generate(tokenRefreshRequest.getRefreshToken(), userDetails);
if (accessRefreshToken.isPresent()) {
return HttpResponse.ok(accessRefreshToken.get());
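Review bot: The added `Single.fromPublisher(refreshTokenPersistence.getUserDetails(validRefreshToken.get()))` still converts an empty publisher into a NoSuchElementException rather than the invalid_grant response, so a token that passes `refreshTokenValidator.validate` but has no persisted entry (revoked, already rotated, or never stored, if the persistence can complete without emitting) would presumably surface as a 500 instead of the 400 this commit sets out to return. If the RxJava version in use supports `Maybe.switchIfEmpty(SingleSource)`, that case can be routed through the same exception, e.g. `Flowable.fromPublisher(refreshTokenPersistence.getUserDetails(validRefreshToken.get())).firstElement().switchIfEmpty(Single.error(new OauthErrorResponseException(IssuingAnAccessTokenErrorCode.INVALID_GRANT, "Refresh token is invalid", null)))` (needs an `io.reactivex.Flowable` import), keeping the message identical so a caller cannot distinguish an unsigned token from an unknown one. Not part of this change but visible as context at the top of the hunk, the debug statement logs the raw refresh token; a credential should not reach logs at any level, and a fixed redaction or a digest would be safer. The `index` method starts and ends outside the hunk.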
Expand Up @@ -107,6 +107,38 @@ class OauthControllerSpec extends Specification {
originalAccessTokenClaims.get(JwtClaims.ISSUED_AT) != newAccessTokenClaims.get(JwtClaims.ISSUED_AT)
originalAccessTokenClaims.get(JwtClaims.EXPIRATION_TIME) != newAccessTokenClaims.get(JwtClaims.EXPIRATION_TIME)
originalAccessTokenClaims.get(JwtClaims.NOT_BEFORE) != newAccessTokenClaims.get(JwtClaims.NOT_BEFORE)

cleanup:
context.getBean(InMemoryRefreshTokenPersistence).tokens.clear()
}

void "trying to get a new access token with an unsigned refresh token throws exception"() {
given:
String refreshToken = 'XXX'

when:
TokenRefreshRequest tokenRefreshReq = new TokenRefreshRequest(refreshToken)
Argument<AccessRefreshToken> bodyType = Argument.of(AccessRefreshToken)
Argument<CustomErrorResponse> errorType = Argument.of(CustomErrorResponse)
client.toBlocking().exchange(HttpRequest.POST('/oauth/access_token', tokenRefreshReq), bodyType, errorType)

then:
HttpClientResponseException e = thrown()
e.response.status() == HttpStatus.BAD_REQUEST

when:
Optional<CustomErrorResponse> errorResponseOptional = e.response.getBody(CustomErrorResponse)

then:
errorResponseOptional.isPresent()

when:
CustomErrorResponse errorResponse = errorResponseOptional.get()

then:
errorResponse.error
errorResponse.error == 'invalid_grant'
errorResponse.errorDescription == 'Refresh token is invalid'
}

void "grant_type other than refresh_token returns 400 with {\"error\": \"unsupported_grant_type\"...}"() {
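Review bot: The new spec `trying to get a new access token with an unsigned refresh token throws exception` sends the literal `'XXX'`, which is not a JWT at all, so it exercises the parse-failure path rather than the missing- or wrong-signature case its name describes; a token with a well-formed header and payload but no valid signature would pin the actual signature check, and a further case for a correctly signed token that `InMemoryRefreshTokenPersistence` has never seen would show whether that path also yields 400 `invalid_grant` rather than an unhandled error, which this commit does not cover. Until such a token is used, a name like `"trying to get a new access token with a malformed refresh token returns 400 invalid_grant"` would match what is asserted. The bare `errorResponse.error` assertion is made redundant by the `== 'invalid_grant'` check on the following line and can be dropped. The spec method that begins on the last line of the hunk continues outside it.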
