Skip to content

Conversation

@franticticktick
Copy link
Contributor

Closes gh-15735

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 24, 2024
@franticticktick franticticktick force-pushed the gh-15735 branch 4 times, most recently from f3917b6 to 300b965 Compare September 24, 2024 15:06
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR @CrazyParanoid!

I've provided feedback inline.


private final JdbcOperations jdbcOperations;

private Function<OneTimeToken, List<SqlParameterValue>> oneTimeTokenParametersMapper = new OneTimeTokenParametersMapper();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless we have a need for it, let's not make this a pluggable strategy or expose it publicly. We can always do it in another iteration.


private Function<OneTimeToken, List<SqlParameterValue>> oneTimeTokenParametersMapper = new OneTimeTokenParametersMapper();

private RowMapper<OneTimeToken> oneTimeTokenRowMapper = new OneTimeTokenRowMapper();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless we have a need for it, let's not make this a pluggable strategy or expose it publicly. We can always do it in another iteration.

* @author Max Batischev
* @since 6.4
*/
public final class OneTimeTokenUtils {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's keep this package scope, alternatively it might be worth just having some duplicated logic in the Repository instances at least for now. It isn't a lot and we can always extract it out later. It also will allow us to avoid a static Clock (see my comment on the clock.


public static long DEFAULT_ONE_TIME_TOKEN_TIME_TO_LIVE = 300;

private static Clock clock = Clock.systemUTC();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't view it as ideal to have a static Clock for a few reasons.

It makes it easier to have errors when setting it.

  1. For example, the tests right now only set this before a test is ran. However, some tests override the value. All future tests that use the Clock must also set it. Alternatively, we could also set after the tests run
  2. The tests that are setting the value must know what to set the Clock to. Any changes to the Clock would likely need to be made in all of the tests.

Ensuring we are using an instance variable (perhaps on the Repository itself) would avoid all of this. It would also allow us to potentially expose the Clock on the Repository to be set in the future.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you are right. Not the best solution. I will return the logic for generating and checking the token from the InMemoryOneTimeTokenService, I will need to think about how to extract it in the next iterations.

* @author Max Batischev
* @since 6.4
*/
public final class JdbcOneTimeTokenService implements OneTimeTokenService {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a token is never consumed, then it is never deleted even after it expires. We probably need a way to ensure that expired tokens are cleaned up. Likely this would need to be done using something like a TaskScheduler. For an example of what it might look like, you can refer to JdbcIndexedSessionRepository in Spring Session.

@@ -0,0 +1,6 @@
create table one_time_tokens
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please name this one-time-tokens-schema.sql to align with the current conventions in Spring Security?

@franticticktick
Copy link
Contributor Author

franticticktick commented Sep 28, 2024

Hi @rwinch! All your comments have been resolved.

@rwinch rwinch self-assigned this Oct 1, 2024
@rwinch rwinch merged commit 50cc36d into spring-projects:main Oct 2, 2024
6 checks passed
@rwinch
Copy link
Member

rwinch commented Oct 2, 2024

Thanks for the Pull Request! This is now merged into main via 1dd79c3 😄

I added a few commits to clean things up a bit. You can see a list of the commits in #15735 or by viewing the commits merged in 1dd79c3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

status: waiting-for-triage An issue we've not yet triaged

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support One-Time Tokens in a Clustered Environment

3 participants