fix: deactivate refresh tokens of deactivated or locked users
livio-a committed Jan 10, 2023
1 parent dcec312 commit fc892c5
Showing 4 changed files with 106 additions and 6 deletions.
2 changes: 1 addition & 1 deletion internal/command/user.go
Expand Up @@ -261,7 +261,7 @@ func (c *Commands) addUserToken(ctx context.Context, userWriteModel *UserWriteMo
if err != nil {
return nil, nil, err
}
if !isUserStateExists(userWriteModel.UserState) {
if userWriteModel.UserState != domain.UserStateActive {
return nil, nil, errors.ThrowNotFound(nil, "COMMAND-1d6Gg", "Errors.User.NotFound")
}

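Review bot: The new condition `userWriteModel.UserState != domain.UserStateActive` rejects every non-active state, not only the deactivated and locked ones named in the commit title, and reports all of them as `Errors.User.NotFound`; if `domain.UserState` has an initial/unverified value, token issuance for such users is now refused too, which should be confirmed as intended. Reporting a locked or deactivated account as not-found is a defensible anti-enumeration choice, but nothing in the code says so, and a later reader may "fix" it into a more specific error. I would add above the check: `// Only active users may obtain tokens. Every other state (deactivated, locked, removed, ...) is deliberately reported as NotFound so the response does not reveal the account's state.` addUserToken begins before this hunk and continues after it.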
9 changes: 8 additions & 1 deletion internal/command/user_human_refresh_token_model.go
Expand Up @@ -18,6 +18,7 @@ type HumanRefreshTokenWriteModel struct {
UserState domain.UserState
IdleExpiration time.Time
Expiration time.Time
UserAgentID string
}

func NewHumanRefreshTokenWriteModel(userID, resourceOwner, tokenID string) *HumanRefreshTokenWriteModel {
Expand Down Expand Up @@ -48,6 +49,8 @@ func (wm *HumanRefreshTokenWriteModel) AppendEvents(events ...eventstore.Event)
continue
}
wm.WriteModel.AppendEvents(e)
default:
wm.WriteModel.AppendEvents(e)
}
}
}
Expand All @@ -61,14 +64,18 @@ func (wm *HumanRefreshTokenWriteModel) Reduce() error {
wm.IdleExpiration = e.CreationDate().Add(e.IdleExpiration)
wm.Expiration = e.CreationDate().Add(e.Expiration)
wm.UserState = domain.UserStateActive
wm.UserAgentID = e.UserAgentID
case *user.HumanRefreshTokenRenewedEvent:
if wm.UserState == domain.UserStateActive {
wm.RefreshToken = e.RefreshToken
}
wm.RefreshToken = e.RefreshToken
wm.IdleExpiration = e.CreationDate().Add(e.IdleExpiration)
case *user.HumanSignedOutEvent:
if wm.UserAgentID == e.UserAgentID {
wm.UserState = domain.UserStateDeleted
}
case *user.HumanRefreshTokenRemovedEvent,
*user.HumanSignedOutEvent,
*user.UserLockedEvent,
*user.UserDeactivatedEvent,
*user.UserRemovedEvent:
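Review bot: In the `HumanRefreshTokenRenewedEvent` case the guard `if wm.UserState == domain.UserStateActive { wm.RefreshToken = e.RefreshToken }` is immediately followed by an unconditional `wm.RefreshToken = e.RefreshToken`, so the state check has no effect and a renewal reduced after the token was marked deleted still overwrites the stored value; drop the unconditional line, or the guard if updating regardless of state is the intent. Those lines are context here, but with this fix the command layer's rejection of locked and deactivated users rests entirely on `UserState`, so the dead guard is worth cleaning up now. Separately, once a `UserLockedEvent`, `UserDeactivatedEvent` or a `HumanSignedOutEvent` with a matching `UserAgentID` sets `UserStateDeleted`, nothing in Reduce ever brings the token back; if the repository has reactivate/unlock events that is the right fail-closed behaviour, but it deserves a comment on the case, e.g. `// Terminal: a lock, deactivation, removal, or sign-out of this token's user agent permanently invalidates the token; the user has to log in again.` Reduce continues past the end of this hunk.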
91 changes: 89 additions & 2 deletions internal/command/user_human_refresh_token_test.go
Expand Up @@ -64,10 +64,16 @@ func TestCommands_AddAccessAndRefreshToken(t *testing.T) {
},
},
{
name: "add refresh token, user inactive, error",
name: "add refresh token, user deactivated, error",
fields: fields{
eventstore: eventstoreExpect(t,
expectFilter(),
expectFilter(
eventFromEventPusher(
user.NewUserDeactivatedEvent(context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
),
),
),
),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "refreshTokenID1"),
},
Expand Down Expand Up @@ -912,6 +918,87 @@ func TestCommands_renewRefreshToken(t *testing.T) {
err: caos_errs.IsErrorInvalidArgument,
},
},
{
name: "user deactivated, error",
fields: fields{
eventstore: eventstoreExpect(t,
expectFilter(
eventFromEventPusherWithCreationDateNow(user.NewHumanRefreshTokenAddedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"tokenID",
"applicationID",
"userAgentID",
"de",
[]string{"clientID1"},
[]string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess},
[]string{"password"},
time.Now(),
1*time.Hour,
24*time.Hour,
)),
eventFromEventPusher(
user.NewUserDeactivatedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
),
),
),
),
keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)),
},
args: args{
ctx: context.Background(),
userID: "userID",
orgID: "orgID",
refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:tokenID")),
idleExpiration: 1 * time.Hour,
},
res: res{
err: caos_errs.IsErrorInvalidArgument,
},
},
{
name: "user signedout, error",
fields: fields{
eventstore: eventstoreExpect(t,
expectFilter(
eventFromEventPusherWithCreationDateNow(user.NewHumanRefreshTokenAddedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"tokenID",
"applicationID",
"userAgentID",
"de",
[]string{"clientID1"},
[]string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess},
[]string{"password"},
time.Now(),
1*time.Hour,
24*time.Hour,
)),
eventFromEventPusher(
user.NewHumanSignedOutEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"userAgentID",
),
),
),
),
keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)),
},
args: args{
ctx: context.Background(),
userID: "userID",
orgID: "orgID",
refreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:tokenID")),
idleExpiration: 1 * time.Hour,
},
res: res{
err: caos_errs.IsErrorInvalidArgument,
},
},
{
name: "token renewed, ok",
fields: fields{
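Review bot: The new `user signedout, error` case only covers a sign-out whose `"userAgentID"` equals the token's, so the branch the model actually guards on — a sign-out from a different user agent leaving this token renewable — has no test, and a regression that drops the agent comparison would go unnoticed. I would add a sibling case built from the same events but with `user.NewHumanSignedOutEvent(..., "otherUserAgentID")` and the expectations of the existing `token renewed, ok` case. Likewise there is a `user deactivated, error` case but none for `UserLockedEvent`, although the commit title covers locked users and the write model handles both events in the same case; a copy of the deactivated case with the lock event in place of `NewUserDeactivatedEvent` would pin that. The test table continues outside this hunk.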
10 changes: 8 additions & 2 deletions internal/repository/user/human.go
Expand Up @@ -396,7 +396,13 @@ func NewHumanSignedOutEvent(
}

func HumanSignedOutEventMapper(event *repository.Event) (eventstore.Event, error) {
return &HumanSignedOutEvent{
signedOut := &HumanSignedOutEvent{
BaseEvent: *eventstore.BaseEventFromRepo(event),
}, nil
}
err := json.Unmarshal(event.Data, signedOut)
if err != nil {
return nil, errors.ThrowInternal(err, "USER-WFS3g", "unable to unmarshal human signed out")
}

return signedOut, nil
}
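Review bot: `HumanSignedOutEventMapper` is exported but has no doc comment, and its behaviour change matters to callers: the mapper now fails with an internal error instead of silently yielding an event with an empty `UserAgentID`, and `json.Unmarshal` also errors on empty `event.Data`, so if any persisted signed-out event was stored without a payload, every filter over that user's aggregate would start failing rather than just that one event being ignored. I would document it as `// HumanSignedOutEventMapper decodes a persisted HumanSignedOut event including its UserAgentID payload; a payload that cannot be decoded (or is absent) is reported as an internal error rather than mapped to an event with an empty UserAgentID.` and confirm against the event store that payload-less signed-out events cannot exist before shipping. `NewHumanSignedOutEvent` closes at the top of this hunk but begins outside it.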
