From 305772fb2074d8a1b3fca634f24876af8ba73052 Mon Sep 17 00:00:00 2001
From: Hubert Van De Walle
Date: Mon, 15 Jun 2020 17:10:06 +0200
Subject: [PATCH] Test refresh tokens and don't refresh them if user doesn't exist anymore

---
 api/src/routing/AuthController.kt | 3 +
 .../routing/AuthControllerKtTest.kt | 65 +++++++++++++++++++
 2 files changed, 68 insertions(+)

diff --git a/api/src/routing/AuthController.kt b/api/src/routing/AuthController.kt
index 93d4f26..d9f3810 100644
--- a/api/src/routing/AuthController.kt
+++ b/api/src/routing/AuthController.kt
@@ -51,6 +51,9 @@ fun Routing.auth(kodein: Kodein) {
 return@post call.respondStatus(HttpStatusCode.Unauthorized)
 }
+ if (!userService.userExists(id))
+ return@post call.respondStatus(HttpStatusCode.Unauthorized)
+
 val response = DualToken(
 token = authSimpleJwt.sign(id),
 refreshToken = refreshSimpleJwt.sign(id)
diff --git a/api/test/integration/routing/AuthControllerKtTest.kt b/api/test/integration/routing/AuthControllerKtTest.kt
index 3048716..e3e03cd 100644
--- a/api/test/integration/routing/AuthControllerKtTest.kt
+++ b/api/test/integration/routing/AuthControllerKtTest.kt
@@ -2,9 +2,12 @@ package integration.routing
 import be.vandewalleh.auth.SimpleJWT
 import be.vandewalleh.entities.User
+import be.vandewalleh.features.Config
 import be.vandewalleh.mainModule
 import be.vandewalleh.module
 import be.vandewalleh.services.UserService
+import com.auth0.jwt.JWT
+import com.auth0.jwt.algorithms.Algorithm
 import io.ktor.http.*
 import io.ktor.server.testing.*
 import io.mockk.every
@@ -18,6 +21,7 @@ import org.kodein.di.generic.bind
 import org.kodein.di.generic.instance
 import org.mindrot.jbcrypt.BCrypt
 import utils.*
+import java.util.*
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
 class AuthControllerKtTest {
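Review bot: The existence check added before `val response = DualToken(` rejects a deleted user, but it is the only server-side condition on the refresh path, and the replacement refresh token on the last line is signed from `id` alone, so nothing visible here ties the token to a session that could be revoked or rotated; a valid refresh token can be exchanged for a fresh pair for as long as the user row exists. If `userService` also models a locked, disabled or soft-deleted state, it is presumably not covered by `userExists`, so the check should either be widened or documented as deletion-only, e.g. `// Signature and expiry were verified above; also refuse to mint a new pair if the subject was deleted since issuance.` Both failure branches return the same `HttpStatusCode.Unauthorized`, which is the right choice because it does not distinguish a bad token from a missing user. The two-line `if` without braces is easy to mis-extend later; `if (!userService.userExists(id)) { return@post call.respondStatus(HttpStatusCode.Unauthorized) }` keeps it safe. The enclosing `Routing.auth` starts and ends outside the hunk.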
@@ -43,6 +47,8 @@ class AuthControllerKtTest {
 every { userService.getFromUsername("wrong") } returns user2
 every { userService.getFromUsername("notExisting") } returns null
+
+ every { userService.userExists(3) } returns false
 }
@@ -126,5 +132,64 @@ class AuthControllerKtTest {
 }
+ @Nested
+ inner class Refresh {
+
+ @Test
+ fun `test valid refresh token`() {
+ val refreshJwt by kodein.instance(tag = "refresh")
+ val refreshToken = refreshJwt.sign(1)
+
+ val res = testEngine.post("/user/refresh_token") {
+ json {
+ it["refreshToken"] = refreshToken
+ }
+ }
+
+ val jsonObject = JSONObject(res.content)
+ jsonObject.keyList() `should be equal to` listOf("token", "refreshToken")
+
+ verify { userService.userExists(1) }
+ res.status() `should be equal to` HttpStatusCode.OK
+ }
+
+ @Test
+ fun `test valid refresh token for deleted user`() {
+ val refreshJwt by kodein.instance(tag = "refresh")
+ val refreshToken = refreshJwt.sign(3)
+
+ val res = testEngine.post("/user/refresh_token") {
+ json {
+ it["refreshToken"] = refreshToken
+ }
+ }
+
+ verify { userService.userExists(3) }
+ res.status() `should be equal to` HttpStatusCode.Unauthorized
+ res.content `should strictly be equal to json` """{msg: "Unauthorized"}"""
+ }
+
+ @Test
+ fun `test expired refresh token for existing user`() {
+ val config by kodein.instance()
+ val algorithm = Algorithm.HMAC256(config.jwt.refresh.secret.value)
+
+ val expiredToken = JWT.create()
+ .withClaim("id", 1)
+ .withExpiresAt(Date(0)) // January 1, 1970, 00:00:00 GMT
+ .sign(algorithm)
+
+ val res = testEngine.post("/user/refresh_token") {
+ json {
+ it["refreshToken"] = expiredToken
+ }
+ }
+
+ res.status() `should be equal to` HttpStatusCode.Unauthorized
+ res.content `should strictly be equal to json` """{msg: "Unauthorized"}"""
+ }
+
+ }
+
 }
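Review bot: The new `Refresh` tests cover a valid token, a deleted user and an expired token, but none of them presents a token produced by the access-token signer (`authSimpleJwt` in the controller hunk) to `/user/refresh_token`, so the suite would not notice if the two `SimpleJWT` instances ever came to share a secret or claim layout and an access token became usable to mint a new pair. The expired-token test already reaches for `config.jwt.refresh.secret.value`, so a sibling test that signs with the access-token instance and expects `HttpStatusCode.Unauthorized` fits the same pattern, and a tampered-signature case (the `Date(0)` builder signed with a different key but a future expiry) would round it out. The first test asserts the response keys but not that the returned `refreshToken` decodes to `id` 1 or differs from the one submitted; `JWT.decode(returned).getClaim("id").asInt()` compared against 1 would pin that. The `inner class Refresh` is complete in the hunk, but the enclosing `AuthControllerKtTest` starts outside it.
```kotlin
        // … existing Refresh tests unchanged …

        @Test
        fun `test access token is rejected as refresh token`() {
            // <ACCESS_TOKEN_SIGNER_TAG> is a placeholder for the kodein tag bound to authSimpleJwt
            val accessJwt by kodein.instance<SimpleJWT>(tag = "<ACCESS_TOKEN_SIGNER_TAG>")
            val accessToken = accessJwt.sign(1)

            val res = testEngine.post("/user/refresh_token") {
                json {
                    it["refreshToken"] = accessToken
                }
            }

            res.status() `should be equal to` HttpStatusCode.Unauthorized
            res.content `should strictly be equal to json` """{msg: "Unauthorized"}"""
        }
```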