hubert/SimpleNotes
1
0
Fork 0
Code Projects Releases Activity

Test refresh tokens and don't refresh them if user doesn't exist anymore

Browse Source
This commit is contained in:
Hubert Van De Walle 2020-06-15 17:10:06 +02:00
parent 7c364c7295
commit 305772fb20
2 changed files with 68 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
api/src/routing/AuthController.kt
View File

@ -51,6 +51,9 @@ fun Routing.auth(kodein: Kodein) {
return@post call.respondStatus(HttpStatusCode.Unauthorized) return@post call.respondStatus(HttpStatusCode.Unauthorized)
} }
if (!userService.userExists(id))
return@post call.respondStatus(HttpStatusCode.Unauthorized)
val response = DualToken( val response = DualToken(
token = authSimpleJwt.sign(id), token = authSimpleJwt.sign(id),
refreshToken = refreshSimpleJwt.sign(id) refreshToken = refreshSimpleJwt.sign(id)

65
api/test/integration/routing/AuthControllerKtTest.kt
View File

@ -2,9 +2,12 @@ package integration.routing
import be.vandewalleh.auth.SimpleJWT import be.vandewalleh.auth.SimpleJWT
import be.vandewalleh.entities.User import be.vandewalleh.entities.User
import be.vandewalleh.features.Config
import be.vandewalleh.mainModule import be.vandewalleh.mainModule
import be.vandewalleh.module import be.vandewalleh.module
import be.vandewalleh.services.UserService import be.vandewalleh.services.UserService
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import io.ktor.http.* import io.ktor.http.*
import io.ktor.server.testing.* import io.ktor.server.testing.*
import io.mockk.every import io.mockk.every
@ -18,6 +21,7 @@ import org.kodein.di.generic.bind
import org.kodein.di.generic.instance import org.kodein.di.generic.instance
import org.mindrot.jbcrypt.BCrypt import org.mindrot.jbcrypt.BCrypt
import utils.* import utils.*
import java.util.*
@TestInstance(TestInstance.Lifecycle.PER_CLASS) @TestInstance(TestInstance.Lifecycle.PER_CLASS)
class AuthControllerKtTest { class AuthControllerKtTest {
@ -43,6 +47,8 @@ class AuthControllerKtTest {
every { userService.getFromUsername("wrong") } returns user2 every { userService.getFromUsername("wrong") } returns user2
every { userService.getFromUsername("notExisting") } returns null every { userService.getFromUsername("notExisting") } returns null
every { userService.userExists(3) } returns false
} }
@ -126,5 +132,64 @@ class AuthControllerKtTest {
} }
@Nested
inner class Refresh {
@Test
fun `test valid refresh token`() {
val refreshJwt by kodein.instance<SimpleJWT>(tag = "refresh")
val refreshToken = refreshJwt.sign(1)
val res = testEngine.post("/user/refresh_token") {
json {
it["refreshToken"] = refreshToken
}
}
val jsonObject = JSONObject(res.content)
jsonObject.keyList() `should be equal to` listOf("token", "refreshToken")
verify { userService.userExists(1) }
res.status() `should be equal to` HttpStatusCode.OK
}
@Test
fun `test valid refresh token for deleted user`() {
val refreshJwt by kodein.instance<SimpleJWT>(tag = "refresh")
val refreshToken = refreshJwt.sign(3)
val res = testEngine.post("/user/refresh_token") {
json {
it["refreshToken"] = refreshToken
}
}
verify { userService.userExists(3) }
res.status() `should be equal to` HttpStatusCode.Unauthorized
res.content `should strictly be equal to json` """{msg: "Unauthorized"}"""
}
@Test
fun `test expired refresh token for existing user`() {
val config by kodein.instance<Config>()
val algorithm = Algorithm.HMAC256(config.jwt.refresh.secret.value)
val expiredToken = JWT.create()
.withClaim("id", 1)
.withExpiresAt(Date(0)) // January 1, 1970, 00:00:00 GMT
.sign(algorithm)
val res = testEngine.post("/user/refresh_token") {
json {
it["refreshToken"] = expiredToken
}
}
res.status() `should be equal to` HttpStatusCode.Unauthorized
res.content `should strictly be equal to json` """{msg: "Unauthorized"}"""
}
}
} }