Test refresh tokens and don't refresh them if user doesn't exist anymore

2020-06-15 17:10:06 +02:00 · 2020-06-15 17:10:06 +02:00 · 305772fb20
commit 305772fb20
parent 7c364c7295
2 changed files with 68 additions and 0 deletions
--- a/api/src/routing/AuthController.kt
+++ b/api/src/routing/AuthController.kt
@ -51,6 +51,9 @@ fun Routing.auth(kodein: Kodein) {
            return@post call.respondStatus(HttpStatusCode.Unauthorized)
        }

+        if (!userService.userExists(id))
+            return@post call.respondStatus(HttpStatusCode.Unauthorized)
+
        val response = DualToken(
            token = authSimpleJwt.sign(id),
            refreshToken = refreshSimpleJwt.sign(id)
--- a/api/test/integration/routing/AuthControllerKtTest.kt
+++ b/api/test/integration/routing/AuthControllerKtTest.kt
@ -2,9 +2,12 @@ package integration.routing

 import be.vandewalleh.auth.SimpleJWT
 import be.vandewalleh.entities.User
+import be.vandewalleh.features.Config
 import be.vandewalleh.mainModule
 import be.vandewalleh.module
 import be.vandewalleh.services.UserService
+import com.auth0.jwt.JWT
+import com.auth0.jwt.algorithms.Algorithm
 import io.ktor.http.*
 import io.ktor.server.testing.*
 import io.mockk.every
@ -18,6 +21,7 @@ import org.kodein.di.generic.bind
 import org.kodein.di.generic.instance
 import org.mindrot.jbcrypt.BCrypt
 import utils.*
+import java.util.*

@TestInstance(TestInstance.Lifecycle.PER_CLASS)
 class AuthControllerKtTest {
@ -43,6 +47,8 @@ class AuthControllerKtTest {
        every { userService.getFromUsername("wrong") } returns user2

        every { userService.getFromUsername("notExisting") } returns null
+
+        every { userService.userExists(3) } returns false
    }


@ -126,5 +132,64 @@ class AuthControllerKtTest {

    }

+    @Nested
+    inner class Refresh {
+
+        @Test
+        fun `test valid refresh token`() {
+            val refreshJwt by kodein.instance<SimpleJWT>(tag = "refresh")
+            val refreshToken = refreshJwt.sign(1)
+
+            val res = testEngine.post("/user/refresh_token") {
+                json {
+                    it["refreshToken"] = refreshToken
+                }
+            }
+
+            val jsonObject = JSONObject(res.content)
+            jsonObject.keyList() `should be equal to` listOf("token", "refreshToken")
+
+            verify { userService.userExists(1) }
+            res.status() `should be equal to` HttpStatusCode.OK
+        }
+
+        @Test
+        fun `test valid refresh token for deleted user`() {
+            val refreshJwt by kodein.instance<SimpleJWT>(tag = "refresh")
+            val refreshToken = refreshJwt.sign(3)
+
+            val res = testEngine.post("/user/refresh_token") {
+                json {
+                    it["refreshToken"] = refreshToken
+                }
+            }
+
+            verify { userService.userExists(3) }
+            res.status() `should be equal to` HttpStatusCode.Unauthorized
+            res.content `should strictly be equal to json` """{msg: "Unauthorized"}"""
+        }
+
+        @Test
+        fun `test expired refresh token for existing user`() {
+            val config by kodein.instance<Config>()
+            val algorithm = Algorithm.HMAC256(config.jwt.refresh.secret.value)
+
+            val expiredToken = JWT.create()
+                .withClaim("id", 1)
+                .withExpiresAt(Date(0)) // January 1, 1970, 00:00:00 GMT
+                .sign(algorithm)
+
+            val res = testEngine.post("/user/refresh_token") {
+                json {
+                    it["refreshToken"] = expiredToken
+                }
+            }
+
+            res.status() `should be equal to` HttpStatusCode.Unauthorized
+            res.content `should strictly be equal to json` """{msg: "Unauthorized"}"""
+        }
+
+    }
+

 }