When refreshing an access_token fails do not create authorization request

pixtron · pixtron · commit 3ee01e7796ac · 2020-01-29T12:24:35.000-05:00
Related to: #231
diff --git a/app/lib/auth/controller.js b/app/lib/auth/controller.js
@@ -238,25 +238,15 @@ module.exports = function(env, clientConfig) {
         var idpConfig = getIdPByProviderUrl(oidcProvider);
       }
 
-      oidc.signin(idpConfig).then((authorization) => {
-        if(authorization === true)  {
-          logger.error('can not accept new authorization after refresh access_token', {
+      oidc.refreshAccessToken(idpConfig).then(() => {
+        verifyAuthentication().then(resolve).catch((error) => {
+          logger.error('failed refresh access_token', {
             category: 'auth',
+            error: error
           });
 
-          reject()
-        } else {
-          verifyAuthentication().then(() => {
-            resolve();
-          }).catch((error) => {
-            logger.error('failed refresh access_token', {
-              category: 'auth',
-              error: error
-            });
-
-            reject(error)
-          });
-        }
+          reject(error);
+        });
       }).catch(reject);
     });
   }
@@ -322,26 +312,17 @@ module.exports = function(env, clientConfig) {
     });
   }
 
+//TODO pixtron - iss-168 unify verifyNewLogin and verifyAuthentication
+//TODO pixtron - we can remove these? clientConfig.set('oidcProvider', undefined);
   function oidcAuth(idpConfig) {
     return new Promise(function(resolve, reject) {
-      oidc.signin(idpConfig).then((authorization) => {
-        if(authorization === true)  {
-          verifyNewLogin().then(resolve).catch((error) => {
-            clientConfig.set('oidcProvider', undefined);
-            logger.error('failed to authorize via oidc', {category: 'auth', error});
-
-            reject(error)
-          });
-        } else {
-          verifyAuthentication().then(() => {
-            resolve(false);
-          }).catch((error) => {
-            clientConfig.set('oidcProvider', undefined);
-            logger.error('failed signin via oidc', {category: 'auth', error});
+      oidc.signin(idpConfig).then(() => {
+        verifyNewLogin().then(resolve).catch((error) => {
+          clientConfig.set('oidcProvider', undefined);
+          logger.error('failed to authorize via oidc', {category: 'auth', error});
 
-            reject(error)
-          });
-        }
+          reject(error)
+        });
       }).catch(reject);
     });
   }
@@ -382,29 +363,14 @@ module.exports = function(env, clientConfig) {
           return reject(err);
         }
 
-        switch(clientConfig.get('authMethod')) {
+        var authMethod = clientConfig.get('authMethod');
+        switch(authMethod) {
           case 'oidc':
-            var oidcProvider = clientConfig.get('oidcProvider');
-
-            if(oidcProvider === undefined) {
-              logger.info('login no oidc provider, open startup configuration', {category: 'auth'});
-              startup().then(resolve).catch(reject);
-            } else {
-              var idpConfig = getIdPByProviderUrl(oidcProvider);
-              oidcAuth(idpConfig).then(resolve).catch((err) => {
-                logger.info('oidc login failed, open startup configuration', {
-                  category: 'auth',
-                  error: err
-                });
-
-                startup().then(resolve).catch(reject);
-              });
-            }
-          break;
           case 'token':
             refreshAccessToken().then(resolve).catch((error) => {
-              logger.info('token login failed, open startup configuration', {
+              logger.info('login failed, open startup configuration', {
                 category: 'auth',
+                authMethod: authMethod,
                 error: err
               });
 
diff --git a/app/lib/oidc/controller.js b/app/lib/oidc/controller.js
@@ -29,17 +29,7 @@ module.exports = function (env, clientConfig) {
       _signin(idp)
         .then(result => resolve(result))
         .catch(err => {
-          if(err.message &&
-            (
-              /ENOTFOUND|ETIMEDOUT|ENETUNREACH|EHOSTUNREACH|ECONNREFUSED|EHOSTDOWN|ESOCKETTIMEDOUT|ECONNRESET/.test(err.message)
-              ||
-              err.message === 'Error: socket hang up'
-            )
-          ) {
-            err = new OidcError(err.message, 'E_BLN_OIDC_NETWORK');
-          }
-
-          reject(err);
+          reject(_checkForNetworkErrors(err));
         })
     });
   }
@@ -50,60 +40,15 @@ module.exports = function (env, clientConfig) {
       fetchServiceConfiguration().then(config => {
         configuration = config;
         initIdp();
-        var oidcAuth = clientConfig.get('oidcProvider');
-
-        if(oidcAuth) {
-          clientConfig.retrieveSecret('refreshToken').then((secret) => {
-            logger.info('found refreshToken, trying to request new access token', {
-              category: 'openid-connect'
-            });
-
-            makeAccessTokenRequest(configuration, secret).then((response) => {
-              _storeSecrets(response)
-                .then(() => {
-                  clientConfig.set('accessTokenExpires', response.issuedAt + response.expiresIn);
-                  resolve();
-                })
-                .catch(err => {
-                  logger.error('Could not store accessToken', {catgory: 'openid-connect', err});
-                  reject(err);
-                });
-            }).catch((error) => {
-              logger.info('failed to retrieve accessToken, request new refreshToken', {category: 'openid-connect', error});
-
-              makeAuthorizationRequest()
-                .then(() => {
-                  resolve(true);
-                })
-                .catch((error) => {
-                  logger.error('failed to retrieve refreshToken', {
-                    category: 'openid-connect',
-                    error: error
-                  });
-
-                  reject(error);
-                });
-            });
-          }).catch((error) => {
-            logger.error('failed to read refreshToken from secret store', {
-              category: 'openid-connect',
-              error: error
-            });
 
-            reject(error);
+        makeAuthorizationRequest().then(resolve).catch((error) => {
+          logger.error('failed to retrieve refreshToken', {
+            category: 'openid-connect',
+            error: error
           });
-        } else {
-          makeAuthorizationRequest().then((respone) => {
-            resolve(true);
-          }).catch((error) => {
-            logger.error('failed to retrieve refreshToken', {
-              category: 'openid-connect',
-              error: error
-            });
 
-            reject(error);
-          });
-        }
+          reject(error);
+        });
       }).catch(reject); //catch fetchServiceConfiguration
     });
   }
@@ -241,6 +186,55 @@ module.exports = function (env, clientConfig) {
       });
   }
 
+  function refreshAccessToken(idp) {
+    return new Promise(function(resolve, reject) {
+      _refreshAccessToken(idp)
+        .then(resolve)
+        .catch(err => {
+          reject(_checkForNetworkErrors(err));
+        })
+    });
+  }
+
+  function _refreshAccessToken(idp) {
+    idpConfig = idp;
+    return new Promise((resolve, reject) => {
+      fetchServiceConfiguration().then(config => {
+        configuration = config;
+        initIdp();
+
+        clientConfig.retrieveSecret('refreshToken').then((secret) => {
+          logger.info('found refreshToken, trying to request new access token', {
+            category: 'openid-connect'
+          });
+
+          makeAccessTokenRequest(configuration, secret).then((response) => {
+            _storeSecrets(response)
+              .then(() => {
+                clientConfig.set('accessTokenExpires', response.issuedAt + response.expiresIn);
+                resolve();
+              })
+              .catch(err => {
+                logger.error('Could not store accessToken', {catgory: 'openid-connect', err});
+                reject(err);
+              });
+          }).catch((error) => {
+            logger.info('failed to refresh accessToken', {category: 'openid-connect', error});
+
+            reject(error);
+          });
+        }).catch((error) => {
+          logger.error('failed to read refreshToken from secret store', {
+            category: 'openid-connect',
+            error: error
+          });
+
+          reject(error);
+        });
+      }).catch(reject);
+    });
+  }
+
   function makeRevokeTokenRequest(configuration, refreshToken) {
     let options = {
       token: refreshToken,
@@ -298,8 +292,23 @@ module.exports = function (env, clientConfig) {
     return Promise.all(promises)
   }
 
+  function _checkForNetworkErrors(err) {
+    if(err.message &&
+      (
+        /ENOTFOUND|ETIMEDOUT|ENETUNREACH|EHOSTUNREACH|ECONNREFUSED|EHOSTDOWN|ESOCKETTIMEDOUT|ECONNRESET/.test(err.message)
+        ||
+        err.message === 'Error: socket hang up'
+      )
+    ) {
+      err = new OidcError(err.message, 'E_BLN_OIDC_NETWORK');
+    }
+
+    return err;
+  }
+
   return {
     signin,
-    revokeToken
+    revokeToken,
+    refreshAccessToken,
   };
 };
diff --git a/app/ui/startup/controller.js b/app/ui/startup/controller.js
@@ -114,7 +114,7 @@ module.exports = function(env, clientConfig) {
         ||
         !clientConfig.isActiveInstance()
         ||
-        instance.getInstance(clientConfig) === null
+        instance.getInstance(clientConfig.get('username'), clientConfig.get('blnUrl'), clientConfig.get('context')) === null
     );
   }
 

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,7 @@ module.exports = function(env, clientConfig) {`
`114`	`114`	`\|\|`
`115`	`115`	`!clientConfig.isActiveInstance()`
`116`	`116`	`\|\|`
`117`		`- instance.getInstance(clientConfig) === null`
	`117`	`+ instance.getInstance(clientConfig.get('username'), clientConfig.get('blnUrl'), clientConfig.get('context')) === null`
`118`	`118`	`);`
`119`	`119`	`}`
`120`	`120`