remote authority check on refresh token endpoint

Author: bfwg

src/main/java/com/bfwg/rest/AuthenticationController.java

@@ -6,7 +6,6 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
@@ -33,7 +32,6 @@ public class AuthenticationController {
     private String TOKEN_COOKIE;
 
     @RequestMapping(value = "/refresh", method = RequestMethod.GET)
-    @PreAuthorize("hasRole('USER')")
     public ResponseEntity<?> refreshAuthenticationToken(HttpServletRequest request, HttpServletResponse response) {
 
         String authToken = tokenHelper.getToken( request );

src/main/java/com/bfwg/security/auth/TokenAuthenticationFilter.java

@@ -44,12 +44,15 @@ public void doFilterInternal(HttpServletRequest request, HttpServletResponse res
             } catch (IllegalArgumentException e) {
                 logger.error("an error occured during getting username from token", e);
             }
-            // get user
-            UserDetails userDetails = userDetailsService.loadUserByUsername(username);
-            // create authentication
-            TokenBasedAuthentication authentication = new TokenBasedAuthentication(userDetails);
-            authentication.setToken(authToken);
-            SecurityContextHolder.getContext().setAuthentication(authentication);
+
+            if (username != null) {
+                // get user
+                UserDetails userDetails = userDetailsService.loadUserByUsername(username);
+                // create authentication
+                TokenBasedAuthentication authentication = new TokenBasedAuthentication(userDetails);
+                authentication.setToken(authToken);
+                SecurityContextHolder.getContext().setAuthentication(authentication);
+            }
         }
 
         chain.doFilter(request, response);

src/main/resources/application.yml

@@ -3,7 +3,7 @@ app:
 
 jwt:
   header: Authorization
-  expires_in: 600 # 10 minutes
+  expires_in: 6 # 10 minutes
   secret: queenvictoria
   cookie: AUTH-TOKEN
 

src/test/java/com/bfwg/rest/AuthenticationControllerTest.java

@@ -1,16 +1,25 @@
 package com.bfwg.rest;
 
+import com.bfwg.model.User;
+import com.bfwg.security.TokenHelper;
+import com.bfwg.security.UserDetailsDummy;
+import io.jsonwebtoken.ExpiredJwtException;
+import org.joda.time.DateTimeUtils;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.security.test.context.support.WithAnonymousUser;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
 
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.when;
 import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -24,6 +33,12 @@ public class AuthenticationControllerTest {
 
     private MockMvc mvc;
 
+    @Autowired
+    private TokenHelper tokenHelper;
+
+    @MockBean
+    private UserDetailsService userDetailsService;
+
     @Autowired
     private WebApplicationContext context;
 
@@ -33,15 +48,30 @@ public void setup() {
                 .webAppContextSetup(context)
                 .apply(springSecurity())
                 .build();
+
+        DateTimeUtils.setCurrentMillisSystem();
+        User user = new User();
+        user.setUsername("username");
+        when(this.userDetailsService.loadUserByUsername(eq("test-user"))).thenReturn(user);
     }
 
 
     @Test
-    @WithAnonymousUser
-    public void shouldGetUnauthorizedWithAnonymousUser() throws Exception {
-        this.mvc.perform(get("/auth/refresh"))
-                .andExpect(status().isUnauthorized());
+    public void shouldGet200WhenGivenValidOldToken() throws Exception {
+
+        String token = tokenHelper.generateToken(new UserDetailsDummy("test-user").getUsername());
+        this.mvc.perform(get("/auth/refresh").header("Authorization", "Bearer " + token))
+                .andExpect(status().is(200));
+
+    }
 
+    @Test(expected = ExpiredJwtException.class)
+    public void shouldNotGet200WhenGivenInvalidOldToken() throws Exception {
+        DateTimeUtils.setCurrentMillisFixed(1L); // set time back to 1970
+        String token = tokenHelper.generateToken(new UserDetailsDummy("test-user").getUsername());
+        DateTimeUtils.setCurrentMillisSystem(); // back to now
+        ResultActions action = null;
+        this.mvc.perform(get("/auth/refresh").header("Authorization", "Bearer " + token));
     }
 
 }