reset expiration on access_token regeneration

Fixes PLAT-1289 Test Plan: do a refresh_token call make sure the expiration is reset back to 3600 (an hour) Change-Id: I17095e77211c49c43ea8ff217013d5986e6b6c91 Reviewed-on: https://gerrit.instructure.com/67373 Tested-by: Jenkins Reviewed-by: Brad Humphrey <brad@instructure.com> Product-Review: Brad Horrocks <bhorrocks@instructure.com> QA-Review: August Thornton <august@instructure.com>
2015-11-17 16:52:58 -07:00 · 2015-11-17 16:52:58 -07:00 · 62847b535b
parent d0b43c4a43
commit 62847b535b
4 changed files with 48 additions and 15 deletions
--- a/app/models/access_token.rb
+++ b/app/models/access_token.rb
@ -97,7 +97,7 @@ class AccessToken < ActiveRecord::Base
  end

  def expired?
-    expires_at && expires_at < Time.now
+    developer_key.try(:auto_expire_tokens) && expires_at && expires_at < Time.zone.now
  end

  def token=(new_token)
@ -113,6 +113,10 @@ class AccessToken < ActiveRecord::Base
  def generate_token(overwrite=false)
    if overwrite || !self.crypted_token
      self.token = CanvasSlug.generate(nil, TOKEN_SIZE)
+
+      if !self.expires_at_changed? && developer_key.try(:auto_expire_tokens)
+        self.expires_at = DateTime.now.utc + 1.hour
+      end
    end
  end

@ -183,5 +187,7 @@ class AccessToken < ActiveRecord::Base

  # It's encrypted, but end users still shouldn't see this.
  # The hint is only returned in visible_token, if protected_token is false.
-  def self.serialization_excludes; [:crypted_token, :token_hint]; end
+  def self.serialization_excludes
+    [:crypted_token, :token_hint, :crypted_refresh_token]
+  end
 end
--- a/lib/canvas/oauth/token.rb
+++ b/lib/canvas/oauth/token.rb
@ -59,7 +59,12 @@ module Canvas::Oauth
        user.access_tokens.where(developer_key_id: key).destroy_all if replace_tokens || key.replace_tokens

        # Then create a new one
-        @access_token = user.access_tokens.create!({:developer_key => key, :remember_access => remember_access?, :scopes => scopes, :purpose => purpose, expires_at: expiration_date})
+        @access_token = user.access_tokens.create!({
+                                                     :developer_key => key,
+                                                     :remember_access => remember_access?,
+                                                     :scopes => scopes,
+                                                     :purpose => purpose
+                                                   })

        @access_token.clear_full_token! if @access_token.scoped_to?(['userinfo'])
        @access_token.clear_plaintext_refresh_token! if @access_token.scoped_to?(['userinfo'])
@ -85,7 +90,10 @@ module Canvas::Oauth
        'refresh_token' => access_token.plaintext_refresh_token,
        'user' => user.as_json(:only => [:id, :name], :include_root => false)
      }
-      json['expires_in'] = access_token.expires_at.utc.to_time.to_i - Time.now.utc.to_i if access_token.expires_at
+
+      if access_token.expires_at && key.auto_expire_tokens
+        json['expires_in'] = access_token.expires_at.utc.to_i - Time.now.utc.to_i
+      end
      json
    end

@ -116,13 +124,5 @@ module Canvas::Oauth
    def self.expire_code(code)
      Canvas.redis.del "#{REDIS_PREFIX}#{code}"
    end
-
-    private
-
-    def expiration_date
-      DateTime.now.utc + 1.hour if key.auto_expire_tokens
-    end
-
-
  end
 end
--- a/spec/lib/canvas/oauth/token_spec.rb
+++ b/spec/lib/canvas/oauth/token_spec.rb
@ -159,6 +159,12 @@ module Canvas::Oauth
      it 'does not put anything else into the json' do
        expect(json.keys.sort).to match_array(['access_token', 'refresh_token', 'user', 'expires_in'])
      end
+      it 'does not put expires_in in the json when auto_expire_tokens is false' do
+        key = token.key
+        key.auto_expire_tokens = false
+        key.save!
+        expect(json.keys.sort).to match_array(['access_token', 'refresh_token', 'user'])
+      end

    end

@ -192,7 +198,6 @@ module Canvas::Oauth
    end

    context "token expiration" do
-
      it "starts expiring tokens in 1 hour" do
        DateTime.stubs(:now).returns(DateTime.parse('2016-06-29T23:01:00+00:00'))
        expect(token.access_token.expires_at.utc.iso8601).to eq('2016-06-30T00:01:00+00:00')
@ -205,8 +210,14 @@ module Canvas::Oauth
        expect(token.access_token.expires_at).to be_nil
      end

-
+      it 'Tokens wont expire if the dev key has auto_expire_tokens set to false' do
+        DateTime.stubs(:now).returns(Time.zone.parse('2015-06-29T23:01:00+00:00'))
+        key = token.key
+        key.auto_expire_tokens = false
+        key.save!
+        expect(token.access_token.expires_at).to be_nil
+        expect(token.access_token.expired?).to be false
+      end
    end
-
  end
 end
--- a/spec/models/access_token_spec.rb
+++ b/spec/models/access_token_spec.rb
@ -181,4 +181,20 @@ describe AccessToken do
      expect(@at_without_account.authorized_for_account?(@foreign_ac)).to be true
    end
  end
+
+  describe "regenerate_access_token" do
+    before :once do
+      @at = AccessToken.create!(:user => user_model, :developer_key => DeveloperKey.default)
+      @token_string = @at.full_token
+      @refresh_token_string = @at.plaintext_refresh_token
+    end
+
+    it "should regenerate the token" do
+      DateTime.stubs(:now).returns(Time.zone.parse('2015-06-29T23:01:00+00:00'))
+
+      @at.update_attribute(:expires_at, 2.hours.ago)
+      @at.regenerate_access_token
+      expect(@at.expires_at.to_i).to be((DateTime.now.utc + 1.hour).to_i)
+    end
+  end
 end