Added username filtering to token revocation service via super client
Change-Id: I6ae4ace9ff464b8bcd13fbd0705061bd833726b7
diff --git a/full/Changes b/full/Changes
index ae73b6f..b3f5ce9 100644
--- a/full/Changes
+++ b/full/Changes
@@ -23,7 +23,9 @@
- Merged list authorized client and list registered client services
(margaretha)
21/11/2019
- - Added a service to list active refresh tokens of a user (margaretha)
+ - Added a service to list active refresh tokens of a user (margaretha)
+ - Added username filtering to token revocation service via super client
+ (margaretha)
# version 0.62.1
08/07/2019
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java
index feafc87..ebc7252 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java
@@ -424,7 +424,7 @@
}
}
- public void revokeTokenViaSuperClient (
+ public void revokeTokenViaSuperClient (String username,
OAuth2RevokeTokenSuperRequest revokeTokenRequest)
throws KustvaktException {
String superClientId = revokeTokenRequest.getSuperClientId();
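Review bot: The new `username` parameter of `revokeTokenViaSuperClient` is neither documented nor guarded, so a caller passing null would make the ownership comparison further down in the method fail with an exception rather than refuse cleanly. A Javadoc line on the method, `@param username the authenticated user; only refresh tokens owned by this user are revoked`, together with `Objects.requireNonNull(username, "username");` as the first statement (importing `java.util.Objects` if it is not already in scope) would state the contract at the entry point. The method body continues past this hunk.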
@@ -442,7 +442,9 @@
tokenDao.retrieveRefreshTokenByClientId(clientId);
for (RefreshToken r : refreshTokens) {
- revokeRefreshToken(r);
+ if (r.getUserId().equals(username)){
+ revokeRefreshToken(r);
+ }
}
}
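Review bot: `r.getUserId().equals(username)` dereferences the token's user id first, so a refresh token whose user id is null would abort the whole loop with a NullPointerException instead of simply being skipped; reversing the comparison to `if (username.equals(r.getUserId())) {` (or using `Objects.equals(username, r.getUserId())`) keeps the filter null-safe. A comment such as `// revoke only tokens owned by the authenticated user; a super client must not revoke other users' tokens` would record why the filter exists. The ownership check is applied only to the refresh-token loop shown here; if the part of the method between the two hunks also revokes access tokens for the client, it presumably needs the same check — worth confirming. The enclosing method starts in the previous hunk.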
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
index bbe1122..a287ce4 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
@@ -273,14 +273,18 @@
@ResourceFilters({ AuthenticationFilter.class, BlockingFilter.class })
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response revokeTokenViaSuperClient (
+ @Context SecurityContext context,
@Context HttpServletRequest request,
MultivaluedMap<String, String> form) {
+ TokenContext tokenContext = (TokenContext) context.getUserPrincipal();
+ String username = tokenContext.getUsername();
+
try {
OAuth2RevokeTokenSuperRequest revokeTokenRequest =
new OAuth2RevokeTokenSuperRequest(
new FormRequestWrapper(request, form));
- tokenService.revokeTokenViaSuperClient(revokeTokenRequest);
+ tokenService.revokeTokenViaSuperClient(username, revokeTokenRequest);
return Response.ok("SUCCESS").build();
}
catch (OAuthSystemException e) {
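Review bot: The `getUserPrincipal()` cast and the `getUsername()` call at the top of the handler run before the `try`, so a missing principal or one that is not a `TokenContext` fails the request with an unhandled NullPointerException or ClassCastException instead of the error response the catch clauses produce. `AuthenticationFilter` on the resource presumably guarantees an authenticated principal, but moving the two lines inside the `try` (or adding an explicit null check) would keep that assumption visible and local to the handler. A one-line comment above the lookup, `// the revocation is scoped to the caller's own tokens; a super client cannot act for other users`, would make the purpose of the username explicit. The catch chain continues past this hunk.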
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
index 1e1b6cf..03f4ce8 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
@@ -523,6 +523,7 @@
JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
String refreshToken = node.at("/refresh_token").asText();
+ String accessToken = node.at("/access_token").asText();
// client 2
code = requestAuthorizationCode(confidentialClientId, clientSecret,
@@ -533,15 +534,18 @@
requestAuthorizedClientList(userAuthHeader);
testListAuthorizedClientWithMultipleRefreshTokens(userAuthHeader);
+ testListAuthorizedClientWithRefreshTokenFromAnotherUser(userAuthHeader);
-
+ // revoke client 1
+ testRevokeTokenViaSuperClient(publicClientId, userAuthHeader,
+ accessToken, refreshToken);
testRequestTokenWithRevokedRefreshToken(publicClientId, clientSecret,
refreshToken);
-
+
+ // revoke client 2
node = JsonUtils.readTree(response.getEntity(String.class));
- String accessToken = node.at("/access_token").asText();
+ accessToken = node.at("/access_token").asText();
refreshToken = node.at("/refresh_token").asText();
-
testRevokeTokenViaSuperClient(confidentialClientId, userAuthHeader,
accessToken, refreshToken);
}
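Review bot: The username filter this commit introduces is only exercised in the positive direction: after `testRevokeTokenViaSuperClient(publicClientId, userAuthHeader, accessToken, refreshToken)` nothing visible checks that the other user's client-1 refresh token, obtained inside `testListAuthorizedClientWithRefreshTokenFromAnotherUser`, is still usable, so dropping the filter would not fail this test. Having that helper return the other user's refresh token and then asserting that it still yields a fresh token pair would give the filter a negative test. I cannot see what `requestAuthorizedClientList` or `testRevokeTokenViaSuperClient` assert internally, so part of this may already be covered there — worth confirming. The enclosing test method starts before this hunk.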
@@ -555,6 +559,20 @@
publicClientId, "", code);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
+
+ requestAuthorizedClientList(userAuthHeader);
+ }
+
+ private void testListAuthorizedClientWithRefreshTokenFromAnotherUser (
+ String userAuthHeader) throws KustvaktException {
+
+ String aaaAuthHeader = HttpAuthorizationHandler
+ .createBasicAuthorizationHeaderValue("aaa", "pwd");
+ // client 1
+ String code = requestAuthorizationCode(publicClientId, clientSecret,
+ null, aaaAuthHeader);
+ ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
+ publicClientId, "", code);
requestAuthorizedClientList(userAuthHeader);
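Review bot: The token response for user `aaa` returned by `requestTokenWithAuthorizationCodeAndForm(publicClientId, "", code)` is not status-checked before its body is parsed further down, unlike the sibling call a few lines above, so a failed exchange for the second user would surface as a confusing JSON-path failure rather than a clear assertion. Adding `assertEquals(Status.OK.getStatusCode(), response.getStatus());` right after that call mirrors the existing pattern. The helper continues in the next hunk.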
@@ -562,7 +580,7 @@
String accessToken = node.at("/access_token").asText();
String refreshToken = node.at("/refresh_token").asText();
- testRevokeTokenViaSuperClient(publicClientId, userAuthHeader,
+ testRevokeTokenViaSuperClient(publicClientId, aaaAuthHeader,
accessToken, refreshToken);
}