pulled checks for expired tokens into utility functions

Author: jricher

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -46,6 +46,7 @@
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.security.oauth2.provider.ClientAlreadyExistsException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.TokenRequest;
@@ -84,14 +85,18 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 	@Autowired
 	private SystemScopeService scopeService;
 
+	@Autowired
+	private ApprovedSiteService approvedSiteService;
+
+
 	@Override
 	public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String id) {
 
 		Set<OAuth2AccessTokenEntity> all = tokenRepository.getAllAccessTokens();
 		Set<OAuth2AccessTokenEntity> results = Sets.newLinkedHashSet();
 
 		for (OAuth2AccessTokenEntity token : all) {
-			if (token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
+			if (clearExpiredAccessToken(token) != null && token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
 				results.add(token);
 			}
 		}
@@ -106,7 +111,7 @@ public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String id) {
 		Set<OAuth2RefreshTokenEntity> results = Sets.newLinkedHashSet();
 
 		for (OAuth2RefreshTokenEntity token : all) {
-			if (token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
+			if (clearExpiredRefreshToken(token) != null && token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
 				results.add(token);
 			}
 		}
@@ -116,18 +121,50 @@ public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String id) {
 
 	@Override
 	public OAuth2AccessTokenEntity getAccessTokenById(Long id) {
-		return tokenRepository.getAccessTokenById(id);
+		return clearExpiredAccessToken(tokenRepository.getAccessTokenById(id));
 	}
 
 	@Override
 	public OAuth2RefreshTokenEntity getRefreshTokenById(Long id) {
-		return tokenRepository.getRefreshTokenById(id);
+		return clearExpiredRefreshToken(tokenRepository.getRefreshTokenById(id));
 	}
 
-	@Autowired
-	private ApprovedSiteService approvedSiteService;
-
-
+	/**
+	 * Utility function to delete an access token that's expired before returning it.
+	 * @param token the token to check
+	 * @return null if the token is null or expired, the input token (unchanged) if it hasn't
+	 */
+	private OAuth2AccessTokenEntity clearExpiredAccessToken(OAuth2AccessTokenEntity token) {
+		if (token == null) {
+			return null;
+		} else if (token.isExpired()) {
+			// immediately revoke expired token
+			logger.debug("Clearing expired access token: " + token.getValue());
+			revokeAccessToken(token);
+			return null;
+		} else {
+			return token;
+		}
+	}
+	
+	/**
+	 * Utility function to delete a refresh token that's expired before returning it.
+	 * @param token the token to check
+	 * @return null if the token is null or expired, the input token (unchanged) if it hasn't
+	 */
+	private OAuth2RefreshTokenEntity clearExpiredRefreshToken(OAuth2RefreshTokenEntity token) {
+		if (token == null) {
+			return null;
+		} else if (token.isExpired()) {
+			// immediately revoke expired token
+			logger.debug("Clearing expired refresh token: " + token.getValue());
+			revokeRefreshToken(token);
+			return null;
+		} else {
+			return token;
+		}
+	}
+	
 	@Override
 	public OAuth2AccessTokenEntity createAccessToken(OAuth2Authentication authentication) throws AuthenticationException, InvalidClientException {
 		if (authentication != null && authentication.getOAuth2Request() != null) {
@@ -238,7 +275,7 @@ private OAuth2RefreshTokenEntity createRefreshToken(ClientDetailsEntity client,
 	@Override
 	public OAuth2AccessTokenEntity refreshAccessToken(String refreshTokenValue, TokenRequest authRequest) throws AuthenticationException {
 
-		OAuth2RefreshTokenEntity refreshToken = tokenRepository.getRefreshTokenByValue(refreshTokenValue);
+		OAuth2RefreshTokenEntity refreshToken = clearExpiredRefreshToken(tokenRepository.getRefreshTokenByValue(refreshTokenValue));
 
 		if (refreshToken == null) {
 			throw new InvalidTokenException("Invalid refresh token: " + refreshTokenValue);
@@ -331,14 +368,10 @@ public OAuth2AccessTokenEntity refreshAccessToken(String refreshTokenValue, Toke
 	@Override
 	public OAuth2Authentication loadAuthentication(String accessTokenValue) throws AuthenticationException {
 
-		OAuth2AccessTokenEntity accessToken = tokenRepository.getAccessTokenByValue(accessTokenValue);
+		OAuth2AccessTokenEntity accessToken = clearExpiredAccessToken(tokenRepository.getAccessTokenByValue(accessTokenValue));
 
 		if (accessToken == null) {
 			throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
-		} else if (accessToken.isExpired()) {
-			//tokenRepository.removeAccessToken(accessToken);
-			revokeAccessToken(accessToken);
-			throw new InvalidTokenException("Expired access token: " + accessTokenValue);
 		} else {
 			return accessToken.getAuthenticationHolder().getAuthentication();
 		}
@@ -350,13 +383,9 @@ public OAuth2Authentication loadAuthentication(String accessTokenValue) throws A
 	 */
 	@Override
 	public OAuth2AccessTokenEntity readAccessToken(String accessTokenValue) throws AuthenticationException {
-		OAuth2AccessTokenEntity accessToken = tokenRepository.getAccessTokenByValue(accessTokenValue);
+		OAuth2AccessTokenEntity accessToken = clearExpiredAccessToken(tokenRepository.getAccessTokenByValue(accessTokenValue));
 		if (accessToken == null) {
 			throw new InvalidTokenException("Access token for value " + accessTokenValue + " was not found");
-		} else if (accessToken.isExpired()) {
-			// immediately revoke the expired token
-			revokeAccessToken(accessToken);
-			throw new InvalidTokenException("Access token for value " + accessTokenValue + " is expired");
 		} else {
 			return accessToken;
 		}