fix-expiration-of-token-from-actual-idtoken

Signed-off-by: Vasile Negru <[email protected]> Signed-off-by: Vasile Negru <[email protected]> Signed-off-by: Vasile Negru <[email protected]>
spartan2015 · Aug 8, 2022 · 27488bd · 27488bd
1 parent 257d9ea
commit 27488bd
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 11 deletions.
diff --git a/server/auth/types/openid/helper.test.ts b/server/auth/types/openid/helper.test.ts
@@ -140,9 +140,10 @@ describe('test OIDC helper utility', () => {
 
   test('extract expiration time from jwt token', () => {
     expect(1658582700000).toEqual(
-      getExpirationDate(
-        'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imtld2lRcTlqaUM4NEN2U3NKWU9CLU42QThXRkxTVjIwTWIteTdJbFdEU1EifQ.eyJpc3MiOiJodHRwczovL2dpdGxhYi5jb20iLCJzdWIiOiI5ODc5ODQ1IiwiYXVkIjoiOTkzZWM3MTA3YjNlZmJiZTRkZDdjYmE1NDRmMDU4YTMyMmIwN2M0ZmQ5MTljMzdkMGM4ODQ5MjljYzVkM2U5NiIsImV4cCI6MTY1ODU4MjcwMCwiaWF0IjoxNjU4NTgyNTgwLCJhdXRoX3RpbWUiOjE2NTgzMjU1ODgsInN1Yl9sZWdhY3kiOiIxYWNiYzI5ZGFkOWViMGI0MjM3YTVhMTEzNzg2M2E4ZDNlNDFkOGRjOWJhMzJlYzFkOGIwMWJjODY5NzczMGM0IiwiZ3JvdXBzX2RpcmVjdCI6WyJlb3NmaW50ZWsiLCJlNDM4NyJdfQ.CVgOC3K4e95cOY2akmGBWJcSGjkyO517N_784ob2Tj3aeMpyk-O_OsbUhmt_Fu_XvqSk5dY02c1a8Ngav8_7MOsHb6MovYQsnIE0ddxtJSY2uswOWX53cE2SPU-G-s8vVLX-MfIG1_Mfg2cYE-eL2nRlSSrMug9IXiiWGoQuS0vrjuomgoq3gZnNCM-Yn-2TI3YZSsluyaODMnW2yVCeu8ZMJp6ZbCMBwAwq-dMVENF9jEHJqtRgOOP1OXJ9scapS14IHXaUrHkxlyRDRYKMZ727hQs_aMHZAlLyycz_9xI2RgZ4dTOldbXZeBUrOZvwe5ZMdok3a9LYr91clFu-pA24zHFUeFqjcVRMxhYZAD4wYdG26pYk1Otk9auvSaPd6Rsk4fK_tA7hVWCM1NMO1lhQ0RzLl4MRKx4NJrjm4jlodUGx3k_js2YtXYdKGNwWcm2ESTUgPdL1dQus3ll5Lr_wt5uY3GYjCtDA6BcZWhRewgWdmJ8hPx8JNuz3Sw2bDxjgmZqCQ4I4WMa-HncAshfZY-mLlWOkxN9kzHSXIZGa-No6_u9JZwfKdZXkK9UJMAuY4SH5PcvJitVAVDPg6EQa1Ne8AkVFOBfPF0_S3QZnW4D7kRNhs0pr-eyBb3cUACLPjS4maCccQ6MSBZ9RYy3l0wgitRv2SVIBvBH0eN4'
-      )
+      getExpirationDate({
+        idToken:
+          'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imtld2lRcTlqaUM4NEN2U3NKWU9CLU42QThXRkxTVjIwTWIteTdJbFdEU1EifQ.eyJpc3MiOiJodHRwczovL2dpdGxhYi5jb20iLCJzdWIiOiI5ODc5ODQ1IiwiYXVkIjoiOTkzZWM3MTA3YjNlZmJiZTRkZDdjYmE1NDRmMDU4YTMyMmIwN2M0ZmQ5MTljMzdkMGM4ODQ5MjljYzVkM2U5NiIsImV4cCI6MTY1ODU4MjcwMCwiaWF0IjoxNjU4NTgyNTgwLCJhdXRoX3RpbWUiOjE2NTgzMjU1ODgsInN1Yl9sZWdhY3kiOiIxYWNiYzI5ZGFkOWViMGI0MjM3YTVhMTEzNzg2M2E4ZDNlNDFkOGRjOWJhMzJlYzFkOGIwMWJjODY5NzczMGM0IiwiZ3JvdXBzX2RpcmVjdCI6WyJlb3NmaW50ZWsiLCJlNDM4NyJdfQ.CVgOC3K4e95cOY2akmGBWJcSGjkyO517N_784ob2Tj3aeMpyk-O_OsbUhmt_Fu_XvqSk5dY02c1a8Ngav8_7MOsHb6MovYQsnIE0ddxtJSY2uswOWX53cE2SPU-G-s8vVLX-MfIG1_Mfg2cYE-eL2nRlSSrMug9IXiiWGoQuS0vrjuomgoq3gZnNCM-Yn-2TI3YZSsluyaODMnW2yVCeu8ZMJp6ZbCMBwAwq-dMVENF9jEHJqtRgOOP1OXJ9scapS14IHXaUrHkxlyRDRYKMZ727hQs_aMHZAlLyycz_9xI2RgZ4dTOldbXZeBUrOZvwe5ZMdok3a9LYr91clFu-pA24zHFUeFqjcVRMxhYZAD4wYdG26pYk1Otk9auvSaPd6Rsk4fK_tA7hVWCM1NMO1lhQ0RzLl4MRKx4NJrjm4jlodUGx3k_js2YtXYdKGNwWcm2ESTUgPdL1dQus3ll5Lr_wt5uY3GYjCtDA6BcZWhRewgWdmJ8hPx8JNuz3Sw2bDxjgmZqCQ4I4WMa-HncAshfZY-mLlWOkxN9kzHSXIZGa-No6_u9JZwfKdZXkK9UJMAuY4SH5PcvJitVAVDPg6EQa1Ne8AkVFOBfPF0_S3QZnW4D7kRNhs0pr-eyBb3cUACLPjS4maCccQ6MSBZ9RYy3l0wgitRv2SVIBvBH0eN4',
+      })
     );
   });
 });
diff --git a/server/auth/types/openid/helper.ts b/server/auth/types/openid/helper.ts
@@ -121,15 +121,18 @@ export interface TokenResponse {
   expiresIn?: number;
 }
 
-export function getExpirationDate(idToken: string | undefined) {
-  if (!idToken) {
+export function getExpirationDate(tokenResponse: TokenResponse | undefined) {
+  if (!tokenResponse) {
     throw new Error('Invalid token');
-  } else {
+  } else if (tokenResponse.idToken) {
+    const idToken = tokenResponse.idToken;
     const parts = idToken.split('.');
     if (parts.length !== 3) {
       throw new Error('Invalid token');
     }
     const claim = JSON.parse(Buffer.from(parts[1], 'base64').toString());
     return claim.exp * 1000;
+  } else {
+    return Date.now() + tokenResponse.expiresIn! * 1000;
   }
 }
diff --git a/server/auth/types/openid/openid_auth.ts b/server/auth/types/openid/openid_auth.ts
@@ -190,7 +190,7 @@ export class OpenIdAuthentication extends AuthenticationType {
           cookie.credentials = {
             authHeaderValue: `Bearer ${refreshTokenResponse.idToken}`,
             refresh_token: refreshTokenResponse.refreshToken,
-            expires_at: getExpirationDate(refreshTokenResponse.idToken), // expiresIn is in second
+            expires_at: getExpirationDate(refreshTokenResponse), // expiresIn is in second
           };
           return true;
         } else {

diff --git a/server/auth/types/openid/routes.ts b/server/auth/types/openid/routes.ts
@@ -156,14 +156,11 @@ export class OpenIdAuthRoutes {
           );
 
           // set to cookie
-          const expirationDate = tokenResponse.idToken
-            ? getExpirationDate(tokenResponse.idToken)
-            : Date.now() + tokenResponse.expiresIn! * 1000;
           const sessionStorage: SecuritySessionCookie = {
             username: user.username,
             credentials: {
               authHeaderValue: `Bearer ${tokenResponse.idToken}`,
-              expires_at: expirationDate,
+              expires_at: getExpirationDate(tokenResponse),
             },
             authType: 'openid',
             expiryTime: Date.now() + this.config.session.ttl,