From 27488bda4ad72b07c50e2f555398f4f6f1989883 Mon Sep 17 00:00:00 2001
From: Vasile Negru
Date: Fri, 5 Aug 2022 14:42:20 +0300
Subject: [PATCH] fix-expiration-of-token-from-actual-idtoken

Signed-off-by: Vasile Negru
Signed-off-by: Vasile Negru
Signed-off-by: Vasile Negru
---
 server/auth/types/openid/helper.test.ts | 7 ++++---
 server/auth/types/openid/helper.ts      | 9 ++++++---
 server/auth/types/openid/openid_auth.ts | 2 +-
 server/auth/types/openid/routes.ts      | 5 +----
 4 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/server/auth/types/openid/helper.test.ts b/server/auth/types/openid/helper.test.ts
index e8954f9b9..539199ec7 100644
--- a/server/auth/types/openid/helper.test.ts
+++ b/server/auth/types/openid/helper.test.ts
@@ -140,9 +140,10 @@ describe('test OIDC helper utility', () => { test('extract expiration time from jwt token', () => { expect(1658582700000).toEqual( - getExpirationDate( - 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imtld2lRcTlqaUM4NEN2U3NKWU9CLU42QThXRkxTVjIwTWIteTdJbFdEU1EifQ.eyJpc3MiOiJodHRwczovL2dpdGxhYi5jb20iLCJzdWIiOiI5ODc5ODQ1IiwiYXVkIjoiOTkzZWM3MTA3YjNlZmJiZTRkZDdjYmE1NDRmMDU4YTMyMmIwN2M0ZmQ5MTljMzdkMGM4ODQ5MjljYzVkM2U5NiIsImV4cCI6MTY1ODU4MjcwMCwiaWF0IjoxNjU4NTgyNTgwLCJhdXRoX3RpbWUiOjE2NTgzMjU1ODgsInN1Yl9sZWdhY3kiOiIxYWNiYzI5ZGFkOWViMGI0MjM3YTVhMTEzNzg2M2E4ZDNlNDFkOGRjOWJhMzJlYzFkOGIwMWJjODY5NzczMGM0IiwiZ3JvdXBzX2RpcmVjdCI6WyJlb3NmaW50ZWsiLCJlNDM4NyJdfQ.CVgOC3K4e95cOY2akmGBWJcSGjkyO517N_784ob2Tj3aeMpyk-O_OsbUhmt_Fu_XvqSk5dY02c1a8Ngav8_7MOsHb6MovYQsnIE0ddxtJSY2uswOWX53cE2SPU-G-s8vVLX-MfIG1_Mfg2cYE-eL2nRlSSrMug9IXiiWGoQuS0vrjuomgoq3gZnNCM-Yn-2TI3YZSsluyaODMnW2yVCeu8ZMJp6ZbCMBwAwq-dMVENF9jEHJqtRgOOP1OXJ9scapS14IHXaUrHkxlyRDRYKMZ727hQs_aMHZAlLyycz_9xI2RgZ4dTOldbXZeBUrOZvwe5ZMdok3a9LYr91clFu-pA24zHFUeFqjcVRMxhYZAD4wYdG26pYk1Otk9auvSaPd6Rsk4fK_tA7hVWCM1NMO1lhQ0RzLl4MRKx4NJrjm4jlodUGx3k_js2YtXYdKGNwWcm2ESTUgPdL1dQus3ll5Lr_wt5uY3GYjCtDA6BcZWhRewgWdmJ8hPx8JNuz3Sw2bDxjgmZqCQ4I4WMa-HncAshfZY-mLlWOkxN9kzHSXIZGa-No6_u9JZwfKdZXkK9UJMAuY4SH5PcvJitVAVDPg6EQa1Ne8AkVFOBfPF0_S3QZnW4D7kRNhs0pr-eyBb3cUACLPjS4maCccQ6MSBZ9RYy3l0wgitRv2SVIBvBH0eN4' - ) + getExpirationDate({ + idToken: + 
'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imtld2lRcTlqaUM4NEN2U3NKWU9CLU42QThXRkxTVjIwTWIteTdJbFdEU1EifQ.eyJpc3MiOiJodHRwczovL2dpdGxhYi5jb20iLCJzdWIiOiI5ODc5ODQ1IiwiYXVkIjoiOTkzZWM3MTA3YjNlZmJiZTRkZDdjYmE1NDRmMDU4YTMyMmIwN2M0ZmQ5MTljMzdkMGM4ODQ5MjljYzVkM2U5NiIsImV4cCI6MTY1ODU4MjcwMCwiaWF0IjoxNjU4NTgyNTgwLCJhdXRoX3RpbWUiOjE2NTgzMjU1ODgsInN1Yl9sZWdhY3kiOiIxYWNiYzI5ZGFkOWViMGI0MjM3YTVhMTEzNzg2M2E4ZDNlNDFkOGRjOWJhMzJlYzFkOGIwMWJjODY5NzczMGM0IiwiZ3JvdXBzX2RpcmVjdCI6WyJlb3NmaW50ZWsiLCJlNDM4NyJdfQ.CVgOC3K4e95cOY2akmGBWJcSGjkyO517N_784ob2Tj3aeMpyk-O_OsbUhmt_Fu_XvqSk5dY02c1a8Ngav8_7MOsHb6MovYQsnIE0ddxtJSY2uswOWX53cE2SPU-G-s8vVLX-MfIG1_Mfg2cYE-eL2nRlSSrMug9IXiiWGoQuS0vrjuomgoq3gZnNCM-Yn-2TI3YZSsluyaODMnW2yVCeu8ZMJp6ZbCMBwAwq-dMVENF9jEHJqtRgOOP1OXJ9scapS14IHXaUrHkxlyRDRYKMZ727hQs_aMHZAlLyycz_9xI2RgZ4dTOldbXZeBUrOZvwe5ZMdok3a9LYr91clFu-pA24zHFUeFqjcVRMxhYZAD4wYdG26pYk1Otk9auvSaPd6Rsk4fK_tA7hVWCM1NMO1lhQ0RzLl4MRKx4NJrjm4jlodUGx3k_js2YtXYdKGNwWcm2ESTUgPdL1dQus3ll5Lr_wt5uY3GYjCtDA6BcZWhRewgWdmJ8hPx8JNuz3Sw2bDxjgmZqCQ4I4WMa-HncAshfZY-mLlWOkxN9kzHSXIZGa-No6_u9JZwfKdZXkK9UJMAuY4SH5PcvJitVAVDPg6EQa1Ne8AkVFOBfPF0_S3QZnW4D7kRNhs0pr-eyBb3cUACLPjS4maCccQ6MSBZ9RYy3l0wgitRv2SVIBvBH0eN4', + }) ); }); });
diff --git a/server/auth/types/openid/helper.ts b/server/auth/types/openid/helper.ts
index 0911987b0..a420b442e 100644
--- a/server/auth/types/openid/helper.ts
+++ b/server/auth/types/openid/helper.ts
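Review bot: The updated test still exercises only the `idToken` path of getExpirationDate, so the new `expiresIn` fallback and the case where the response carries neither field are unverified. Add a case such as `expect(getExpirationDate({ expiresIn: 300 })).toBeGreaterThan(Date.now())` (or pin the value by faking `Date.now`) and one stating what `getExpirationDate({})` should do — as the helper is written it returns `NaN` rather than throwing, which is probably not the intended contract. The fixture's `exp` is read from a base64-decoded payload without any signature check, so this assertion pins claim parsing only, not token validity. The enclosing describe block starts outside the hunk.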
@@ -121,15 +121,18 @@ export interface TokenResponse {
   expiresIn?: number;
 }
 
-export function getExpirationDate(idToken: string | undefined) {
-  if (!idToken) {
+export function getExpirationDate(tokenResponse: TokenResponse | undefined) {
+  if (!tokenResponse) {
     throw new Error('Invalid token');
-  } else {
+  } else if (tokenResponse.idToken) {
+    const idToken = tokenResponse.idToken;
     const parts = idToken.split('.');
     if (parts.length !== 3) {
       throw new Error('Invalid token');
     }
     const claim = JSON.parse(Buffer.from(parts[1], 'base64').toString());
     return claim.exp * 1000;
+  } else {
+    return Date.now() + tokenResponse.expiresIn! * 1000;
   }
 }
diff --git a/server/auth/types/openid/openid_auth.ts b/server/auth/types/openid/openid_auth.ts
index c51b32487..1fb0f3d00 100644
--- a/server/auth/types/openid/openid_auth.ts
+++ b/server/auth/types/openid/openid_auth.ts
@@ -190,7 +190,7 @@ export class OpenIdAuthentication extends AuthenticationType {
         cookie.credentials = {
           authHeaderValue: `Bearer ${refreshTokenResponse.idToken}`,
           refresh_token: refreshTokenResponse.refreshToken,
-          expires_at: getExpirationDate(refreshTokenResponse.idToken), // expiresIn is in second
+          expires_at: getExpirationDate(refreshTokenResponse), // expiresIn is in second
         };
         return true;
       } else {
diff --git a/server/auth/types/openid/routes.ts b/server/auth/types/openid/routes.ts
index e56c3b5a3..627170f97 100644
--- a/server/auth/types/openid/routes.ts
+++ b/server/auth/types/openid/routes.ts
@@ -156,14 +156,11 @@ export class OpenIdAuthRoutes {
         );
 
         // set to cookie
-        const expirationDate = tokenResponse.idToken
-          ? getExpirationDate(tokenResponse.idToken)
-          : Date.now() + tokenResponse.expiresIn! * 1000;
         const sessionStorage: SecuritySessionCookie = {
           username: user.username,
           credentials: {
             authHeaderValue: `Bearer ${tokenResponse.idToken}`,
-            expires_at: expirationDate,
+            expires_at: getExpirationDate(tokenResponse),
           },
           authType: 'openid',
           expiryTime: Date.now() + this.config.session.ttl,
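Review bot: The new fallback branch `return Date.now() + tokenResponse.expiresIn! * 1000;` silences the compiler with `!` but has no runtime guard, so a token response carrying neither `idToken` nor `expiresIn` yields `NaN` instead of the `'Invalid token'` error the other branches throw. Both callers changed in this commit (the refresh path in openid_auth.ts and the login callback in routes.ts) store that value as `expires_at` in the session cookie, and any numeric comparison against `NaN` is false, so the session would never read as expired on that basis; the function should fail closed when the field is absent. The same `NaN` concern applies to `claim.exp * 1000` when the decoded payload has no numeric `exp`, though that line predates this commit and the decode has never verified the token's signature — worth a one-line comment on the function stating that it trusts the issuer-supplied values. Proposed rewrite of the fallback:
```typescript
  } else if (typeof tokenResponse.expiresIn === 'number') {
    // expiresIn is a lifetime in seconds relative to now
    return Date.now() + tokenResponse.expiresIn * 1000;
  } else {
    throw new Error('Invalid token');
  }
}
```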
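Review bot: The trailing comment `// expiresIn is in second` kept on the changed line in openid_auth.ts now describes a conversion that happens inside getExpirationDate rather than at this call site, so it reads as stale; either drop it or say what the call yields, e.g. `// ms epoch: id_token exp claim, else now + expiresIn`. The enclosing method starts and ends outside the hunk.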