# HG changeset patch
# User Jie Kang
# Date 1477924562 14400
# Node ID 2688e5557fc8d200c0b4786f1cbe96ddaa93f4f9
# Parent 85f97ddaa4b3b5ad652bd75694a60194cd0ac81e
Fix verified-token removal in TokenManager PR3215
Reviewed-by: neugens
Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2016-October/021471.html
diff -r 85f97ddaa4b3 -r 2688e5557fc8 web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java
--- a/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java Thu Jun 30 10:58:21 2016 -0400
+++ b/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java Mon Oct 31 10:36:02 2016 -0400
@@ -85,12 +85,12 @@
         return token;
     }
 
-    private void scheduleRemoval(final String clientToken) {
+    private void scheduleRemoval(final String clientKey) {
         TimerTask task = new TimerTask() {
             @Override
             public void run() {
-                tokens.remove(clientToken);
+                tokens.remove(clientKey);
             }
         };
         timer.schedule(task, timeout);
@@ -111,7 +111,7 @@
         byte[] storedToken = tokens.get(clientKey);
         boolean verified = Arrays.equals(candidateToken, storedToken);
         if (verified) {
-            tokens.remove(clientToken);
+            tokens.remove(clientKey);
         }
         return verified;
     }
diff -r 85f97ddaa4b3 -r 2688e5557fc8 web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java
--- a/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java Thu Jun 30 10:58:21 2016 -0400
+++ b/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java Mon Oct 31 10:36:02 2016 -0400
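Review bot: In the second hunk the corrected `tokens.remove(clientKey)` closes the replay window, but `tokens.get(clientKey)` followed by a separate `tokens.remove(clientKey)` is still a check-then-act pair, so two concurrent `verifyToken` calls presenting the same valid token can both observe it and both return true before either removal runs; whether that is reachable depends on the type of `tokens`, which is declared outside the hunk. For a `ConcurrentMap` a single conditional removal keeps the one-shot guarantee under concurrency, and `MessageDigest.isEqual` replaces the early-exit `Arrays.equals`, which otherwise reveals through timing how many leading bytes of the candidate matched: `boolean verified = MessageDigest.isEqual(candidateToken, storedToken) && tokens.remove(clientKey, storedToken);`. The two-argument `remove` matches the stored array by reference, which is the one just read, so it only succeeds if no other caller consumed the token in between. The enclosing `verifyToken` starts before the hunk, so how `clientKey` is derived from the client token bytes is not visible here.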
@@ -91,6 +91,17 @@
     }
 
     @Test
+    public void generateTokenCanNotBeReusedTest() {
+        TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
+        String clientToken = "something";
+        String action = "myAction";
+        byte[] token = tokenManager.generateToken(clientToken.getBytes(), action);
+        assertTrue(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+        // try again with same action name, which should not verify
+        assertFalse(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+    }
+
+    @Test
     public void generateAndVerifyTokenTest() {
         TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
         String clientToken = "something";
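Review bot: The three `clientToken.getBytes()` calls in the added test use the platform default charset, so the bytes fed to `generateToken` and `verifyToken` depend on the JVM's `file.encoding`; `clientToken.getBytes(StandardCharsets.UTF_8)` keeps the fixture deterministic, and the sibling `generateAndVerifyTokenTest` visible below has the same pattern. Because `TimerRegistry` is mocked, the scheduled-removal path renamed in the first hunk of `TokenManager.java` is not exercised by this test; whether another test covers the timeout removal is not visible in this patch. A one-line Javadoc on the new test, e.g. `/** A token must verify exactly once; a second verifyToken with the same bytes and action must fail. */`, would state the replay-protection intent that the test name only hints at.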