changeset 1857:2688e5557fc8 default tip
Fix verified-token removal in TokenManager
PR3215
Reviewed-by: neugens
Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2016-October/021471.html
author | Jie Kang <jkang@redhat.com> |
date | Mon, 31 Oct 2016 10:36:02 -0400 |
parents | 85f97ddaa4b3 |
children | |
files | web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java |
diffstat | 2 files changed, 14 insertions(+), 3 deletions(-) [+] |
--- a/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java Thu Jun 30 10:58:21 2016 -0400
+++ b/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java Mon Oct 31 10:36:02 2016 -0400
@@ -85,12 +85,12 @@
         return token;
     }
 
-    private void scheduleRemoval(final String clientToken) {
+    private void scheduleRemoval(final String clientKey) {
         TimerTask task = new TimerTask() {
             @Override
             public void run() {
-                tokens.remove(clientToken);
+                tokens.remove(clientKey);
             }
         };
         timer.schedule(task, timeout);
@@ -111,7 +111,7 @@
         byte[] storedToken = tokens.get(clientKey);
         boolean verified = Arrays.equals(candidateToken, storedToken);
         if (verified) {
-            tokens.remove(clientToken);
+            tokens.remove(clientKey);
         }
         return verified;
     }
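Review bot: The single-use guarantee the second hunk now enforces in verifyToken is not atomic: `tokens.get(clientKey)` and the later `tokens.remove(clientKey)` are separate steps, so two concurrent requests presenting the same token can both pass the comparison before either removal runs. If `tokens` is a ConcurrentHashMap (its declaration is outside the hunk), `verified = verified && tokens.remove(clientKey, storedToken)` turns consumption into a compare-and-remove on the same array instance; otherwise guard the get/compare/remove with one lock. Separately, `Arrays.equals(candidateToken, storedToken)` exits at the first differing byte, and the candidate is client-supplied, so `MessageDigest.isEqual(candidateToken, storedToken)` is the appropriate comparison here. Both `Arrays.equals` and `MessageDigest.isEqual` return true when both arguments are null, so a null candidate against a key with no stored token would "verify"; prefix the check with `storedToken != null && candidateToken != null &&`. verifyToken's signature and the declaration of `tokens` lie outside this hunk.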
--- a/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java Thu Jun 30 10:58:21 2016 -0400
+++ b/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java Mon Oct 31 10:36:02 2016 -0400
@@ -91,6 +91,17 @@
     }
 
     @Test
+    public void generateTokenCanNotBeReusedTest() {
+        TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
+        String clientToken = "something";
+        String action = "myAction";
+        byte[] token = tokenManager.generateToken(clientToken.getBytes(), action);
+        assertTrue(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+        // try again with same action name, which should not verify
+        assertFalse(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+    }
+
+    @Test
     public void generateAndVerifyTokenTest() {
         TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
         String clientToken = "something";
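Review bot: The new generateTokenCanNotBeReusedTest covers only the verifyToken removal path; the scheduleRemoval fix in the same commit is not exercised because TimerRegistry is a mock, so a regression back to `tokens.remove(clientToken)` in the timer task would still pass this suite. A companion test could capture the scheduled TimerTask from the mock (an `ArgumentCaptor<TimerTask>` on whatever schedule call TokenManager makes, which this hunk does not show), run it directly, and then assert `verifyToken(...)` returns false. It is also worth asserting that consuming the token for `action` leaves a token generated for a different action and a different client key intact, since the bug being fixed was keying the removal on the wrong value. Minor: `clientToken.getBytes()` uses the platform default charset; `clientToken.getBytes(StandardCharsets.UTF_8)` keeps the fixture deterministic across locales.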