# HG changeset patch
# User Jie Kang
# Date 1477487506 14400
# Node ID a26429779377d98fcf07664d767f9d3400043eed
# Parent 9fe2266b4fa55eb78d372e634790878f328303f5
Fix verified-token removal in TokenManager PR3210 Reviewed-by: jerboaa Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2016-October/021425.html
diff -r 9fe2266b4fa5 -r a26429779377 web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java
--- a/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java Wed Oct 12 11:28:56 2016 -0400
+++ b/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java Wed Oct 26 09:11:46 2016 -0400
@@ -85,12 +85,12 @@
 return token;
 }
- private void scheduleRemoval(final String clientToken) {
+ private void scheduleRemoval(final String clientKey) {
 TimerTask task = new TimerTask() {
 @Override
 public void run() {
- tokens.remove(clientToken);
+ tokens.remove(clientKey);
 }
 };
 timer.schedule(task, timeout);
@@ -111,7 +111,7 @@
 byte[] storedToken = tokens.get(clientKey);
 boolean verified = Arrays.equals(candidateToken, storedToken);
 if (verified) {
- tokens.remove(clientToken);
+ tokens.remove(clientKey);
 }
 return verified;
 }
diff -r 9fe2266b4fa5 -r a26429779377 web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java
--- a/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java Wed Oct 12 11:28:56 2016 -0400
+++ b/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java Wed Oct 26 09:11:46 2016 -0400
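Review bot: `Arrays.equals(candidateToken, storedToken)` in the verifyToken hunk stops at the first mismatching byte, so the time the check takes varies with how much of a candidate token matches the stored one; `MessageDigest.isEqual(candidateToken, storedToken)` gives a constant-time comparison with the same null handling (both null is true, one null is false), with `import java.security.MessageDigest;` added if the file lacks it. Separately, `tokens.get(clientKey)` followed later by `tokens.remove(clientKey)` is not a single atomic step, so if verifyToken can be entered concurrently for the same key two callers could both see the token before either removes it; whether that is reachable depends on how `tokens` and the callers are synchronized, which is outside this hunk. Consuming the entry up front with `byte[] storedToken = tokens.remove(clientKey);` would make each token single-use under any interleaving, at the cost of also consuming it on a failed attempt. The verifyToken method starts outside the hunk; the scheduleRemoval hunk above is the same rename and needs no further change.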
@@ -91,6 +91,17 @@
 }
 @Test
+ public void generateTokenCanNotBeReusedTest() {
+ TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
+ String clientToken = "something";
+ String action = "myAction";
+ byte[] token = tokenManager.generateToken(clientToken.getBytes(), action);
+ assertTrue(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+ // try again with same action name, which should not verify
+ assertFalse(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+ }
+
+ @Test
 public void generateAndVerifyTokenTest() {
 TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
 String clientToken = "something";
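Review bot: The new test calls `clientToken.getBytes()` three times with no charset, so the client bytes depend on the platform default encoding; compute them once as `byte[] clientBytes = clientToken.getBytes(StandardCharsets.UTF_8);` (adding `import java.nio.charset.StandardCharsets;` if the test file lacks it) and pass `clientBytes` to generateToken and both verifyToken calls. For "something" the bytes are identical under any ASCII-compatible default, so this is a style point rather than a failing test; the existing generateAndVerifyTokenTest below the insertion does the same and could be changed at the same time. The comment `// try again with same action name, which should not verify` could name the property under test, e.g. `// a verified token is consumed: a second verify with the same key and action must fail`.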