changeset 2030:a26429779377
Fix verified-token removal in TokenManager
PR3210
Reviewed-by: jerboaa
Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2016-October/021425.html
author | Jie Kang <jkang@redhat.com> |
date | Wed, 26 Oct 2016 09:11:46 -0400 |
parents | 9fe2266b4fa5 |
children | 5a183ba7be84 |
files | web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java |
diffstat | 2 files changed, 14 insertions(+), 3 deletions(-) [+] |
--- a/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java Wed Oct 12 11:28:56 2016 -0400
+++ b/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java Wed Oct 26 09:11:46 2016 -0400
@@ -85,12 +85,12 @@
 return token;
 }
- private void scheduleRemoval(final String clientToken) {
+ private void scheduleRemoval(final String clientKey) {
 TimerTask task = new TimerTask() {
 @Override
 public void run() {
- tokens.remove(clientToken);
+ tokens.remove(clientKey);
 }
 };
 timer.schedule(task, timeout);
@@ -111,7 +111,7 @@
 byte[] storedToken = tokens.get(clientKey);
 boolean verified = Arrays.equals(candidateToken, storedToken);
 if (verified) {
- tokens.remove(clientToken);
+ tokens.remove(clientKey);
 }
 return verified;
 }
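Review bot: The comparison on the context line `boolean verified = Arrays.equals(candidateToken, storedToken);` stops at the first differing byte, so verification time varies with how much of a candidate token matches the stored one; `boolean verified = MessageDigest.isEqual(candidateToken, storedToken);` compares the full length in constant time, handles a null storedToken the same way, and is a drop-in replacement (add the `java.security.MessageDigest` import if the file does not already have it). Separately, the token is read with `tokens.get(clientKey)` and only removed after the compare on the lines that follow, so two concurrent requests presenting the same token could both observe it before either removes it; if `tokens` is not guarded elsewhere, `byte[] storedToken = tokens.remove(clientKey);` would consume the single-use token atomically, at the cost of also discarding it after a failed attempt. The enclosing verifyToken method begins outside the hunk, so whether the map is synchronized there cannot be seen from this diff.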
--- a/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java Wed Oct 12 11:28:56 2016 -0400
+++ b/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java Wed Oct 26 09:11:46 2016 -0400
@@ -91,6 +91,17 @@
 }
 @Test
+ public void generateTokenCanNotBeReusedTest() {
+ TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
+ String clientToken = "something";
+ String action = "myAction";
+ byte[] token = tokenManager.generateToken(clientToken.getBytes(), action);
+ assertTrue(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+ // try again with same action name, which should not verify
+ assertFalse(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+ }
+
+ @Test
 public void generateAndVerifyTokenTest() {
 TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
 String clientToken = "something";
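Review bot: The added test calls `clientToken.getBytes()` three times without a charset, so the key bytes it feeds to generateToken and verifyToken depend on the JVM's platform default encoding; `clientToken.getBytes(StandardCharsets.UTF_8)` pins it, and the existing generateAndVerifyTokenTest visible below the added lines has the same pattern. The comment `// try again with same action name, which should not verify` could state the property being pinned, e.g. `// a generated token is single-use: a second verify with the same key, token and action must fail`. The rest of the test class is outside the hunk.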