changeset 2492:afecd793c82f
Fix verified-token removal in TokenManager
Reviewed-by: aazores
Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2016-October/021401.html
author | Omair Majid <omajid@redhat.com> |
date | Tue, 25 Oct 2016 15:31:41 -0400 |
parents | ca32ab5d3635 |
children | 49e3ab7f5702 |
files | web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java |
diffstat | 2 files changed, 14 insertions(+), 3 deletions(-) [+] |
--- a/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java	Tue Oct 25 12:05:45 2016 +0200
+++ b/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java	Tue Oct 25 15:31:41 2016 -0400
@@ -85,12 +85,12 @@
         return token;
     }
 
-    private void scheduleRemoval(final String clientToken) {
+    private void scheduleRemoval(final String clientKey) {
         TimerTask task = new TimerTask() {
             @Override
             public void run() {
-                tokens.remove(clientToken);
+                tokens.remove(clientKey);
             }
         };
         timer.schedule(task, timeout);
@@ -111,7 +111,7 @@
         byte[] storedToken = tokens.get(clientKey);
         boolean verified = Arrays.equals(candidateToken, storedToken);
         if (verified) {
-            tokens.remove(clientToken);
+            tokens.remove(clientKey);
         }
         return verified;
     }
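Review bot: The comparison two lines above the corrected remove, `Arrays.equals(candidateToken, storedToken)`, stops at the first differing byte, so the time verifyToken takes depends on how much of the candidate matches the stored token; for a security token `MessageDigest.isEqual(candidateToken, storedToken)` (java.security) compares in constant time and also returns false when storedToken is null. The get-then-remove in this hunk is also not atomic: two calls with the same clientKey can both pass the comparison before either removes, so a token can be consumed twice; if `tokens` is a ConcurrentMap (its declaration is outside the hunk), `boolean verified = storedToken != null && MessageDigest.isEqual(candidateToken, storedToken) && tokens.remove(clientKey, storedToken);` makes the consume step itself the check. verifyToken's signature is outside the hunk; the first hunk of this file is only the parameter rename the fix depends on.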
--- a/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java	Tue Oct 25 12:05:45 2016 +0200
+++ b/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java	Tue Oct 25 15:31:41 2016 -0400
@@ -91,6 +91,17 @@
     }
 
     @Test
+    public void generateTokenCanNotBeReusedTest() {
+        TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
+        String clientToken = "something";
+        String action = "myAction";
+        byte[] token = tokenManager.generateToken(clientToken.getBytes(), action);
+        assertTrue(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+        // try again with same action name, which should not verify
+        assertFalse(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+    }
+
+    @Test
     public void generateAndVerifyTokenTest() {
         TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
         String clientToken = "something";
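Review bot: `clientToken.getBytes()` in the new test (the existing generateAndVerifyTokenTest below it does the same) encodes with the platform default charset, so the client key bytes depend on the JVM's file.encoding; `clientToken.getBytes(StandardCharsets.UTF_8)` pins them. The test also only shows that the same token is rejected on a second verify; a further assertion that a freshly generated token for the same client and action verifies after the first was consumed would confirm the remove does not break re-issue. The test class's imports are outside the hunk.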