fix cookie expiration issue when exp claim is zero (#355)

louketo · May 11, 2018 · c7d76df · c7d76df
1 parent 80b2dcb
commit c7d76df
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 1 deletion.
diff --git a/misc.go b/misc.go
@@ -116,7 +116,10 @@ func (r *oauthProxy) getAccessCookieExpiration(token jose.JWT, refresh string) t
 	// refresh token
 	duration := r.config.AccessTokenDuration
 	if _, ident, err := parseToken(refresh); err == nil {
-		duration = time.Until(ident.ExpiresAt)
+		delta := time.Until(ident.ExpiresAt)
+		if delta > 0 {
+			duration = delta
+		}
 	}
 
 	return duration

diff --git a/misc_test.go b/misc_test.go
@@ -18,6 +18,9 @@ package main
 import (
 	"net/http"
 	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestRedirectToAuthorizationUnauthorized(t *testing.T) {
@@ -47,3 +50,60 @@ func TestRedirectToAuthorizationSkipToken(t *testing.T) {
 	c.SkipTokenVerification = true
 	newFakeProxy(c).RunTests(t, requests)
 }
+
+func assertAlmostEquals(t *testing.T, expected time.Duration, actual time.Duration) {
+	delta := expected - actual
+	if delta < 0 {
+		delta = -delta
+	}
+	assert.True(t, delta < time.Duration(1)*time.Minute, "Diff should be less than a minute but delta is %s", delta)
+}
+
+func TestGetAccessCookieExpiration_NoExp(t *testing.T) {
+	token := newTestToken("foo").getToken()
+	refreshToken := token.Encode()
+	c := newFakeKeycloakConfig()
+	c.AccessTokenDuration = time.Duration(1) * time.Hour
+	proxy := newFakeProxy(c).proxy
+	duration := proxy.getAccessCookieExpiration(token, refreshToken)
+	assertAlmostEquals(t, c.AccessTokenDuration, duration)
+}
+
+func TestGetAccessCookieExpiration_ZeroExp(t *testing.T) {
+	ft := newTestToken("foo")
+	ft.setExpiration(time.Unix(0, 0))
+	token := ft.getToken()
+	refreshToken := token.Encode()
+	c := newFakeKeycloakConfig()
+	c.AccessTokenDuration = time.Duration(1) * time.Hour
+	proxy := newFakeProxy(c).proxy
+	duration := proxy.getAccessCookieExpiration(token, refreshToken)
+	assert.True(t, duration > 0, "duration should be positive")
+	assertAlmostEquals(t, c.AccessTokenDuration, duration)
+}
+
+func TestGetAccessCookieExpiration_PastExp(t *testing.T) {
+	ft := newTestToken("foo")
+	ft.setExpiration(time.Now().AddDate(-1, 0, 0))
+	token := ft.getToken()
+	refreshToken := token.Encode()
+	c := newFakeKeycloakConfig()
+	c.AccessTokenDuration = time.Duration(1) * time.Hour
+	proxy := newFakeProxy(c).proxy
+	duration := proxy.getAccessCookieExpiration(token, refreshToken)
+	assertAlmostEquals(t, c.AccessTokenDuration, duration)
+}
+
+func TestGetAccessCookieExpiration_ValidExp(t *testing.T) {
+	ft := newTestToken("foo")
+	token := ft.getToken()
+	refreshToken := token.Encode()
+	c := newFakeKeycloakConfig()
+	c.AccessTokenDuration = time.Duration(1) * time.Hour
+	proxy := newFakeProxy(c).proxy
+	duration := proxy.getAccessCookieExpiration(token, refreshToken)
+	val, ok, _ := ft.claims.TimeClaim("exp")
+	assert.True(t, ok)
+	expectedDuration := time.Until(val)
+	assertAlmostEquals(t, expectedDuration, duration)
+}