From 3b295844f9633cdce1f7524ec78bcfda65990dbe Mon Sep 17 00:00:00 2001
From: Morgan Martinet
Date: Tue, 8 May 2018 22:51:09 -0400
Subject: [PATCH] fix cookie expiration issue when exp claim is zero

---
 misc.go | 5 ++++-
 misc_test.go | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/misc.go b/misc.go
index f279d3c59..b8009c7ba 100644
--- a/misc.go
+++ b/misc.go
@@ -116,7 +116,10 @@ func (r *oauthProxy) getAccessCookieExpiration(token jose.JWT, refresh string) t
 // refresh token
 duration := r.config.AccessTokenDuration
 if _, ident, err := parseToken(refresh); err == nil {
- duration = time.Until(ident.ExpiresAt)
+ delta := time.Until(ident.ExpiresAt)
+ if delta > 0 {
+ duration = delta
+ }
 }
 
 return duration
diff --git a/misc_test.go b/misc_test.go
index 9adb121f6..7136479da 100644
--- a/misc_test.go
+++ b/misc_test.go
@@ -18,6 +18,9 @@ package main
 import (
 "net/http"
 "testing"
+ "time"
+
+ "github.com/stretchr/testify/assert"
 )
 
 func TestRedirectToAuthorizationUnauthorized(t *testing.T) {
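Review bot: The `if delta > 0` guard in getAccessCookieExpiration treats a refresh token whose `exp` is genuinely in the past the same as one whose `exp` is zero: both fall back to `r.config.AccessTokenDuration`, so an already expired refresh token still yields a cookie with the full configured lifetime. If only the zero or unset case is meant, as the subject says, narrow the condition or state the intent in a comment, e.g. `// exp is zero or already past: keep the configured AccessTokenDuration`. The parseToken error is also ignored without a comment, and it is not visible here whether parseToken verifies the signature, so confirm the cookie lifetime is not being derived from an unverified claim. The function's signature and the start of its body are outside the hunk.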
@@ -47,3 +50,60 @@ func TestRedirectToAuthorizationSkipToken(t *testing.T) {
 c.SkipTokenVerification = true
 newFakeProxy(c).RunTests(t, requests)
 }
+
+func assertAlmostEquals(t *testing.T, expected time.Duration, actual time.Duration) {
+ delta := expected - actual
+ if delta < 0 {
+ delta = -delta
+ }
+ assert.True(t, delta < time.Duration(1)*time.Minute, "Diff should be less than a minute but delta is %s", delta)
+}
+
+func TestGetAccessCookieExpiration_NoExp(t *testing.T) {
+ token := newTestToken("foo").getToken()
+ refreshToken := token.Encode()
+ c := newFakeKeycloakConfig()
+ c.AccessTokenDuration = time.Duration(1) * time.Hour
+ proxy := newFakeProxy(c).proxy
+ duration := proxy.getAccessCookieExpiration(token, refreshToken)
+ assertAlmostEquals(t, c.AccessTokenDuration, duration)
+}
+
+func TestGetAccessCookieExpiration_ZeroExp(t *testing.T) {
+ ft := newTestToken("foo")
+ ft.setExpiration(time.Unix(0, 0))
+ token := ft.getToken()
+ refreshToken := token.Encode()
+ c := newFakeKeycloakConfig()
+ c.AccessTokenDuration = time.Duration(1) * time.Hour
+ proxy := newFakeProxy(c).proxy
+ duration := proxy.getAccessCookieExpiration(token, refreshToken)
+ assert.True(t, duration > 0, "duration should be positive")
+ assertAlmostEquals(t, c.AccessTokenDuration, duration)
+}
+
+func TestGetAccessCookieExpiration_PastExp(t *testing.T) {
+ ft := newTestToken("foo")
+ ft.setExpiration(time.Now().AddDate(-1, 0, 0))
+ token := ft.getToken()
+ refreshToken := token.Encode()
+ c := newFakeKeycloakConfig()
+ c.AccessTokenDuration = time.Duration(1) * time.Hour
+ proxy := newFakeProxy(c).proxy
+ duration := proxy.getAccessCookieExpiration(token, refreshToken)
+ assertAlmostEquals(t, c.AccessTokenDuration, duration)
+}
+
+func TestGetAccessCookieExpiration_ValidExp(t *testing.T) {
+ ft := newTestToken("foo")
+ token := ft.getToken()
+ refreshToken := token.Encode()
+ c := newFakeKeycloakConfig()
+ c.AccessTokenDuration = time.Duration(1) * time.Hour
+ proxy := newFakeProxy(c).proxy
+ duration := proxy.getAccessCookieExpiration(token, refreshToken)
+ val, ok, _ := ft.claims.TimeClaim("exp")
+ assert.True(t, ok)
+ expectedDuration := time.Until(val)
+ assertAlmostEquals(t, expectedDuration, duration)
+}
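Review bot: `TestGetAccessCookieExpiration_NoExp` and `TestGetAccessCookieExpiration_ValidExp` build the refresh token the same way (`newTestToken("foo")` with no call to `setExpiration`) yet expect different results, so both can pass only if the helper's default `exp` lies within the one-minute tolerance of the one-hour `AccessTokenDuration`; in that case neither test can tell the refresh-token path from the fallback. newTestToken is not visible in this patch, so this is inferred from the two test bodies. In ValidExp, giving the token a lifetime clearly different from the configured one, e.g. `ft.setExpiration(time.Now().Add(2 * time.Hour))`, would pin the refresh-token path, and NoExp should use a token that really carries no `exp`. `assertAlmostEquals` would also report failures at the caller's line with `t.Helper()` as its first statement, and the error discarded in `val, ok, _ := ft.claims.TimeClaim("exp")` is worth asserting on.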