From 8154e60682bbb30e12aca26c9b89c571ac69e628 Mon Sep 17 00:00:00 2001
From: Rein Krul
Date: Fri, 8 Dec 2023 14:53:55 +0100
Subject: [PATCH] make accesstoken store not s2s-specific
---
 auth/api/iam/api.go | 10 +++++++++-
 auth/api/iam/api_test.go | 6 +++---
 auth/api/iam/s2s_vptoken.go | 10 +--------
 auth/api/iam/s2s_vptoken_test.go | 2 +-
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
index 21dd71902c..b406f0e4d0 100644
--- a/auth/api/iam/api.go
+++ b/auth/api/iam/api.go
@@ -49,6 +49,10 @@ const apiPath = "iam"
 const apiModuleName = auth.ModuleName + "/" + apiPath
 const httpRequestContextKey = "http-request"
+// accessTokenValidity defines how long access tokens are valid.
+// TODO: Might want to make this configurable at some point
+const accessTokenValidity = 15 * time.Minute
+
 //go:embed assets
 var assets embed.FS
@@ -167,7 +171,7 @@ func (r Wrapper) IntrospectAccessToken(ctx context.Context, request IntrospectAc
 }
 token := AccessToken{}
- if err := r.s2sAccessTokenStore().Get(request.Body.Token, &token); err != nil {
+ if err := r.accessTokenStore().Get(request.Body.Token, &token); err != nil {
 // Return 200 + 'Active = false' when token is invalid or malformed
 return IntrospectAccessToken200JSONResponse{}, err
 }
@@ -391,3 +395,7 @@ func (r Wrapper) idToDID(id string) did.DID {
 result, _ := didweb.URLToDID(*r.auth.PublicURL().JoinPath("iam", id))
 return *result
 }
+
+func (r *Wrapper) accessTokenStore() storage.SessionStore {
+ return r.storageEngine.GetSessionDatabase().GetStore(accessTokenValidity, "accesstoken")
+}
diff --git a/auth/api/iam/api_test.go b/auth/api/iam/api_test.go
index 914b832fbb..aecbe8f645 100644
--- a/auth/api/iam/api_test.go
+++ b/auth/api/iam/api_test.go
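Review bot: The new `accessTokenStore` method on `*Wrapper` is added next to `IntrospectAccessToken` and `idToDID`, which use a value receiver on `Wrapper`; it compiles because `r` is addressable in those methods, and the mix already exists elsewhere (s2s_vptoken.go uses `*Wrapper`), but the type would read better with one receiver kind throughout. The method also has no doc comment; suggest `// accessTokenStore returns the session store holding issued access tokens, keyed by the token value (see createS2SAccessToken/IntrospectAccessToken); GetStore is passed accessTokenValidity, presumably as the entry lifetime.` Note that the store prefix changes from `"s2s", "accesstoken"` to `"accesstoken"`, so tokens written before this change will not be found by IntrospectAccessToken after deployment; with a 15-minute validity that is likely acceptable, but it deserves a sentence in the commit message.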
@@ -247,7 +247,7 @@ func TestWrapper_IntrospectAccessToken(t *testing.T) {
 })
 t.Run("error - expired token", func(t *testing.T) {
 token := AccessToken{Expiration: time.Now().Add(-time.Second)}
- require.NoError(t, ctx.client.s2sAccessTokenStore().Put("token", token))
+ require.NoError(t, ctx.client.accessTokenStore().Put("token", token))
 res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: "token"}})
@@ -256,7 +256,7 @@ func TestWrapper_IntrospectAccessToken(t *testing.T) {
 })
 t.Run("ok", func(t *testing.T) {
 token := AccessToken{Expiration: time.Now().Add(time.Second)}
- require.NoError(t, ctx.client.s2sAccessTokenStore().Put("token", token))
+ require.NoError(t, ctx.client.accessTokenStore().Put("token", token))
 res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: "token"}})
@@ -287,7 +287,7 @@ func TestWrapper_IntrospectAccessToken(t *testing.T) {
 PresentationDefinition: &pe.PresentationDefinition{},
 }
- require.NoError(t, ctx.client.s2sAccessTokenStore().Put(token.Token, token))
+ require.NoError(t, ctx.client.accessTokenStore().Put(token.Token, token))
 expectedResponse, err := json.Marshal(IntrospectAccessToken200JSONResponse{
 Active: true,
 ClientId: ptrTo("client"),
diff --git a/auth/api/iam/s2s_vptoken.go b/auth/api/iam/s2s_vptoken.go
index 55770507c6..544b8bff73 100644
--- a/auth/api/iam/s2s_vptoken.go
+++ b/auth/api/iam/s2s_vptoken.go
@@ -35,10 +35,6 @@ import (
 "github.com/nuts-foundation/nuts-node/vdr/resolver"
 )
-// accessTokenValidity defines how long access tokens are valid.
-// TODO: Might want to make this configurable at some point
-const accessTokenValidity = 15 * time.Minute
-
 // s2sMaxPresentationValidity defines the maximum validity of a presentation.
 // This is to prevent replay attacks. The value is specified by Nuts RFC021, and excludes max. clock skew.
 const s2sMaxPresentationValidity = 5 * time.Second
@@ -165,7 +161,7 @@ func (r *Wrapper) createS2SAccessToken(issuer did.DID, issueTime time.Time, pres
 PresentationDefinition: &definition,
 PresentationSubmission: &submission,
 }
- err = r.s2sAccessTokenStore().Put(accessToken.Token, accessToken)
+ err = r.accessTokenStore().Put(accessToken.Token, accessToken)
 if err != nil {
 return nil, fmt.Errorf("unable to store access token: %w", err)
 }
@@ -312,10 +308,6 @@ func (r *Wrapper) validatePresentationAudience(presentation vc.VerifiablePresent
 }
 }
-func (r *Wrapper) s2sAccessTokenStore() storage.SessionStore {
- return r.storageEngine.GetSessionDatabase().GetStore(accessTokenValidity, "s2s", "accesstoken")
-}
-
 type AccessToken struct {
 Token string
 // Issuer and Subject of a token are always the same.
diff --git a/auth/api/iam/s2s_vptoken_test.go b/auth/api/iam/s2s_vptoken_test.go
index 3502703eef..774c8d8afe 100644
--- a/auth/api/iam/s2s_vptoken_test.go
+++ b/auth/api/iam/s2s_vptoken_test.go
@@ -418,7 +418,7 @@ func TestWrapper_createAccessToken(t *testing.T) {
 assert.Equal(t, "everything", *accessToken.Scope)
 var storedToken AccessToken
- err = ctx.client.s2sAccessTokenStore().Get(accessToken.AccessToken, &storedToken)
+ err = ctx.client.accessTokenStore().Get(accessToken.AccessToken, &storedToken)
 require.NoError(t, err)
 assert.Equal(t, accessToken.AccessToken, storedToken.Token)
 assert.Equal(t, submission, *storedToken.PresentationSubmission)