Register active refreshTokens

solven-eu · Sep 23, 2024 · 6f55bcd · 6f55bcd
1 parent bb3f7d7
commit 6f55bcd
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 0 deletions.
diff --git a/...zation/src/main/java/eu/solven/kumite/oauth2/authorizationserver/ActiveRefreshTokens.java b/...zation/src/main/java/eu/solven/kumite/oauth2/authorizationserver/ActiveRefreshTokens.java
@@ -0,0 +1,19 @@
+package eu.solven.kumite.oauth2.authorizationserver;
+
+import java.util.Map;
+import java.util.Set;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentSkipListSet;
+
+public class ActiveRefreshTokens {
+	final Map<UUID, Set<UUID>> accountIdToJti = new ConcurrentHashMap<>();
+
+	public void touchRefreshToken(UUID accountId, UUID jti) {
+		accountIdToJti.computeIfAbsent(accountId, k -> new ConcurrentSkipListSet<>()).add(jti);
+	}
+
+	public Set<UUID> getActiveTokens(UUID accountId) {
+		return accountIdToJti.getOrDefault(accountId, Set.of());
+	}
+}
diff --git a/server/src/main/java/eu/solven/kumite/app/webflux/KumiteWebFluxConfiguration.java b/server/src/main/java/eu/solven/kumite/app/webflux/KumiteWebFluxConfiguration.java
@@ -11,6 +11,7 @@
 import eu.solven.kumite.contest.ContestHandler;
 import eu.solven.kumite.game.GameSearchHandler;
 import eu.solven.kumite.leaderboard.LeaderboardHandler;
+import eu.solven.kumite.oauth2.authorizationserver.ActiveRefreshTokens;
 import eu.solven.kumite.oauth2.authorizationserver.KumiteTokenService;
 import eu.solven.kumite.webhook.WebhooksHandler;
 import lombok.extern.slf4j.Slf4j;
@@ -29,6 +30,7 @@
 
 		KumiteLoginRouter.class,
 		AccessTokenHandler.class,
+		ActiveRefreshTokens.class,
 
 		// The contest-server generate its own RefreshTokens and AccessTokens (hence it acts as its own
 		// AuthroizationServer)

diff --git a/server/src/main/java/eu/solven/kumite/app/webflux/api/AccessTokenHandler.java b/server/src/main/java/eu/solven/kumite/app/webflux/api/AccessTokenHandler.java
@@ -14,6 +14,7 @@
 import eu.solven.kumite.account.KumiteUser;
 import eu.solven.kumite.account.KumiteUsersRegistry;
 import eu.solven.kumite.login.AccessTokenWrapper;
+import eu.solven.kumite.oauth2.authorizationserver.ActiveRefreshTokens;
 import eu.solven.kumite.oauth2.authorizationserver.KumiteTokenService;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -26,6 +27,8 @@ public class AccessTokenHandler {
 	final KumiteTokenService kumiteTokenService;
 	final KumiteUsersRegistry usersRegistry;
 
+	final ActiveRefreshTokens activeRefreshTokens;
+
 	// This route has to be authenticated with a refresh_token as access_token. This is not standard following OAuth2,
 	// but to do it clean, we would need any way to provide a separate Authentication Server.
 	public Mono<ServerResponse> getAccessToken(ServerRequest request) {
@@ -58,6 +61,8 @@ private KumiteUser userFromRefreshTokenJwt(Authentication authentication) {
 
 		UUID accountId = UUID.fromString(jwt.getSubject());
 
+		activeRefreshTokens.touchRefreshToken(accountId, UUID.fromString(jwt.getId()));
+
 		KumiteUser user = usersRegistry.getUser(accountId);
 		log.debug("We loaded {} from jti={}", user, jwt.getId());
 		return user;

diff --git a/server/src/test/java/eu/solven/kumite/app/it/security/KumiteServerSecurityApplication.java b/server/src/test/java/eu/solven/kumite/app/it/security/KumiteServerSecurityApplication.java
@@ -16,6 +16,7 @@
 import eu.solven.kumite.app.webflux.api.GreetingHandler;
 import eu.solven.kumite.app.webflux.api.KumiteLoginRouter;
 import eu.solven.kumite.app.webflux.api.KumiteSpaRouter;
+import eu.solven.kumite.oauth2.authorizationserver.ActiveRefreshTokens;
 import eu.solven.kumite.player.persistence.BijectiveAccountPlayersRegistry;
 import eu.solven.kumite.security.KumiteSecurity;
 import eu.solven.kumite.tools.KumiteRandomConfiguration;
@@ -34,6 +35,7 @@
 		KumiteLoginRouter.class,
 		PlayerVerifierFilterFunction.class,
 		AccessTokenHandler.class,
+		ActiveRefreshTokens.class,
 
 		// IAccountPlayersRegistry is needed as security often checks the players of an account
 		BijectiveAccountPlayersRegistry.class,

diff --git a/settings.xml b/settings.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
+    <profiles>
+        <profile>
+            <!-- https://devcenter.heroku.com/articles/using-a-custom-maven-settings-xml -->
+            <id>heroku</id>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <properties>
+                <!-- https://github.com/git-commit-id/git-commit-id-maven-plugin/issues/279 -->
+                <!-- https://gist.github.com/tmullin/bd17e3a05607d2b11349ef73ebbca84d -->
+                <maven.gitcommitid.skip>true</maven.gitcommitid.skip>
+            </properties>
+        </profile>
+    </profiles>
+</settings>