Backport the validation handler changes to OpenIddict 1.x

8 years ago · a941734521
2 changed files with 60 additions and 0 deletions
--- a/src/OpenIddict.Validation/Internal/OpenIddictValidationProvider.cs
+++ b/src/OpenIddict.Validation/Internal/OpenIddictValidationProvider.cs
@ -70,6 +70,15 @@ namespace OpenIddict.Validation
                    return;
                }

+                // Ensure the access token is still valid (i.e was not marked as revoked).
+                if (!await manager.IsValidAsync(token))
+                {
+                    logger.LogError("Authentication failed because the access token was no longer valid.");
+
+                    context.HandleResponse();
+                    return;
+                }
+
                var ticket = context.DataFormat.Unprotect(payload);
                if (ticket == null)
                {
--- a/test/OpenIddict.Validation.Tests/Internal/OpenIddictValidationProviderTests.cs
+++ b/test/OpenIddict.Validation.Tests/Internal/OpenIddictValidationProviderTests.cs
@ -134,6 +134,50 @@ namespace OpenIddict.Validation.Tests
            Mock.Get(manager).Verify(mock => mock.GetPayloadAsync(token, It.IsAny<CancellationToken>()), Times.Once());
        }

+        [Fact]
+        public async Task DecryptToken_ReturnsFailedResultForReferenceTokenWithInvalidStatus()
+        {
+            // Arrange
+            var token = new OpenIddictToken();
+
+            var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
+            format.Setup(mock => mock.Unprotect("valid-reference-token-payload"))
+                .Returns(value: null);
+
+            var manager = CreateTokenManager(instance =>
+            {
+                instance.Setup(mock => mock.FindByReferenceIdAsync("valid-reference-token-id", It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(token);
+
+                instance.Setup(mock => mock.GetPayloadAsync(token, It.IsAny<CancellationToken>()))
+                    .Returns(new ValueTask<string>("valid-reference-token-payload"));
+
+                instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(false);
+            });
+
+            var server = CreateResourceServer(builder =>
+            {
+                builder.Services.AddSingleton(manager);
+            });
+
+            var client = server.CreateClient();
+
+            var request = new HttpRequestMessage(HttpMethod.Get, "/");
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "valid-reference-token-id");
+
+            // Act
+            var response = await client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+
+            Mock.Get(manager).Verify(mock => mock.FindByReferenceIdAsync("valid-reference-token-id", It.IsAny<CancellationToken>()), Times.Once());
+            Mock.Get(manager).Verify(mock => mock.GetPayloadAsync(token, It.IsAny<CancellationToken>()), Times.Once());
+            Mock.Get(manager).Verify(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()), Times.Once());
+            format.Verify(mock => mock.Unprotect("valid-reference-token-payload"), Times.Never());
+        }
+
        [Fact]
        public async Task DecryptToken_ReturnsFailedResultForInvalidReferenceTokenPayload()
        {
@ -151,6 +195,9 @@ namespace OpenIddict.Validation.Tests

                instance.Setup(mock => mock.GetPayloadAsync(token, It.IsAny<CancellationToken>()))
                    .Returns(new ValueTask<string>("invalid-reference-token-payload"));
+
+                instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(true);
            });

            var server = CreateResourceServer(builder =>
@ -172,6 +219,7 @@ namespace OpenIddict.Validation.Tests

            Mock.Get(manager).Verify(mock => mock.FindByReferenceIdAsync("valid-reference-token-id", It.IsAny<CancellationToken>()), Times.Once());
            Mock.Get(manager).Verify(mock => mock.GetPayloadAsync(token, It.IsAny<CancellationToken>()), Times.Once());
+            Mock.Get(manager).Verify(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()), Times.Once());
            format.Verify(mock => mock.Unprotect("invalid-reference-token-payload"), Times.Once());
        }

@ -202,6 +250,9 @@ namespace OpenIddict.Validation.Tests
                instance.Setup(mock => mock.GetPayloadAsync(token, It.IsAny<CancellationToken>()))
                    .Returns(new ValueTask<string>("valid-reference-token-payload"));

+                instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(true);
+
                instance.Setup(mock => mock.GetCreationDateAsync(token, It.IsAny<CancellationToken>()))
                    .Returns(new ValueTask<DateTimeOffset?>(new DateTimeOffset(2018, 01, 01, 00, 00, 00, TimeSpan.Zero)));