Handle token expire/revoke

zooniverse · Jul 31, 2015 · 873b3e5 · 873b3e5
1 parent d296f8d
commit 873b3e5
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 0 deletions.
diff --git a/app/controllers/concerns/action_rescuing.rb b/app/controllers/concerns/action_rescuing.rb
@@ -24,6 +24,8 @@ module ActionRescuing
     rescue_from TalkService::ParameterError, with: :unprocessable
     rescue_from Talk::InvalidParameterError, with: :unprocessable
     rescue_from Talk::BannedUserError, with: :forbidden
+    rescue_from OauthAccessToken::ExpiredError, with: :unauthorized
+    rescue_from OauthAccessToken::RevokedError, with: :unauthorized
   end
 
   def unauthorized(exception)

diff --git a/app/models/oauth_access_token.rb b/app/models/oauth_access_token.rb
@@ -1,3 +1,28 @@
 class OauthAccessToken < ActiveRecord::Base
   belongs_to :resource_owner, class_name: 'User'
+
+  class ExpiredError < StandardError
+    def message; 'Access Token has expired'; end
+    alias_method :to_s, :message
+  end
+
+  class RevokedError < StandardError
+    def message; 'Access Token has been revoked'; end
+    alias_method :to_s, :message
+  end
+
+  def resource_owner
+    super.tap do |user|
+      raise ExpiredError if expired?
+      raise RevokedError if revoked?
+    end
+  end
+
+  def expired?
+    Time.now.utc > created_at + expires_in.seconds
+  end
+
+  def revoked?
+    !!revoked_at
+  end
 end
diff --git a/spec/factories/oauth_access_tokens.rb b/spec/factories/oauth_access_tokens.rb
@@ -5,5 +5,13 @@
     token{ SecureRandom.hex 32 }
     refresh_token{ SecureRandom.hex 32 }
     expires_in 7200
+
+    trait :expired do
+      created_at{ Time.now.utc - expires_in.seconds }
+    end
+
+    trait :revoked do
+      revoked_at{ 1.minute.ago.utc }
+    end
   end
 end
diff --git a/spec/models/oauth_access_token_spec.rb b/spec/models/oauth_access_token_spec.rb
@@ -0,0 +1,47 @@
+require 'spec_helper'
+
+RSpec.describe OauthAccessToken, type: :model do
+  describe '#expired?' do
+    let(:token){ create :oauth_access_token }
+    let(:expired_token){ create :oauth_access_token, :expired }
+
+    it 'should be true for expired tokens' do
+      expect(expired_token).to be_expired
+    end
+
+    it 'should be false for valid tokens' do
+      expect(token).to_not be_expired
+    end
+  end
+
+  describe '#revoked?' do
+    let(:token){ create :oauth_access_token }
+    let(:revoked_token){ create :oauth_access_token, :revoked }
+
+    it 'should be true for revoked tokens' do
+      expect(revoked_token).to be_revoked
+    end
+
+    it 'should be false for valid tokens' do
+      expect(token).to_not be_revoked
+    end
+  end
+
+  describe '#resource_owner' do
+    let(:token){ create :oauth_access_token }
+    let(:expired_token){ create :oauth_access_token, :expired }
+    let(:revoked_token){ create :oauth_access_token, :revoked }
+
+    it 'should not raise anything with a valid token' do
+      expect{ token.resource_owner }.to_not raise_error
+    end
+
+    it 'should raise if expired' do
+      expect{ expired_token.resource_owner }.to raise_error OauthAccessToken::ExpiredError
+    end
+
+    it 'should raise if revoked' do
+      expect{ revoked_token.resource_owner }.to raise_error OauthAccessToken::RevokedError
+    end
+  end
+end
diff --git a/spec/support/shared_examples_for_controller_rescuing.rb b/spec/support/shared_examples_for_controller_rescuing.rb
@@ -75,4 +75,10 @@ def json_schema_validation_error.to_s; message; end
 
   it_behaves_like 'ActionRescuing',
     Talk::BannedUserError.new, with: 403
+
+  it_behaves_like 'ActionRescuing',
+    OauthAccessToken::ExpiredError.new, with: 401
+
+  it_behaves_like 'ActionRescuing',
+    OauthAccessToken::RevokedError.new, with: 401
 end