Change token auth provider usage of created to invaliated_tokens (#27614

)
elastic · Jan 10, 2019 · ff5b0e8 · ff5b0e8
1 parent 8361b82
commit ff5b0e8
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 9 deletions.
diff --git a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/token.js b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/token.js
@@ -424,7 +424,7 @@ describe('TokenAuthenticationProvider', () => {
 
         callWithInternalUser
           .withArgs('shield.deleteAccessToken', { body: { token: accessToken } })
-          .returns({ created: true });
+          .returns({ invalidated_tokens: 1 });
 
         const failureReason = new Error('failed to delete token');
         callWithInternalUser
@@ -451,11 +451,11 @@ describe('TokenAuthenticationProvider', () => {
 
         callWithInternalUser
           .withArgs('shield.deleteAccessToken', { body: { token: accessToken } })
-          .returns({ created: true });
+          .returns({ invalidated_tokens: 1 });
 
         callWithInternalUser
           .withArgs('shield.deleteAccessToken', { body: { refresh_token: refreshToken } })
-          .returns({ created: true });
+          .returns({ invalidated_tokens: 1 });
 
         const authenticationResult = await provider.deauthenticate(request, { accessToken, refreshToken });
 

diff --git a/x-pack/plugins/security/server/lib/authentication/providers/token.js b/x-pack/plugins/security/server/lib/authentication/providers/token.js
@@ -119,27 +119,35 @@ export class TokenAuthenticationProvider {
 
     try {
       // First invalidate the access token.
-      const { created: deletedAccessToken } = await this._options.client.callWithInternalUser(
+      const { invalidated_tokens: invalidatedAccessTokensCount } = await this._options.client.callWithInternalUser(
         'shield.deleteAccessToken',
         { body: { token: state.accessToken } }
       );
 
-      if (deletedAccessToken) {
+      if (invalidatedAccessTokensCount === 0) {
+        this._options.log(['debug', 'security', 'token'], 'User access token was already invalidated.');
+      } else if (invalidatedAccessTokensCount === 1) {
         this._options.log(['debug', 'security', 'token'], 'User access token has been successfully invalidated.');
       } else {
-        this._options.log(['debug', 'security', 'token'], 'User access token was already invalidated.');
+        this._options.log(['debug', 'security', 'token'],
+          `${invalidatedAccessTokensCount} user access tokens were invalidated, this is unexpected.`
+        );
       }
 
       // Then invalidate the refresh token.
-      const { created: deletedRefreshToken } = await this._options.client.callWithInternalUser(
+      const { invalidated_tokens: invalidatedRefreshTokensCount } = await this._options.client.callWithInternalUser(
         'shield.deleteAccessToken',
         { body: { refresh_token: state.refreshToken } }
       );
 
-      if (deletedRefreshToken) {
+      if (invalidatedRefreshTokensCount === 0) {
+        this._options.log(['debug', 'security', 'token'], 'User refresh token was already invalidated.');
+      } else if (invalidatedRefreshTokensCount === 1) {
         this._options.log(['debug', 'security', 'token'], 'User refresh token has been successfully invalidated.');
       } else {
-        this._options.log(['debug', 'security', 'token'], 'User refresh token was already invalidated.');
+        this._options.log(['debug', 'security', 'token'],
+          `${invalidatedRefreshTokensCount} user refresh tokens were invalidated, this is unexpected.`
+        );
       }
 
       return DeauthenticationResult.redirectTo(