From 718a4f3b8b659f88e346442220dd00e8fbd7a20e Mon Sep 17 00:00:00 2001
From: Brent Dearth
Date: Mon, 20 Oct 2014 12:38:23 -0400
Subject: [PATCH] fix(expiry): fix an issue where token expiration checks were too permissive
---
 app/models/devise_token_auth/concerns/user.rb | 4 ++--
 test/models/user_test.rb | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb
index 39a0c2b4e..a8fd1bf79 100644
--- a/app/models/devise_token_auth/concerns/user.rb
+++ b/app/models/devise_token_auth/concerns/user.rb
@@ -99,8 +99,8 @@ def token_is_current?(token, client_id)
 self.tokens[client_id]['expiry'] and
 self.tokens[client_id]['token'] and
 
- # ensure that the token was created within the last two weeks
- DateTime.strptime(self.tokens[client_id]['expiry'].to_s, '%s') > DeviseTokenAuth.token_lifespan.ago and
+ # ensure that the token has not yet expired
+ DateTime.strptime(self.tokens[client_id]['expiry'].to_s, '%s') > Time.now and
 
 # ensure that the token is valid
 BCrypt::Password.new(self.tokens[client_id]['token']) == token
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index cf49a2a48..7dc48231c 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
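Review bot: The new expiry comparison on the `+ DateTime.strptime(...) > Time.now and` line still round-trips the stored epoch through `to_s` and `DateTime.strptime(..., '%s')`, which raises ArgumentError instead of returning false whenever `expiry` is not a well-formed integer, so a corrupt or hand-edited tokens entry surfaces as a server error rather than a failed authentication. `Time.at(self.tokens[client_id]['expiry'].to_i) > Time.now and` compares the same instant without parsing and fails closed on garbage (`to_i` of a bad value is 0, i.e. long expired). The `DateTime > Time` comparison also appears to depend on ActiveSupport's DateTime#<=> extension, which is fine inside Rails but deserves a one-line comment such as `# DateTime/Time comparison is provided by ActiveSupport`. The body of `token_is_current?` begins and ends outside this hunk, so the surrounding `return true if (...)` structure is inferred.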
@@ -37,6 +37,26 @@ class UserTest < ActiveSupport::TestCase
 end
 end
 
+ describe 'token expiry' do
+ before do
+ @user = users(:confirmed_email_user)
+ @user.skip_confirmation!
+ @user.save!
+
+ @auth_headers = @user.create_new_auth_token
+
+ @token = @auth_headers['access-token']
+ @client_id = @auth_headers['client']
+ end
+
+ test 'should properly indicate whether token is current' do
+ assert @user.token_is_current?(@token, @client_id)
+ # we want to update the expiry without forcing a cleanup (see below)
+ @user.tokens[@client_id]['expiry'] = Time.now.to_i - 10.seconds
+ refute @user.token_is_current?(@token, @client_id)
+ end
+ end
+
 describe 'expired tokens are destroyed on save' do
 before do
 @user = users(:confirmed_email_user)
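Review bot: The expired-token fixture on the `+ @user.tokens[@client_id]['expiry'] = Time.now.to_i - 10.seconds` line mixes an Integer with an ActiveSupport::Duration, so the value written back into `tokens` is whatever that coercion yields rather than the plain Integer epoch the rest of the code stores; `@user.tokens[@client_id]['expiry'] = 10.seconds.ago.to_i` keeps the stored type identical to production data and reads as intended. The new test covers a fresh token and one expired ten seconds ago, which is the regression this commit fixes, but nothing here pins the other inputs `token_is_current?` is expected to reject — a missing `'expiry'` key, and a wrong `token` for a still-valid expiry — so a second `refute` for each of those would guard the remaining branches of the check. The `describe 'expired tokens are destroyed on save'` block that the comment refers to continues past the end of this hunk.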