Fix token validation logic for long-term tokens (#209)

* Fix token validation logic for long-term tokens * Fix token inspection logic and add logging for token refresh
hms-dbmi · Sep 16, 2024 · a66011a · a66011a
1 parent 706f057
commit a66011a
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/...-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/TokenService.java b/...-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/TokenService.java
@@ -183,7 +183,10 @@ private TokenInspection validateToken(Map<String, Object> inputMap) throws Illeg
                 errorMsg = "User doesn't have enough privileges.";
         }
 
-        if (isAuthorizationPassed) {
+        if (isLongTermToken && isAuthorizationPassed) {
+            // The long term token is not automatically refreshed, so we don't need to check the expiration time
+            tokenInspection.addField("active", true);
+        } else if (isAuthorizationPassed) {
             tokenInspection.addField("active", true);
             ArrayList<String> roles = new ArrayList<>();
             for (Privilege p : user.getTotalPrivilege()) {
@@ -194,6 +197,7 @@ private TokenInspection validateToken(Map<String, Object> inputMap) throws Illeg
             // Refresh Token
             Date expiration = jws.getPayload().getExpiration();
             if (jwtUtil.shouldRefreshToken(expiration, tokenExpirationTime)) {
+                logger.info("_inspectToken() Token is about to expire, refreshing token...");
                 RefreshToken refreshResponse = refreshToken(token);
                 if (refreshResponse instanceof ValidRefreshToken validRefreshToken) {
                     tokenInspection.addField("token", validRefreshToken.token());