Ensure access tokens returned to Assignable have a minimum duration o…

…f 12 hours (#1259)
openstax · Oct 1, 2024 · b1ade07 · b1ade07
1 parent 09a03e6
commit b1ade07
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 5 deletions.
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
@@ -1,5 +1,8 @@
 class Api::V1::UsersController < Api::V1::ApiController
-  SSO_TOKEN_DURATION = 6.hours
+  # New tokens last 1 day
+  SSO_TOKEN_INITIAL_DURATION = 24.hours
+  # Ensure any returned tokens last for at least 12 more hours
+  SSO_TOKEN_MIN_DURATION = 12.hours
 
   resource_description do
     api_versions "v1"
@@ -263,18 +266,22 @@ def get_sso_token(application, user)
       application,
       user.id,
       '',
-      SSO_TOKEN_DURATION,
+      SSO_TOKEN_INITIAL_DURATION,
       false,
     )
 
-    return access_token.token if access_token.created_at > user.updated_at
+    return access_token.token if access_token.created_at > user.updated_at &&
+                                 access_token.revoked_at.nil? && (
+                                   access_token.expires_at.nil? ||
+                                   access_token.expires_at >= Time.current + SSO_TOKEN_MIN_DURATION
+                                 )
 
     # Note: replace with create_for() in  a future Doorkeeper version
     access_token = Doorkeeper::AccessToken.create!(
       application_id: application.id,
       resource_owner_id: user.id,
       scopes: '',
-      expires_in: SSO_TOKEN_DURATION,
+      expires_in: SSO_TOKEN_INITIAL_DURATION,
       use_refresh_token: false
     )
 

diff --git a/spec/controllers/api/v1/users_controller_spec.rb b/spec/controllers/api/v1/users_controller_spec.rb
@@ -406,7 +406,10 @@
       sso_hash = SsoCookie.read sso_cookie
       expect(sso_hash['sub']).to eq Api::V1::UserRepresenter.new(new_user).to_hash
       expect(sso_hash['exp']).to be <= (
-        Time.current + Api::V1::UsersController::SSO_TOKEN_DURATION
+        Time.current + Api::V1::UsersController::SSO_TOKEN_INITIAL_DURATION
+      ).to_i
+      expect(sso_hash['exp']).to be >= (
+        Time.current + Api::V1::UsersController::SSO_TOKEN_MIN_DURATION
       ).to_i
 
       # Ensure the Doorkeeper token exists