From b1ade07e0f36c46e2001bab6ab52220b2e82ea3c Mon Sep 17 00:00:00 2001
From: Dante Soares
Date: Tue, 1 Oct 2024 09:57:58 -0500
Subject: [PATCH] Ensure access tokens returned to Assignable have a minimum duration of 12 hours (#1259)

---
 app/controllers/api/v1/users_controller.rb       | 15 +++++++++++----
 spec/controllers/api/v1/users_controller_spec.rb |  5 ++++-
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index 61297754b..2b7038f40 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -1,5 +1,8 @@
 class Api::V1::UsersController < Api::V1::ApiController
-  SSO_TOKEN_DURATION = 6.hours
+  # New tokens last 1 day
+  SSO_TOKEN_INITIAL_DURATION = 24.hours
+  # Ensure any returned tokens last for at least 12 more hours
+  SSO_TOKEN_MIN_DURATION = 12.hours
 
   resource_description do
     api_versions "v1"
@@ -263,18 +266,22 @@ def get_sso_token(application, user)
       application,
       user.id,
       '',
-      SSO_TOKEN_DURATION,
+      SSO_TOKEN_INITIAL_DURATION,
       false,
     )
 
-    return access_token.token if access_token.created_at > user.updated_at
+    return access_token.token if access_token.created_at > user.updated_at &&
+      access_token.revoked_at.nil? && (
+        access_token.expires_at.nil? ||
+        access_token.expires_at >= Time.current + SSO_TOKEN_MIN_DURATION
+      )
 
     # Note: replace with create_for() in a future Doorkeeper version
     access_token = Doorkeeper::AccessToken.create!(
       application_id: application.id,
       resource_owner_id: user.id,
       scopes: '',
-      expires_in: SSO_TOKEN_DURATION,
+      expires_in: SSO_TOKEN_INITIAL_DURATION,
       use_refresh_token: false
     )
 
diff --git a/spec/controllers/api/v1/users_controller_spec.rb b/spec/controllers/api/v1/users_controller_spec.rb
index 6432ee54f..61a7efd00 100644
--- a/spec/controllers/api/v1/users_controller_spec.rb
+++ b/spec/controllers/api/v1/users_controller_spec.rb
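Review bot: SSO_TOKEN_INITIAL_DURATION quadruples the lifetime of the bearer token handed to Assignable from 6 to 24 hours, which also lengthens the window in which a leaked or stale token stays usable, and the comment above it records the number rather than the reason for accepting that trade-off. Nothing ties the two constants together either: the reuse check in get_sso_token only returns an existing token with at least SSO_TOKEN_MIN_DURATION left, so SSO_TOKEN_INITIAL_DURATION must stay well above SSO_TOKEN_MIN_DURATION or every call would mint a fresh token. I would replace the first comment with `# Tokens are minted for 24h. The reuse path in get_sso_token only returns a token with at least SSO_TOKEN_MIN_DURATION left, so this must stay well above that value; the longer lifetime also widens the exposure window of a leaked token.` and the second with `# Minimum remaining lifetime for an existing token to be returned instead of minting a new one.` The class body continues outside the hunk.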
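Review bot: When the existing token fails the new reuse check, the method mints a replacement but leaves the old token untouched, so after a user update two usable tokens for the same user and application coexist until the older one expires on its own (now up to 24 hours). If `user.updated_at` moves on security-relevant changes such as a password or role change — which is not visible here — the token rejected for being older than the user record should be revoked before the `create!`, e.g. `access_token.revoke if access_token.created_at <= user.updated_at`, while a token rejected only for being close to expiry should be left alone since a client may still hold it. Separately, the four-line `&&`/`||` condition hanging off a `return ... if` modifier is hard to scan; extracting it into a private predicate such as `reusable_sso_token?(access_token, user)` would make the three rejection reasons (stale, revoked, expiring) explicit. The lookup that populates access_token is above the hunk, so whether it can be nil is not visible, and get_sso_token starts and ends outside the hunk.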
@@ -406,7 +406,10 @@
           sso_hash = SsoCookie.read sso_cookie
           expect(sso_hash['sub']).to eq Api::V1::UserRepresenter.new(new_user).to_hash
           expect(sso_hash['exp']).to be <= (
-            Time.current + Api::V1::UsersController::SSO_TOKEN_DURATION
+            Time.current + Api::V1::UsersController::SSO_TOKEN_INITIAL_DURATION
+          ).to_i
+          expect(sso_hash['exp']).to be >= (
+            Time.current + Api::V1::UsersController::SSO_TOKEN_MIN_DURATION
           ).to_i
 
           # Ensure the Doorkeeper token exists
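Review bot: The added lower-bound assertion holds for any freshly minted token (its exp is request time plus 24 hours, far above Time.current plus 12 hours), so it does not exercise the reuse branch the controller change introduces. The spec should also cover that branch: pre-create a Doorkeeper::AccessToken for the user with `expires_in: 1.hour` and another with `revoked_at: Time.current`, assert the endpoint returns a different token in both cases, and pre-create one with `expires_in: 13.hours` and assert that same token is returned. Both bounds compare against a Time.current sampled after the request; unless time is frozen in an outer block, which is not visible here, they only pass because the margins are hours wide, and wrapping the request in `freeze_time` would make the upper bound exact. The enclosing example starts and ends outside the hunk.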