Introduce tokenRefreshedAfterLogin option to disable revokation mecha…

…nism.
Webador · Apr 11, 2018 · dadc0cb · dadc0cb
1 parent c591d7b
commit dadc0cb
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 3 deletions.
diff --git a/config/jwpersistentuser.local.php.dist b/config/jwpersistentuser.local.php.dist
@@ -1,5 +1,6 @@
 <?php return [
     'jwpersistentuser' => [
-        'serieTokenEntityClass' => 'User\Model\SerieToken'
+        'serieTokenEntityClass' => 'User\Model\SerieToken',
+        'tokenRefreshedAfterLogin' => true,
     ]
 ];
diff --git a/src/JwPersistentUser/Model/ModuleOptions.php b/src/JwPersistentUser/Model/ModuleOptions.php
@@ -11,6 +11,19 @@ class ModuleOptions extends AbstractOptions
      */
     protected $serieTokenEntityClass = 'JwPersistentUser\Model\SerieToken';
 
+    /**
+     * When enabled we will refresh the token each time it is used.
+     *
+     * If somebody were to hijack a session of an active user; this would eventually lead to this token being revoked.
+     *
+     * However: the big downside to this approach is that a token will also be revoked if a user did not receive
+     * the (cookie's in the) response from the server. For example because the page loaded slow and he or she closed
+     * the tab.
+     *
+     * @var bool
+     */
+    protected $tokenRefreshedAfterLogin = true;
+
     /**
      * @return string
      */
@@ -28,4 +41,20 @@ public function setSerieTokenEntityClass($serieTokenEntityClass)
         $this->serieTokenEntityClass = $serieTokenEntityClass;
         return $this;
     }
+
+    /**
+     * @return bool
+     */
+    public function isTokenRefreshedAfterLogin()
+    {
+        return $this->tokenRefreshedAfterLogin;
+    }
+
+    /**
+     * @param bool $tokenRefreshedAfterLogin
+     */
+    public function setTokenRefreshedAfterLogin($tokenRefreshedAfterLogin)
+    {
+        $this->tokenRefreshedAfterLogin = $tokenRefreshedAfterLogin;
+    }
 }
diff --git a/src/JwPersistentUser/Service/RememberMeService.php b/src/JwPersistentUser/Service/RememberMeService.php
@@ -76,9 +76,13 @@ public function getNextInSerie(SerieTokenInterface $serieToken)
             return null;
         }
 
-        // Generate new token in the serie
-        $matchingSerieToken->setToken($this->generateRandom());
+        if ($this->moduleOptions->isTokenRefreshedAfterLogin()) {
+            // Generate new token in the serie
+            $matchingSerieToken->setToken($this->generateRandom());
+        }
+
         $matchingSerieToken->setExpiresAt($this->getNewExpireDate());
+
         $this->getMapper()->persist($matchingSerieToken);
 
         return $matchingSerieToken;

diff --git a/tests/src/JwPersistentUserTest/Service/RememberMeServiceTest.php b/tests/src/JwPersistentUserTest/Service/RememberMeServiceTest.php
@@ -89,6 +89,21 @@ public function testGetNextSerie()
 
         $nextSerie = $this->service->getNextInSerie($serie);
 
+        $this->assertSame($serie, $nextSerie);
+        $this->assertEquals('def', $serie->getToken());
+
+        $this->assertDateTimeEquals(new \DateTime('+1 year'), $serie->getExpiresAt());
+    }
+
+    public function testGetNextSerieWhenRefreshEnabled()
+    {
+        $this->options->setTokenRefreshedAfterLogin(true);
+
+        $this->assumeSerie($serie = new SerieToken(3, 'abc', 'def'));
+        $serie->setExpiresAt(new \DateTime('tomorrow'));
+
+        $nextSerie = $this->service->getNextInSerie($serie);
+
         $this->assertSame($serie, $nextSerie);
         $this->assertNotEquals('def', $serie->getToken());