[opw-web] Auth: handle expired tokens



commit fb58028b591114fb1d2526ad801e928368118b0b
Author: Owen W. Taylor <otaylor fishsoup net>
Date:   Mon Feb 8 18:15:25 2016 -0500

    Auth: handle expired tokens
    
    Because of interactions between HybridAuth sessions and application sessions,
    we can have a state where we have a HybridAuth session, but the credential is
    expired, and we don't have a refresh token. In this case, we need to reauthenticate,
    rather than proceeding. Add an isExpired() method to the provider adapter and
    model, so that the authenticate() method of the Auth object can identify this
    situation and start over.

 auth/Hybrid/Auth.php                  |   30 +++++++++++++++++-------------
 auth/Hybrid/Provider_Adapter.php      |   10 ++++++++++
 auth/Hybrid/Provider_Model.php        |   10 ++++++++++
 auth/Hybrid/Provider_Model_OAuth2.php |    7 ++++++-
 4 files changed, 43 insertions(+), 14 deletions(-)
---
diff --git a/auth/Hybrid/Auth.php b/auth/Hybrid/Auth.php
index 23c778f..d0be078 100644
--- a/auth/Hybrid/Auth.php
+++ b/auth/Hybrid/Auth.php
@@ -208,22 +208,26 @@ class Hybrid_Auth
        {
                Hybrid_Logger::info( "Enter Hybrid_Auth::authenticate( $providerId )" );
 
-               // if user not connected to $providerId then try setup a new adapter and start the login 
process for this provider
-               if( ! Hybrid_Auth::storage()->get( "hauth_session.$providerId.is_logged_in" ) ){ 
-                       Hybrid_Logger::info( "Hybrid_Auth::authenticate( $providerId ), User not connected to 
the provider. Try to authenticate.." );
+               if( Hybrid_Auth::storage()->get( "hauth_session.$providerId.is_logged_in" ) ){
+            // If we're already connect to $providerIder, return the adapter instance for the given provider,
+            // unless it is expired
+                       $provider_adapter = Hybrid_Auth::getAdapter( $providerId );
+            if( ! $provider_adapter->isExpired()) {
+                Hybrid_Logger::info( "Hybrid_Auth::authenticate( $providerId ), User is already connected to 
this provider. Return the adapter" );
+                 return $provider_adapter;
+            } else {
+                Hybrid_Logger::info( "Hybrid_Auth::authenticate( $providerId ), User is connected to this 
provider with expired credentials. Starting over" );
+                $provider_adapter->setUserUnconnected();
+            }
+        }
 
-                       $provider_adapter = Hybrid_Auth::setup( $providerId, $params );
+               // if user not connected to $providerId then try setup a new adapter and start the login 
process for this provider
+        Hybrid_Logger::info( "Hybrid_Auth::authenticate( $providerId ), User not connected to the provider. 
Try to authenticate.." );
 
-                       $provider_adapter->login();
-               }
+        $provider_adapter = Hybrid_Auth::setup( $providerId, $params );
 
-               // else, then return the adapter instance for the given provider
-               else{
-                       Hybrid_Logger::info( "Hybrid_Auth::authenticate( $providerId ), User is already 
connected to this provider. Return the adapter instance." );
-
-                       return Hybrid_Auth::getAdapter( $providerId );
-               }
-       }
+        $provider_adapter->login();
+    }
 
        // --------------------------------------------------------------------
 
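Review bot: In the expired branch, `$provider_adapter->setUserUnconnected();` is the only cleanup before `setup()` and `login()` run again, so the expired access token for `$providerId` may stay in the stored session if that call only resets the `is_logged_in` flag (its body is not part of this patch). If the adapter's logout path clears the stored tokens, `$provider_adapter->logout();` would be the safer reset here, so that an abandoned re-login does not leave the stale credential behind. The comment above `getAdapter()` also has typos; I would write `// If we're already connected to $providerId, return the adapter instance for the given provider,`. authenticate() starts before this hunk.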
diff --git a/auth/Hybrid/Provider_Adapter.php b/auth/Hybrid/Provider_Adapter.php
index 4333b93..0abc97c 100644
--- a/auth/Hybrid/Provider_Adapter.php
+++ b/auth/Hybrid/Provider_Adapter.php
@@ -165,6 +165,16 @@ class Hybrid_Provider_Adapter
 
        // --------------------------------------------------------------------
 
+    /**
+     * return true if we're connected but the access credentials are expired
+     */
+       public function isExpired()
+       {
+               return $this->adapter->isExpired();
+       }
+
+       // --------------------------------------------------------------------
+
        /**
        * handle :
        *   getUserProfile()
diff --git a/auth/Hybrid/Provider_Model.php b/auth/Hybrid/Provider_Model.php
index ef45dd4..15e77dd 100644
--- a/auth/Hybrid/Provider_Model.php
+++ b/auth/Hybrid/Provider_Model.php
@@ -172,6 +172,16 @@ abstract class Hybrid_Provider_Model
 
        // --------------------------------------------------------------------
 
+    /**
+     * return true if we're connected but the access credentials are expired
+     */
+       public function isExpired()
+    {
+        return false;
+       }
+
+       // --------------------------------------------------------------------
+
        /**
        * set user to connected 
        */ 
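Review bot: The base `isExpired()` returns `false` unconditionally, so every provider model that does not override it (only `Hybrid_Provider_Model_OAuth2` does in this commit) is treated by `authenticate()` as never expired. That fail-open default should be stated in the docblock, which currently reads as if expiry were actually checked; something like `* Returns true if connected with expired credentials that cannot be refreshed. The base model cannot tell and returns false; providers with expiring credentials must override.` followed by `* @return bool`. The same docblock text is used on `Hybrid_Provider_Adapter::isExpired()` in the previous hunk, where it would be more accurate to say that the call is delegated to the provider model.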
diff --git a/auth/Hybrid/Provider_Model_OAuth2.php b/auth/Hybrid/Provider_Model_OAuth2.php
index aaae805..7480e9d 100644
--- a/auth/Hybrid/Provider_Model_OAuth2.php
+++ b/auth/Hybrid/Provider_Model_OAuth2.php
@@ -131,7 +131,12 @@ class Hybrid_Provider_Model_OAuth2 extends Hybrid_Provider_Model
                // set user connected locally
                $this->setUserConnected();
        }
-       
+
+    function isExpired()
+    {
+        return $this->api->access_token_expires_at && ! $this->api->refresh_token && 
$this->api->access_token_expires_at <= time() ;
+    }
+
        function refreshToken()
        {
                // have an access token?
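Review bot: `isExpired()` reports `false` whenever a refresh token is present or `access_token_expires_at` is empty, so `authenticate()` can return an adapter whose access token is already past its expiry and rely on `refreshToken()` succeeding later. If the refresh token has been revoked or is rejected, nothing in this patch sends the user back through login; whether `refreshToken()` covers that failure cannot be seen here, as its body continues outside the hunk. The method also lacks the `public` keyword its parent declaration has, and it has no docblock; I would write `public function isExpired()` and document that a missing expiry time is treated as not expired.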

