prefer code exchange credentials over the one received in the redirec…

…tUri
auth0 · Nov 23, 2016 · cef8bfd · cef8bfd
1 parent 9cf7e80
commit cef8bfd
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 16 deletions.
diff --git a/auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.java b/auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.java
@@ -394,7 +394,6 @@ private boolean authorize(@NonNull AuthorizeResult data) {
         } else {
             Log.d(TAG, "Authenticated using web flow");
             final Credentials urlCredentials = new Credentials(values.get(KEY_ID_TOKEN), values.get(KEY_ACCESS_TOKEN), values.get(KEY_TOKEN_TYPE), values.get(KEY_REFRESH_TOKEN));
-            Log.d(TAG, String.format("URL Credentials > Id=%s, Acc=%s, Typ=%s, Ref=%s", urlCredentials.getIdToken(), urlCredentials.getAccessToken(), urlCredentials.getType(), urlCredentials.getRefreshToken()));
             if (shouldUsePKCE()) {
                 pkce.getToken(values.get(KEY_CODE), new AuthCallback() {
                     @Override
@@ -409,7 +408,6 @@ public void onFailure(AuthenticationException exception) {
 
                     @Override
                     public void onSuccess(@NonNull Credentials codeCredentials) {
-                        Log.d(TAG, String.format("CODE Credentials > Id=%s, Acc=%s, Typ=%s, Ref=%s", codeCredentials.getIdToken(), codeCredentials.getAccessToken(), codeCredentials.getType(), codeCredentials.getRefreshToken()));
                         callback.onSuccess(mergeCredentials(urlCredentials, codeCredentials));
                     }
                 });
@@ -456,10 +454,10 @@ private void startAuthorization(Activity activity, Uri authorizeUri, int request
 
     @VisibleForTesting
     static Credentials mergeCredentials(Credentials urlCredentials, Credentials codeCredentials) {
-        final String idToken = urlCredentials.getIdToken() != null ? urlCredentials.getIdToken() : codeCredentials.getIdToken();
-        final String accessToken = codeCredentials.getAccessToken();
-        final String type = urlCredentials.getType() != null ? urlCredentials.getType() : codeCredentials.getType();
-        final String refreshToken = urlCredentials.getRefreshToken() != null ? urlCredentials.getRefreshToken() : codeCredentials.getRefreshToken();
+        final String idToken = codeCredentials.getIdToken() != null ? codeCredentials.getIdToken() : urlCredentials.getIdToken();
+        final String accessToken = codeCredentials.getAccessToken() != null ? codeCredentials.getAccessToken() : urlCredentials.getAccessToken();
+        final String type = codeCredentials.getType() != null ? codeCredentials.getType() : urlCredentials.getType();
+        final String refreshToken = codeCredentials.getRefreshToken() != null ? codeCredentials.getRefreshToken() : urlCredentials.getRefreshToken();
 
         return new Credentials(idToken, accessToken, type, refreshToken);
     }

diff --git a/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.java b/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.java
@@ -1211,23 +1211,22 @@ public void shouldMergeCredentials() throws Exception {
         Credentials codeCredentials = new Credentials("codeId", "codeAccess", "codeType", "codeRefresh");
         Credentials merged = WebAuthProvider.mergeCredentials(urlCredentials, codeCredentials);
 
-        assertThat(merged.getIdToken(), is(urlCredentials.getIdToken()));
+        assertThat(merged.getIdToken(), is(codeCredentials.getIdToken()));
         assertThat(merged.getAccessToken(), is(codeCredentials.getAccessToken()));
-        assertThat(merged.getType(), is(urlCredentials.getType()));
-        assertThat(merged.getRefreshToken(), is(urlCredentials.getRefreshToken()));
+        assertThat(merged.getType(), is(codeCredentials.getType()));
+        assertThat(merged.getRefreshToken(), is(codeCredentials.getRefreshToken()));
     }
 
     @Test
     public void shouldPreferNonNullValuesWhenMergingCredentials() throws Exception {
-        Credentials urlCredentials = new Credentials(null, "urlAccess", null, null);
-        Credentials codeCredentials = new Credentials("codeId", null, "codeType", "codeRefresh");
+        Credentials urlCredentials = new Credentials("urlId", "urlAccess", "urlType", "urlRefresh");
+        Credentials codeCredentials = new Credentials(null, null, null, null);
         Credentials merged = WebAuthProvider.mergeCredentials(urlCredentials, codeCredentials);
 
-        assertThat(merged.getIdToken(), is(codeCredentials.getIdToken()));
-        //Except URL AccessToken as it's short-lived
-        assertThat(merged.getAccessToken(), is(codeCredentials.getAccessToken()));
-        assertThat(merged.getType(), is(codeCredentials.getType()));
-        assertThat(merged.getRefreshToken(), is(codeCredentials.getRefreshToken()));
+        assertThat(merged.getIdToken(), is(urlCredentials.getIdToken()));
+        assertThat(merged.getAccessToken(), is(urlCredentials.getAccessToken()));
+        assertThat(merged.getType(), is(urlCredentials.getType()));
+        assertThat(merged.getRefreshToken(), is(urlCredentials.getRefreshToken()));
     }
 
     @Test