Do not persist refreshed tokens if the original token was temporary

If the initial access token was acquired via an automatic login using a grant token provided by the publisher, neither the initial access token nor refreshed tokens should be persisted to local storage.
hypothesis · Nov 9, 2017 · 5781fe3 · 5781fe3
1 parent 6e973d1
commit 5781fe3
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 12 deletions.
diff --git a/src/sidebar/oauth-auth.js b/src/sidebar/oauth-auth.js
@@ -264,9 +264,18 @@ function auth($http, $rootScope, $window,
       }
 
       if (Date.now() > token.expiresAt) {
+        var shouldPersist = true;
+
+        // If we are using automatic login via a grant token, do not persist the
+        // initial access token or refreshed tokens.
+        var cfg = serviceConfig(settings);
+        if (typeof cfg.grantToken !== 'undefined') {
+          shouldPersist = false;
+        }
+
         // Token expired. Attempt to refresh.
         tokenInfoPromise = refreshAccessToken(token.refreshToken, {
-          persist: true,
+          persist: shouldPersist,
         }).catch(() => {
           // If refreshing the token fails, the user is simply logged out.
           return null;

diff --git a/src/sidebar/test/oauth-auth-test.js b/src/sidebar/test/oauth-auth-test.js
@@ -392,23 +392,27 @@ describe('sidebar.oauth-auth', function () {
       });
     });
 
+    function expireAndRefreshAccessToken() {
+      fakeLocalStorage.setObject.reset();
+      fakeHttp.post.returns(Promise.resolve({
+        status: 200,
+        data: {
+          access_token: 'secondToken',
+          expires_in: DEFAULT_TOKEN_EXPIRES_IN_SECS,
+          refresh_token: 'secondRefreshToken',
+        },
+      }));
+      expireAccessToken();
+      return auth.tokenGetter();
+    }
+
     it('persists refreshed tokens to storage', () => {
       // 1. Perform initial token exchange.
       return login().then(() => {
         return auth.tokenGetter();
       }).then(() => {
         // 2. Refresh access token.
-        fakeLocalStorage.setObject.reset();
-        fakeHttp.post.returns(Promise.resolve({
-          status: 200,
-          data: {
-            access_token: 'secondToken',
-            expires_in: DEFAULT_TOKEN_EXPIRES_IN_SECS,
-            refresh_token: 'secondRefreshToken',
-          },
-        }));
-        expireAccessToken();
-        return auth.tokenGetter();
+        return expireAndRefreshAccessToken();
       }).then(() => {
         // 3. Check that updated token was persisted to storage.
         assert.calledWith(fakeLocalStorage.setObject, TOKEN_KEY, {
@@ -419,6 +423,17 @@ describe('sidebar.oauth-auth', function () {
       });
     });
 
+    it('does not persist refreshed tokens if the original token was temporary', () => {
+      fakeSettings.services = [{ authority: 'publisher.org', grantToken: 'a.jwt.token' }];
+
+      return auth.tokenGetter().then(() => {
+        return expireAndRefreshAccessToken();
+      }).then(() => {
+        // Check that updated token was not persisted to storage.
+        assert.notCalled(fakeLocalStorage.setObject);
+      });
+    });
+
     it('loads and uses tokens from storage', () => {
       fakeLocalStorage.getObject.withArgs(TOKEN_KEY).returns({
         accessToken: 'foo',