Please bear in mind that I'll eventually move the blacklist to a cache DB; it's not going to be an attribute in the class, this is just temporary.
This is my full component for the PreProcessorFilter:
    import static java.util.Objects.nonNull;

    import java.io.IOException;
    import java.util.Collections;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;
    import java.util.concurrent.CopyOnWriteArrayList;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
    import org.springframework.stereotype.Component;

    @Component
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public class RefreshTokenCookiePreProcessorFilter implements Filter {

        // Temporary in-memory blacklist; thread-safe because one filter instance serves all requests.
        private static final List<String> blackList = new CopyOnWriteArrayList<>();

        @Autowired
        private JwtTokenStore tokenStore;

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                             FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) servletRequest;
            String authorization = req.getHeader("Authorization");

            // On logout, record the bearer access token so it is refused from now on.
            if ("/tokens/revoke".equalsIgnoreCase(req.getRequestURI())
                    && nonNull(authorization) && authorization.startsWith("Bearer ")) {
                String eliminatedToken = authorization.substring("Bearer ".length());
                blackList.add(eliminatedToken);
            }

            // getCookies() returns null when the request carries no cookies.
            Cookie[] cookies = req.getCookies();
            if (nonNull(cookies)) {
                for (Cookie cookie : cookies) {
                    boolean containsTokenEliminado = getBlackList().contains(cookie.getValue());
                    if (containsTokenEliminado) {
                        throw new IllegalStateException("INVALID TOKEN.");
                    }
                }
            }

            // Copy the refresh token from the cookie into the refresh_token request parameter.
            if ("/oauth/token".equalsIgnoreCase(req.getRequestURI())
                    && "refresh_token".equals(req.getParameter("grant_type"))
                    && nonNull(cookies)) {
                for (Cookie cookie : cookies) {
                    if (cookie.getName().equals("refreshToken")) {
                        req = new MyServletRequestWrapper(req, cookie.getValue());
                    }
                }
            }
            filterChain.doFilter(req, servletResponse);
        }

        static class MyServletRequestWrapper extends HttpServletRequestWrapper {
            private final String refreshToken;

            MyServletRequestWrapper(HttpServletRequest request, String refreshToken) {
                super(request);
                this.refreshToken = refreshToken;
            }

            // A plain unmodifiable map replaces Tomcat's ParameterMap so the wrapper
            // does not depend on the container.
            @Override
            public Map<String, String[]> getParameterMap() {
                Map<String, String[]> map = new HashMap<>(getRequest().getParameterMap());
                map.put("refresh_token", new String[]{refreshToken});
                return Collections.unmodifiableMap(map);
            }

            // Keep the single-parameter accessors consistent with the overridden map.
            @Override
            public String[] getParameterValues(String name) {
                return getParameterMap().get(name);
            }

            @Override
            public String getParameter(String name) {
                String[] values = getParameterValues(name);
                return (values == null || values.length == 0) ? null : values[0];
            }
        }

        public static List<String> getBlackList() {
            return blackList;
        }
    }
It correctly adds the Authorization token to the blacklist, but then I face two problems:
The logout doesn't send the refreshToken, and for some reason the refreshToken is different from the Authorization token (or maybe it's changing AFTER I put it in the blacklist? Not sure, I don't think that's the case, but I could be wrong). And obviously, after I log out, if I try to go in using the same tokens from the client side, it'll only send the refresh token (since the Authorization one was killed properly).
To sum it up:
- When logging out, I don't have the refreshToken.
- When trying to log in with the old token, I don't have the Authorization one.
Because of that, the blacklist isn't doing its proper job, since the 2 tokens are different when it tries to log in again...
Any help is appreciated, many thanks.
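Not part of the original post: an added Python illustration of why a blacklist keyed on the raw token value never matches the refresh token, and how keying revocation on the JWT ids links the two. It assumes the tokens are JWTs issued by spring-security-oauth2's JwtAccessTokenConverter, which gives the refresh token its own `jti` claim and records the parent access token's id in an `ati` claim; the sample tokens and claim values below are constructed, and the signature segment is a placeholder, so the decoder here does no verification.

```python
import base64
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _make_jwt(claims: dict) -> str:
    # Constructed token for illustration only: the signature segment is a placeholder.
    # A real filter must verify the signature (e.g. via the token store) before trusting claims.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def claims_of(token: str) -> dict:
    # Decode the payload segment (no signature check here, see _make_jwt).
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed pair shaped like JwtAccessTokenConverter output: the refresh token is a
# different JWT with its own jti, and names the access token it belongs to in "ati".
ACCESS_TOKEN = _make_jwt({"user_name": "alice", "jti": "acc-1111"})
REFRESH_TOKEN = _make_jwt({"user_name": "alice", "jti": "ref-2222", "ati": "acc-1111"})


def raw_value_blacklist_blocks(revoked_values: set, presented: str) -> bool:
    # The approach in the post: exact string match on the stored token value.
    return presented in revoked_values


def revoke_by_id(revoked_ids: set, token: str) -> None:
    # On logout, remember the token's id; for a refresh token also revoke its parent access token.
    c = claims_of(token)
    revoked_ids.add(c["jti"])
    if "ati" in c:
        revoked_ids.add(c["ati"])


def id_denylist_blocks(revoked_ids: set, presented: str) -> bool:
    # A token is rejected if its own jti, or the access token id it was issued with, is revoked.
    c = claims_of(presented)
    return c.get("jti") in revoked_ids or c.get("ati") in revoked_ids
```

Run against the constructed pair, the value-keyed blacklist blocks only the access token, while the id-keyed denylist blocks both after the access token alone is revoked.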