Keep refresh expiration

scm-webapp/src/main/java/sonia/scm/security/JwtAccessToken.java

@@ -47,7 +47,7 @@ import static java.util.Optional.ofNullable;
  */
 public final class JwtAccessToken implements AccessToken {
 
-  public static final String REFRESHABLE_UNTIL_CLAIM_KEY = "scm-manager.refreshableUntil";
+  public static final String REFRESHABLE_UNTIL_CLAIM_KEY = "scm-manager.refreshExpiration";
   public static final String PARENT_TOKEN_ID_CLAIM_KEY = "scm-manager.parentTokenId";
   private final Claims claims;
   private final String compact;

scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilder.java

@@ -71,6 +71,7 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
   private TimeUnit expiresInUnit = TimeUnit.HOURS;
   private long refreshableFor = 12;
   private TimeUnit refreshableForUnit = TimeUnit.HOURS;
+  private Instant refreshExpiration;
   private String parentKeyId;
   private Scope scope = Scope.empty();
 
@@ -133,6 +134,12 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
     return this;
   }
 
+  JwtAccessTokenBuilder refreshExpiration(Instant refreshExpiration) {
+    this.refreshExpiration = refreshExpiration;
+    this.refreshableFor = 0;
+    return this;
+  }
+
   public JwtAccessTokenBuilder parentKey(String parentKeyId) {
     this.parentKeyId = parentKeyId;
     return this;
@@ -175,6 +182,8 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
     if (refreshableFor > 0) {
       long refreshExpiration = refreshableForUnit.toMillis(refreshableFor);
       claims.put(JwtAccessToken.REFRESHABLE_UNTIL_CLAIM_KEY, new Date(now.toEpochMilli() + refreshExpiration).getTime());
+    } else if (refreshExpiration != null) {
+      claims.put(JwtAccessToken.REFRESHABLE_UNTIL_CLAIM_KEY, Date.from(refreshExpiration));
     }
     if (parentKeyId == null) {
       claims.put(JwtAccessToken.PARENT_TOKEN_ID_CLAIM_KEY, id);

scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenRefresher.java

@@ -29,7 +29,7 @@ public class JwtAccessTokenRefresher {
     this.clock = clock;
   }
 
-  public Optional<JwtAccessToken> refresh(JwtAccessToken oldToken) {
+  Optional<JwtAccessToken> refresh(JwtAccessToken oldToken) {
     JwtAccessTokenBuilder builder = builderFactory.create();
     Map<String, Object> claims = oldToken.getClaims();
     claims.forEach(builder::custom);
@@ -42,6 +42,7 @@ public class JwtAccessTokenRefresher {
       }
       builder.expiresIn(computeOldExpirationInMillis(oldToken), TimeUnit.MILLISECONDS);
       builder.parentKey(parentTokenId.get().toString());
+      builder.refreshExpiration(oldToken.getRefreshExpiration().get().toInstant());
       return Optional.of(builder.build());
     } else {
       return Optional.empty();

scm-webapp/src/test/java/sonia/scm/security/JwtAccessTokenRefresherTest.java

@@ -142,4 +142,16 @@ public class JwtAccessTokenRefresherTest {
     JwtAccessToken refreshedToken = refreshedTokenResult.get();
     assertThat(refreshedToken.getExpiration()).isEqualTo(Date.from(NOW.plus(ofMinutes(5))));
   }
+
+  @Test
+  public void shouldRefreshTokenWithSameRefreshExpiration() {
+    JwtAccessToken oldToken = tokenBuilder.build();
+    when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);
+
+    Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);
+
+    assertThat(refreshedTokenResult).isNotEmpty();
+    JwtAccessToken refreshedToken = refreshedTokenResult.get();
+    assertThat(refreshedToken.getRefreshExpiration()).get().isEqualTo(Date.from(TOKEN_CREATION.plus(ofMinutes(10))));
+  }
 }