使用暂时失效的 accessToken 刷新得到的新 accessToken 仍然无效

相关 Issue：#17

运行环境

PHP 7.2.16

Blessing Skin Server 开发版 93183de

Yggdrasil API 插件 3.4.0

问题描述

当一个 accessToken 失效后，通过 POST /authserver/refresh 得到的新 accessToken 仍然是无效的。

先通过 POST /authserver/authenticate 请求验证后，得到一个有效的 accessToken 65fdbac29c5a44e49bb1c6224ea2af86。

请求体：
{
    "username":"littleqiu@littleservice.cn",
    "password":"here_is_my_password",
    "requestUser":true,
    "agent":{
        "name":"Minecraft",
        "version":1
    }
}

返回的内容：
{
    "accessToken": "65fdbac29c5a44e49bb1c6224ea2af86",
    "clientToken": "333f0496243e461d9010e2095e64bc9c",
    "availableProfiles": [
        {
            "id": "f702c5d39d5c457f80c691c664757092",
            "name": "Little_Qiu"
        }
    ],
    "user": {
        "id": "64f4796eeac0587f899dda4795600b3a",
        "properties": []
    },
    "selectedProfile": {
        "id": "f702c5d39d5c457f80c691c664757092",
        "name": "Little_Qiu"
    }
}

Yggdrasil API 插件的日志：
[2019-08-23 13:33:59] production.INFO: POST ["api/yggdrasil/authserver/authenticate"] 
[2019-08-23 13:33:59] production.INFO: User [littleqiu@littleservice.cn] is try to authenticate with [{"requestUser":true,"agent":{"name":"Minecraft","version":1}}] 
[2019-08-23 13:33:59] production.INFO: Serialized token stored to cache with expiry time 1296000 minutes {"keys":["TOKEN_65fdbac29c5a44e49bb1c6224ea2af86","ID_littleqiu@littleservice.cn"],"token":"[object] (Yggdrasil\\Models\\Token: {\"owner\":\"littleqiu@littleservice.cn\",\"profileId\":\"f702c5d39d5c457f80c691c664757092\",\"createdAt\":1566538439,\"clientToken\":\"333f0496243e461d9010e2095e64bc9c\",\"accessToken\":\"65fdbac29c5a44e49bb1c6224ea2af86\"})"} 
[2019-08-23 13:33:59] production.INFO: New access token [65fdbac29c5a44e49bb1c6224ea2af86] generated for user [littleqiu@littleservice.cn]  
[2019-08-23 13:33:59] production.INFO: User [littleqiu@littleservice.cn] authenticated successfully [{"availableProfiles":[{"id":"f702c5d39d5c457f80c691c664757092","name":"Little_Qiu"}]}]

这时使用 POST /authserver/validate 查询 65fdbac29c5a44e49bb1c6224ea2af86 是否有效，返回 204 No Content（accessToken 有效）。

请求体：
{
    "accessToken": "65fdbac29c5a44e49bb1c6224ea2af86"
}

Yggdrasil API 插件的日志：
[2019-08-23 13:34:11] production.INFO: POST ["api/yggdrasil/authserver/validate"] 
[2019-08-23 13:34:11] production.INFO: Check if an access token is valid {"clientToken":null,"accessToken":"65fdbac29c5a44e49bb1c6224ea2af86"}

当 65fdbac29c5a44e49bb1c6224ea2af86 暂时失效后，再次 POST /authserver/validate 查询，服务端返回 403 Forbidden，错误 ForbiddenOperationException

请求体：
{
    "accessToken": "65fdbac29c5a44e49bb1c6224ea2af86"
}

返回的内容：
{
    "error": "ForbiddenOperationException",
    "errorMessage": "提供的 AccessToken 无效"
}

Yggdrasil API 插件的日志：
[2019-08-23 13:35:00] production.INFO: POST ["api/yggdrasil/authserver/validate"] 
[2019-08-23 13:35:00] production.INFO: Check if an access token is valid {"clientToken":null,"accessToken":"65fdbac29c5a44e49bb1c6224ea2af86"} 
[2019-08-23 13:35:00] production.INFO: HTTP/1.1 403 ForbiddenOperationException {"message":"提供的 AccessToken 无效","cause":""}

此时使用 65fdbac29c5a44e49bb1c6224ea2af86 来 POST /authserver/refresh 请求刷新 accessToken，得到一个新 accessToken c7bdbc17f7464bbe85ff3da722f4e650

请求体：
{
    "accessToken": "65fdbac29c5a44e49bb1c6224ea2af86"
}

返回的内容：
{
    "accessToken": "c7bdbc17f7464bbe85ff3da722f4e650",
    "clientToken": "333f0496243e461d9010e2095e64bc9c",
    "availableProfiles": [
        {
            "id": "f702c5d39d5c457f80c691c664757092",
            "name": "Little_Qiu"
        }
    ],
    "selectedProfile": {
        "id": "f702c5d39d5c457f80c691c664757092",
        "name": "Little_Qiu"
    }
}

Yggdrasil API 插件的日志：
[2019-08-23 13:35:19] production.INFO: POST ["api/yggdrasil/authserver/refresh"] 
[2019-08-23 13:35:19] production.INFO: Try to refresh access token [65fdbac29c5a44e49bb1c6224ea2af86] with client token []  
[2019-08-23 13:35:19] production.INFO: The given access token is owned by user [littleqiu@littleservice.cn]  
[2019-08-23 13:35:19] production.INFO: The old access token [65fdbac29c5a44e49bb1c6224ea2af86] is now revoked  
[2019-08-23 13:35:19] production.INFO: New token [c7bdbc17f7464bbe85ff3da722f4e650] generated for user [littleqiu@littleservice.cn]  
[2019-08-23 13:35:19] production.INFO: Serialized token stored to cache with expiry time 1296000 minutes {"keys":["TOKEN_c7bdbc17f7464bbe85ff3da722f4e650","ID_littleqiu@littleservice.cn"],"token":"[object] (Yggdrasil\\Models\\Token: {\"owner\":\"littleqiu@littleservice.cn\",\"profileId\":\"f702c5d39d5c457f80c691c664757092\",\"createdAt\":1566538439,\"clientToken\":\"333f0496243e461d9010e2095e64bc9c\",\"accessToken\":\"c7bdbc17f7464bbe85ff3da722f4e650\"})"} 
[2019-08-23 13:35:19] production.INFO: Access token refreshed [65fdbac29c5a44e49bb1c6224ea2af86] => [c7bdbc17f7464bbe85ff3da722f4e650]

此时 POST /authserver/validate 查询 c7bdbc17f7464bbe85ff3da722f4e650 是否有效，仍然返回 403 Forbidden，错误 ForbiddenOperationExpection

请求体：
{
    "accessToken": "c7bdbc17f7464bbe85ff3da722f4e650"
}

返回的内容：
{
    "error": "ForbiddenOperationException",
    "errorMessage": "提供的 AccessToken 无效"
}

Yggdrasil API 插件的日志：
[2019-08-23 13:35:34] production.INFO: POST ["api/yggdrasil/authserver/validate"] 
[2019-08-23 13:35:34] production.INFO: Check if an access token is valid {"clientToken":null,"accessToken":"c7bdbc17f7464bbe85ff3da722f4e650"} 
[2019-08-23 13:35:34] production.INFO: HTTP/1.1 403 ForbiddenOperationException {"message":"提供的 AccessToken 无效","cause":""}

bs-community / yggdrasil-api

使用暂时失效的 accessToken 刷新得到的新 accessToken 仍然无效 #18

运行环境

问题描述