bearer token file should not contain the refresh token also

[techcobweb]

Story

As a galasa user I don't want anyone to know my GALASA refresh token, so I do not want it stored with the JWT in the bearer-token.json file in my GALASA_HOME folder.

Background

The file currently contains

• The JWT (fair enough, as that is the bearer token).
• The refresh token (same as part of the GALASA_TOKEN). We shouldn't need this to be stored in the file also, as it is available from the environment.

If someone got hold of a bearer token using just this file, they would be able to refresh it when it expired ? I guess they don't have the client ID or secret, but it would help them hack it if they were so inclined, and offers another attack vector which is avoidable?

We also need to be able to cope with existing bearer token files which contain the refresh token.

There are no external docs impacts.

Tasks

• [x] Save bearer token code to not store the refresh token with it. (writes new style)
• [x] Plus unit tests to prove that only the jwt is stored.
• ~Load bearer token code to not mess up when the refresh token is present. (reads old style)~
• ~Load bearer token code to not mess up when the refresh token is missing. (reads new style)~

[techcobweb]

@eamansour Does the above make sense ?

[techcobweb]

Eamonn Mansour:

Hi, yep the above story makes sense, just had a quick look and the refresh token in the bearer token file isn’t actually being used so removing it from the file won’t affect anything

Michael Cobbett: OK thanks.