Closed levlukacs closed 2 years ago
Never mind, I understand now. But the documentation does not really explain it well enough that the token is valid for 5 seconds for concurrent requests only, though.
@lukelukes It'd be awesome if you could create a PR for the jhipster.github.io project to improve the documentation.
@mraible Not sure if this fits there, but I'd update the JavaDoc on the class instead.
Also, wouldn't there be a CookieTheftException thrown in the following case: Fire off 2 async requests -> first lasts 1 sec (token1), second lasts 500 ms (token2) -> client sets token2 cookie (the valid one), first request returns with token1 cookie (now invalid) -> make another request, this would send token1, which is now invalidated
Maybe I misunderstood the workings of this class, but here we go:
Overview of the issue
The persistent token gets refreshed but the old value gets set again in the cache. https://github.com/jhipster/generator-jhipster/blob/main/generators/server/templates/src/main/java/package/security/PersistentTokenRememberMeServices.java.ejs#L150 After refresh, the old cookieToken values (method parameter) get set, and the 5 second validity window ceases to function, since the token values will never match again.
Also, shouldn't the token received after login be an UpgradedRememberMeToken?
Motivation for or Use Case
It states in the documentation that a token series/value pair should be valid for 5 seconds
Reproduce the error
Log in -> Wait 5 seconds -> Make a request (cookie gets refreshed) -> Make another request in 5 second window (cookie gets refreshed, it shouldn't)
Related issues
Suggest a Fix
JHipster Version(s)
JHipster configuration
Entity configuration(s)
entityName.json
files generated in the.jhipster
directoryBrowsers and Operating System