PersistentTokenRememberMeServices ignores 5 second validity window

[levlukacs]

Maybe I misunderstood the workings of this class, but here we go:

Overview of the issue

The persistent token gets refreshed but the old value gets set again in the cache. https://github.com/jhipster/generator-jhipster/blob/main/generators/server/templates/src/main/java/package/security/PersistentTokenRememberMeServices.java.ejs#L150 After refresh, the old cookieToken values (method parameter) get set, and the 5 second validity window ceases to function, since the token values will never match again.

Also, shouldn't the token received after login be an UpgradedRememberMeToken?

Motivation for or Use Case

It states in the documentation that a token series/value pair should be valid for 5 seconds

Reproduce the error

Log in -> Wait 5 seconds -> Make a request (cookie gets refreshed) -> Make another request in 5 second window (cookie gets refreshed, it shouldn't)

Related issues

Suggest a Fix

JHipster Version(s)

JHipster configuration

Entity configuration(s) entityName.json files generated in the .jhipster directory

Browsers and Operating System

• [x] Checking this box is mandatory (this is just to show you read everything)

[levlukacs]

Never mind, I understand now. But the documentation does not really explain it well enough that the token is valid for 5 seconds for concurrent requests only, though.

[mraible]

@lukelukes It'd be awesome if you could create a PR for the jhipster.github.io project to improve the documentation.

[levlukacs]

@mraible Not sure if this fits there, but I'd update the JavaDoc on the class instead.

Also, wouldn't there be a CookieTheftException thrown in the following case: Fire off 2 async requests -> first lasts 1 sec (token1), second lasts 500 ms (token2) -> client sets token2 cookie (the valid one), first request returns with token1 cookie (now invalid) -> make another request, this would send token1, which is now invalidated