diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java
index 8f40e24..6638e7d 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/EsiaAuthInfoStore.java
@@ -12,6 +12,7 @@ import org.springframework.context.support.MessageSourceAccessor;
 import ru.micord.ervu.security.esia.exception.EsiaException;
 import ru.micord.ervu.security.esia.model.ExpiringState;
 import ru.micord.ervu.security.esia.model.ExpiringToken;
+import ru.micord.ervu.security.exception.UnauthorizedException;
 import ru.cg.webbpm.modules.core.runtime.api.LocalizedException;
 import ru.cg.webbpm.modules.core.runtime.api.MessageBundleUtils;
 
@@ -35,7 +36,14 @@ public class EsiaAuthInfoStore {
 }
 
 public static String getAccessToken(String prnOid) {
- return ACCESS_TOKENS_MAP.get(prnOid).getAccessToken();
+ ExpiringToken token = ACCESS_TOKENS_MAP.get(prnOid);
+ if (token == null || token.getAccessToken() == null) {
+ throw new UnauthorizedException("Failed to get access token. No access token found for prnOid: " + prnOid);
+ }
+ else if (token.isExpired()) {
+ throw new UnauthorizedException("Failed to get access token. Access token is expired for prnOid: " + prnOid);
+ }
+ return token.getAccessToken();
 }
 
 public static boolean validateAccessToken(String prnOid) {
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
index fd45a01..65fc895 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
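Review bot: The `token.isExpired()` branch in getAccessToken throws but leaves the expired ExpiringToken in ACCESS_TOKENS_MAP, so the stale entry survives until some caller explicitly removes it and every later lookup for that prnOid re-throws the same message. If nothing else in the store relies on keeping an expired entry around (validateAccessToken, right below the hunk, is not visible here), evicting it before throwing keeps the in-memory store from accumulating dead tokens: `ACCESS_TOKENS_MAP.remove(prnOid);` ahead of the second `throw`. After a `throw` the `else if` on the following branch is redundant; `if (token.isExpired())` reads more plainly. Both exception messages embed the prnOid, which is fine for a server log, but worth confirming the text is not echoed verbatim to the client by whatever handles UnauthorizedException.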
@@ -52,6 +52,7 @@ import org.springframework.http.HttpHeaders;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
+import ru.micord.ervu.security.exception.UnauthorizedException;
 import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication;
 import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper;
 import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService;
@@ -398,12 +399,20 @@ public class EsiaAuthService {
 PersonModel personModel = null;
 String status = null;
 try {
- String userId = jwtTokenService.getUserAccountId(request);
- String accessToken = EsiaAuthInfoStore.getAccessToken(userId);
- personModel = personalDataService.getPersonModel(accessToken);
+ try {
+ String userId = jwtTokenService.getUserAccountId(request);
+ String accessToken = jwtTokenService.getAccessTokenByUserId(userId);
+ personModel = personalDataService.getPersonModel(accessToken);
+ EsiaAuthInfoStore.removeAccessToken(userId);
+ EsiaAuthInfoStore.removeRefreshToken(userId);
+ }
+ catch (UnauthorizedException e) {
+ //logout should always happen
+ }
+ catch (Exception e) {
+ LOGGER.error(e.getMessage());
+ }
 securityHelper.clearAccessCookies(response);
- EsiaAuthInfoStore.removeAccessToken(userId);
- EsiaAuthInfoStore.removeRefreshToken(userId);
 String logoutUrl = esiaConfig.getEsiaBaseUri() + esiaConfig.getEsiaLogoutUrl();
 String redirectUrl = esiaConfig.getLogoutRedirectUrl();
 URL url = new URL(logoutUrl);
diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
index f748ac9..1945c34 100644
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
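Review bot: The two EsiaAuthInfoStore.remove* calls now sit after personalDataService.getPersonModel inside the inner try, so any exception from the person lookup skips them: the client cookies are cleared and the redirect proceeds, but the user's ESIA access and refresh tokens stay in the server-side store after what looks like a completed logout. Resolving userId before the inner try and moving the removals into a `finally` revokes the stored tokens on every logout path; if getUserAccountId can itself throw UnauthorizedException, keep that call under its own guard so the outer handling (the outer `try` opens in this hunk, its catch and the rest of the method are outside it) is unchanged. The `catch (Exception e)` logs only `e.getMessage()` and drops the stack trace; pass the exception as the last argument, `LOGGER.error("Failed to load person model during logout", e);`. The deliberately ignored UnauthorizedException should name its variable `ignored` so the empty catch reads as intentional rather than forgotten.
```java
      String userId = jwtTokenService.getUserAccountId(request);
      try {
        String accessToken = jwtTokenService.getAccessTokenByUserId(userId);
        personModel = personalDataService.getPersonModel(accessToken);
      }
      catch (UnauthorizedException ignored) {
        // logout should always happen, even without a usable ESIA access token
      }
      catch (Exception e) {
        LOGGER.error("Failed to load person model during logout", e);
      }
      finally {
        // revoke the server-side ESIA tokens regardless of how the lookup went
        EsiaAuthInfoStore.removeAccessToken(userId);
        EsiaAuthInfoStore.removeRefreshToken(userId);
      }
      securityHelper.clearAccessCookies(response);
      // … unchanged: logout / redirect URL handling …
```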
@@ -88,6 +88,10 @@ public class JwtTokenService {
 return EsiaAuthInfoStore.getRefreshToken(getUserAccountId(request));
 }
 
+ public String getAccessTokenByUserId(String userId) {
+ return EsiaAuthInfoStore.getAccessToken(userId);
+ }
+
 public String getUserAccountId(HttpServletRequest request) {
 String authToken = extractAuthToken(request);