bump up coverage, change slightly always allow implementation

Author: hf

internal/api/token_test.go

@@ -19,6 +19,7 @@ import (
 	"github.com/stretchr/testify/suite"
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/conf"
+	"github.com/supabase/auth/internal/crypto"
 	"github.com/supabase/auth/internal/models"
 )
 
@@ -890,3 +891,26 @@ $$;`
 		})
 	}
 }
+
+func TestRefreshTokenGrantParamsValidate(t *testing.T) {
+	examples := []string{
+		"",
+		"01234567890",
+		"AAAAAAAAAAAA",
+		"------------",
+		"0000000000000",
+	}
+
+	p := &RefreshTokenGrantParams{}
+
+	for _, example := range examples {
+		p.RefreshToken = example
+		require.Error(t, p.Validate())
+	}
+
+	p.RefreshToken = "0123456abcde"
+	require.NoError(t, p.Validate())
+
+	p.RefreshToken = (&crypto.RefreshToken{}).Encode(make([]byte, 32))
+	require.NoError(t, p.Validate())
+}

internal/models/sessions.go

@@ -123,10 +123,6 @@ func (s *Session) GetRefreshTokenHmacKey(dbEncryption conf.DatabaseEncryptionCon
 		return hmacKey, dbEncryption.Encrypt && es.ShouldReEncrypt(dbEncryption.EncryptionKeyID), nil
 	}
 
-	if s.RefreshTokenHmacKey == nil {
-		return nil, false, nil
-	}
-
 	hmacKey, err := base64.RawURLEncoding.DecodeString(*s.RefreshTokenHmacKey)
 	if err != nil {
 		return nil, false, err

internal/models/sessions_test.go

@@ -1,10 +1,12 @@
 package models
 
 import (
+	"encoding/base64"
 	"strings"
 	"testing"
 	"time"
 
+	"github.com/gofrs/uuid"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 	"github.com/supabase/auth/internal/conf"
@@ -160,3 +162,21 @@ func TestCheckValidity(t *testing.T) {
 		})
 	}
 }
+
+func TestSessionGetRefreshTokenHmacKey(t *testing.T) {
+	s, err := NewSession(uuid.Must(uuid.NewV4()), nil)
+	require.NoError(t, err)
+
+	hmacKey, shouldReEncrypt, err := s.GetRefreshTokenHmacKey(conf.DatabaseEncryptionConfiguration{})
+	require.NoError(t, err)
+	require.Nil(t, hmacKey)
+	require.False(t, shouldReEncrypt)
+
+	key := base64.RawURLEncoding.EncodeToString(make([]byte, 32))
+	s.RefreshTokenHmacKey = &key
+
+	hmacKey, shouldReEncrypt, err = s.GetRefreshTokenHmacKey(conf.DatabaseEncryptionConfiguration{})
+	require.NoError(t, err)
+	require.Equal(t, make([]byte, 32), hmacKey)
+	require.False(t, shouldReEncrypt)
+}

internal/tokens/service.go

@@ -356,7 +356,7 @@ func (s *Service) RefreshTokenGrant(ctx context.Context, db *storage.Connection,
 				if counterDifference < 0 {
 					// refresh token was not issued by this server
 					return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Invalid Refresh Token: Not Issued By This Server").WithInternalMessage("Refresh token for session %s has a counter that's ahead %d of the database state", session.ID.String(), -counterDifference)
-				} else if counterDifference == 0 || config.Security.RefreshTokenAllowReuse {
+				} else if counterDifference == 0 {
 					// normal refresh token use
 					counter := *session.RefreshTokenCounter + 1
 					session.RefreshTokenCounter = &counter