smolnar82 commented on code in PR #839: URL: https://github.com/apache/knox/pull/839#discussion_r1475663053
########## gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java: ########## @@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest request, final HttpServ return false; } - private boolean isTokenEnabled(String tokenId) throws UnknownTokenException { - final TokenMetadata tokenMetadata = tokenStateService == null ? null : tokenStateService.getTokenMetadata(tokenId); + private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws UnknownTokenException { return tokenMetadata == null ? true : tokenMetadata.isEnabled(); } + private boolean isNotIdle(TokenMetadata tokenMetadata) throws UnknownTokenException { + if (idleTimeoutSeconds > 0) { + final Instant lastUsedAt = tokenMetadata == null ? null : tokenMetadata.getLastUsedAt(); + final Instant idleTimeoutLimit = lastUsedAt == null ? null : lastUsedAt.plusSeconds(idleTimeoutSeconds); + return idleTimeoutLimit == null ? true : (tokenMetadata.isKnoxSsoCookie() && idleTimeoutLimit.isAfter(Instant.now())); + } + return true; // no idle timeout is configured -> ignore idleness check + } + + private void markLastUsedAt(String tokenId, TokenMetadata tokenMetadata) throws UnknownTokenException { + if (tokenMetadata != null && tokenMetadata.isKnoxSsoCookie()) { + // to avoid updating every single metadata value, we create a new token metadata + // instance only with the updated "LAST_USED_AT" information + final TokenMetadata updatedTokenMetadata = new TokenMetadata(); + updatedTokenMetadata.useTokenNow(); + tokenStateService.addMetadata(tokenId, updatedTokenMetadata); Review Comment: Yes, that was the design decision back in time when I added the `knox_token_metadata` table (see #447 ): ``` CREATE TABLE IF NOT EXISTS KNOX_TOKEN_METADATA ( -- IF NOT EXISTS syntax is not supported by Derby token_id varchar(128) NOT NULL, md_name varchar(32) NOT NULL, md_value varchar(256) NOT NULL, PRIMARY KEY (token_id, md_name), CONSTRAINT fk_token_id FOREIGN KEY(token_id) REFERENCES KNOX_TOKENS(token_id) ON DELETE CASCADE ) ``` This is why we do not need to worry about schema changes between versions. Currently, the following metadata is known: `userName`, `comment`, `enabled`, `passcode`, `createdBy`, `knoxSSOCookie`, and now `lastUsedAt`. But these are only what is known to Knox. Please note that end-users [may add arbitrary metadata](https://issues.apache.org/jira/browse/KNOX-2712) using the KNOXTOKEN API. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org