Use expires_in for access_token validation

2cb1d617 · Shinya Maeda · 5663b480 · 2cb1d617 · 2cb1d617 · 2cb1d617
4 changed file
--- a/app/controllers/google_api/authorizations_controller.rb
+++ b/app/controllers/google_api/authorizations_controller.rb
 module GoogleApi
  class AuthorizationsController < ApplicationController
    def callback
-      session[GoogleApi::CloudPlatform::Client.session_key_for_token] =
-        GoogleApi::CloudPlatform::Client.new(nil, callback_google_api_authorizations_url)
-                                        .get_token(params[:code])
+      token, expires_at = GoogleApi::CloudPlatform::Client
+        .new(nil, callback_google_api_authorizations_url)
+        .get_token(params[:code])
+
+      session[GoogleApi::CloudPlatform::Client.session_key_for_token] = token
+      session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at] =
+        expires_at.to_s

      if params[:state]
        redirect_to params[:state]

--- a/app/controllers/projects/clusters_controller.rb
+++ b/app/controllers/projects/clusters_controller.rb
@@ -6,12 +6,11 @@ class Projects::ClustersController < Projects::ApplicationController
  def login
    begin
      @authorize_url = GoogleApi::CloudPlatform::Client.new(
-          nil,
-          callback_google_api_authorizations_url,
+          nil, callback_google_api_authorizations_url,
          state: namespace_project_clusters_url.to_s
        ).authorize_url
    rescue GoogleApi::Auth::ConfigMissingError
-      # Show an alert message that gitlab.yml is not configured properly
+      # no-op
    end
  end

@@ -83,12 +82,19 @@ class Projects::ClustersController < Projects::ApplicationController
  end

  def authorize_google_api
-    unless token_in_session
+    unless GoogleApi::CloudPlatform::Client.new(token_in_session, nil)
+                                           .validate_token(expires_at_in_session)
      redirect_to action: 'login'
    end
  end

  def token_in_session
-    @token_in_session ||= session[GoogleApi::CloudPlatform::Client.session_key_for_token]
+    @token_in_session ||=
+      session[GoogleApi::CloudPlatform::Client.session_key_for_token]
+  end
+
+  def expires_at_in_session
+    @expires_at_in_session ||=
+      session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at]
  end
 end
--- a/lib/google_api/auth.rb
+++ b/lib/google_api/auth.rb
@@ -19,7 +19,8 @@ module GoogleApi
    end

    def get_token(code)
-      client.auth_code.get_token(code, redirect_uri: redirect_uri).token
+      ret = client.auth_code.get_token(code, redirect_uri: redirect_uri)
+      return ret.token, ret.expires_at
    end

    protected

--- a/lib/google_api/cloud_platform/client.rb
+++ b/lib/google_api/cloud_platform/client.rb
@@ -9,12 +9,28 @@ module GoogleApi
        def session_key_for_token
          :cloud_platform_access_token
        end
+
+        def session_key_for_expires_at
+          :cloud_platform_expires_at
+        end
      end

      def scope
        'https://www.googleapis.com/auth/cloud-platform'
      end

+      def validate_token(expires_at)
+        return false unless access_token
+        return false unless expires_at
+
+        # Making sure that the token will have been still alive during the cluster creation.
+        unless DateTime.strptime(expires_at, '%s').to_time > Time.now + 10.minutes
+          return false
+        end
+
+        true
+      end
+
      def projects_zones_clusters_get(project_id, zone, cluster_id)
        service = Google::Apis::ContainerV1::ContainerService.new
        service.authorization = access_token