Change token auth provider usage of created to invaliated_tokens (#27614)

2025-04-23 01:13:23 -04:00 · 2019-01-10 10:23:59 -08:00 · 2019-01-10 10:23:59 -08:00 · ff5b0e8dfb
commit ff5b0e8dfb
parent 8361b82f4f
2 changed files with 17 additions and 9 deletions
--- a/x-pack/plugins/security/server/lib/authentication/providers/tests/token.js
+++ b/x-pack/plugins/security/server/lib/authentication/providers/tests/token.js
@ -424,7 +424,7 @@ describe('TokenAuthenticationProvider', () => {

        callWithInternalUser
          .withArgs('shield.deleteAccessToken', { body: { token: accessToken } })
-          .returns({ created: true });
+          .returns({ invalidated_tokens: 1 });

        const failureReason = new Error('failed to delete token');
        callWithInternalUser
@ -451,11 +451,11 @@ describe('TokenAuthenticationProvider', () => {

        callWithInternalUser
          .withArgs('shield.deleteAccessToken', { body: { token: accessToken } })
-          .returns({ created: true });
+          .returns({ invalidated_tokens: 1 });

        callWithInternalUser
          .withArgs('shield.deleteAccessToken', { body: { refresh_token: refreshToken } })
-          .returns({ created: true });
+          .returns({ invalidated_tokens: 1 });

        const authenticationResult = await provider.deauthenticate(request, { accessToken, refreshToken });

--- a/x-pack/plugins/security/server/lib/authentication/providers/token.js
+++ b/x-pack/plugins/security/server/lib/authentication/providers/token.js
@ -119,27 +119,35 @@ export class TokenAuthenticationProvider {

    try {
      // First invalidate the access token.
-      const { created: deletedAccessToken } = await this._options.client.callWithInternalUser(
+      const { invalidated_tokens: invalidatedAccessTokensCount } = await this._options.client.callWithInternalUser(
        'shield.deleteAccessToken',
        { body: { token: state.accessToken } }
      );

-      if (deletedAccessToken) {
+      if (invalidatedAccessTokensCount === 0) {
+        this._options.log(['debug', 'security', 'token'], 'User access token was already invalidated.');
+      } else if (invalidatedAccessTokensCount === 1) {
        this._options.log(['debug', 'security', 'token'], 'User access token has been successfully invalidated.');
      } else {
-        this._options.log(['debug', 'security', 'token'], 'User access token was already invalidated.');
+        this._options.log(['debug', 'security', 'token'],
+          `${invalidatedAccessTokensCount} user access tokens were invalidated, this is unexpected.`
+        );
      }

      // Then invalidate the refresh token.
-      const { created: deletedRefreshToken } = await this._options.client.callWithInternalUser(
+      const { invalidated_tokens: invalidatedRefreshTokensCount } = await this._options.client.callWithInternalUser(
        'shield.deleteAccessToken',
        { body: { refresh_token: state.refreshToken } }
      );

-      if (deletedRefreshToken) {
+      if (invalidatedRefreshTokensCount === 0) {
+        this._options.log(['debug', 'security', 'token'], 'User refresh token was already invalidated.');
+      } else if (invalidatedRefreshTokensCount === 1) {
        this._options.log(['debug', 'security', 'token'], 'User refresh token has been successfully invalidated.');
      } else {
-        this._options.log(['debug', 'security', 'token'], 'User refresh token was already invalidated.');
+        this._options.log(['debug', 'security', 'token'],
+          `${invalidatedRefreshTokensCount} user refresh tokens were invalidated, this is unexpected.`
+        );
      }

      return DeauthenticationResult.redirectTo(