diff --git a/tests/rest/client/test_auth.py b/tests/rest/client/test_auth.py
index d8a94f4c12..72bbc87b4a 100644
--- a/tests/rest/client/test_auth.py
+++ b/tests/rest/client/test_auth.py
@@ -520,10 +520,23 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
"""
return self.make_request(
"POST",
- "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
+ "/_matrix/client/v1/refresh",
{"refresh_token": refresh_token},
)
+ def is_access_token_valid(self, access_token) -> bool:
+ """
+ Checks whether an access token is valid, returning whether it is or not.
+ """
+ code = self.make_request(
+ "GET", "/_matrix/client/v3/account/whoami", access_token=access_token
+ ).code
+
+ # Either 200 or 401 is what we get back; anything else is a bug.
+ assert code in {HTTPStatus.OK, HTTPStatus.UNAUTHORIZED}
+
+ return code == HTTPStatus.OK
+
def test_login_issue_refresh_token(self):
"""
A login response should include a refresh_token only if asked.
@@ -544,7 +557,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
login_with_refresh = self.make_request(
"POST",
"/_matrix/client/r0/login",
- {"org.matrix.msc2918.refresh_token": True, **body},
+ {"refresh_token": True, **body},
)
self.assertEqual(login_with_refresh.code, 200, login_with_refresh.result)
self.assertIn("refresh_token", login_with_refresh.json_body)
@@ -575,7 +588,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
"username": "test3",
"password": self.user_pass,
"auth": {"type": LoginType.DUMMY},
- "org.matrix.msc2918.refresh_token": True,
+ "refresh_token": True,
},
)
self.assertEqual(register_with_refresh.code, 200, register_with_refresh.result)
@@ -590,7 +603,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
"type": "m.login.password",
"user": "test",
"password": self.user_pass,
- "org.matrix.msc2918.refresh_token": True,
+ "refresh_token": True,
}
login_response = self.make_request(
"POST",
@@ -601,7 +614,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
refresh_response = self.make_request(
"POST",
- "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
+ "/_matrix/client/v1/refresh",
{"refresh_token": login_response.json_body["refresh_token"]},
)
self.assertEqual(refresh_response.code, 200, refresh_response.result)
@@ -628,7 +641,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
"type": "m.login.password",
"user": "test",
"password": self.user_pass,
- "org.matrix.msc2918.refresh_token": True,
+ "refresh_token": True,
}
login_response = self.make_request(
"POST",
@@ -642,7 +655,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
refresh_response = self.make_request(
"POST",
- "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
+ "/_matrix/client/v1/refresh",
{"refresh_token": login_response.json_body["refresh_token"]},
)
self.assertEqual(refresh_response.code, 200, refresh_response.result)
@@ -672,6 +685,69 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
)
@override_config(
+ {
+ "refreshable_access_token_lifetime": "1m",
+ "nonrefreshable_access_token_lifetime": "10m",
+ }
+ )
+ def test_different_expiry_for_refreshable_and_nonrefreshable_access_tokens(self):
+ """
+ Tests that the expiry times for refreshable and non-refreshable access
+ tokens can be different.
+ """
+ body = {
+ "type": "m.login.password",
+ "user": "test",
+ "password": self.user_pass,
+ }
+ login_response1 = self.make_request(
+ "POST",
+ "/_matrix/client/r0/login",
+ {"refresh_token": True, **body},
+ )
+ self.assertEqual(login_response1.code, 200, login_response1.result)
+ self.assertApproximates(
+ login_response1.json_body["expires_in_ms"], 60 * 1000, 100
+ )
+ refreshable_access_token = login_response1.json_body["access_token"]
+
+ login_response2 = self.make_request(
+ "POST",
+ "/_matrix/client/r0/login",
+ body,
+ )
+ self.assertEqual(login_response2.code, 200, login_response2.result)
+ nonrefreshable_access_token = login_response2.json_body["access_token"]
+
+ # Advance 59 seconds in the future (just shy of 1 minute, the time of expiry)
+ self.reactor.advance(59.0)
+
+ # Both tokens should still be valid.
+ self.assertTrue(self.is_access_token_valid(refreshable_access_token))
+ self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token))
+
+ # Advance to 61 s (just past 1 minute, the time of expiry)
+ self.reactor.advance(2.0)
+
+ # Only the non-refreshable token is still valid.
+ self.assertFalse(self.is_access_token_valid(refreshable_access_token))
+ self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token))
+
+ # Advance to 599 s (just shy of 10 minutes, the time of expiry)
+ self.reactor.advance(599.0 - 61.0)
+
+ # It's still the case that only the non-refreshable token is still valid.
+ self.assertFalse(self.is_access_token_valid(refreshable_access_token))
+ self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token))
+
+ # Advance to 601 s (just past 10 minutes, the time of expiry)
+ self.reactor.advance(2.0)
+
+ # Now neither token is valid.
+ self.assertFalse(self.is_access_token_valid(refreshable_access_token))
+ self.assertFalse(self.is_access_token_valid(nonrefreshable_access_token))
+
+ @override_config(
{"refreshable_access_token_lifetime": "1m", "refresh_token_lifetime": "2m"}
)
def test_refresh_token_expiry(self):
@@ -685,7 +761,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
"type": "m.login.password",
"user": "test",
"password": self.user_pass,
- "org.matrix.msc2918.refresh_token": True,
+ "refresh_token": True,
}
login_response = self.make_request(
"POST",
@@ -735,7 +811,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
"type": "m.login.password",
"user": "test",
"password": self.user_pass,
- "org.matrix.msc2918.refresh_token": True,
+ "refresh_token": True,
}
login_response = self.make_request(
"POST",
@@ -792,7 +868,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
"type": "m.login.password",
"user": "test",
"password": self.user_pass,
- "org.matrix.msc2918.refresh_token": True,
+ "refresh_token": True,
}
login_response = self.make_request(
"POST",
@@ -804,7 +880,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
# This first refresh should work properly
first_refresh_response = self.make_request(
"POST",
- "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
+ "/_matrix/client/v1/refresh",
{"refresh_token": login_response.json_body["refresh_token"]},
)
self.assertEqual(
@@ -814,7 +890,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
# This one as well, since the token in the first one was never used
second_refresh_response = self.make_request(
"POST",
- "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
+ "/_matrix/client/v1/refresh",
{"refresh_token": login_response.json_body["refresh_token"]},
)
self.assertEqual(
@@ -824,7 +900,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
# This one should not, since the token from the first refresh is not valid anymore
third_refresh_response = self.make_request(
"POST",
- "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
+ "/_matrix/client/v1/refresh",
{"refresh_token": first_refresh_response.json_body["refresh_token"]},
)
self.assertEqual(
@@ -852,7 +928,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
# Now that the access token from the last valid refresh was used once, refreshing with the N-1 token should fail
fourth_refresh_response = self.make_request(
"POST",
- "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
+ "/_matrix/client/v1/refresh",
{"refresh_token": login_response.json_body["refresh_token"]},
)
self.assertEqual(
@@ -862,7 +938,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
# But refreshing from the last valid refresh token still works
fifth_refresh_response = self.make_request(
"POST",
- "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
+ "/_matrix/client/v1/refresh",
{"refresh_token": second_refresh_response.json_body["refresh_token"]},
)
self.assertEqual(
|
