protected boolean validateToken()

in gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java [489:542]


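  /**
   * Validates a passcode-style token against the token state service.
   *
   * The token is accepted only when every check passes, in this order: the token state
   * service is available, a token ID is present, the token has not expired, it is not
   * disabled, its idle-timeout limit has not been exceeded, and its passcode is either
   * already recorded as signature-verified or validates now. On success the token's
   * last-used timestamp is refreshed. Every failure path writes an error response via
   * {@code handleValidationError} and returns {@code false}.
   *
   * @param request  the current request
   * @param response the response to write a validation error to on failure
   * @param chain    the filter chain (not consumed here; kept for subclasses/callers)
   * @param tokenId  the token identifier, may be {@code null}
   * @param passcode the token passcode presented by the client
   * @return {@code true} if the token is valid and may be used, {@code false} otherwise
   * @throws IOException      if writing the error response fails
   * @throws ServletException if the filter pipeline fails
   */
  protected boolean validateToken(final HttpServletRequest request,
                                  final HttpServletResponse response,
                                  final FilterChain chain,
                                  final String tokenId,
                                  final String passcode)
          throws IOException, ServletException {

    // Only ever log the masked display form of the token ID, never the raw value.
    final String displayableTokenId = tokenId == null ? "N/A" : Tokens.getTokenIDDisplayText(tokenId);

    if (tokenStateService == null) {
      // Without server-side token state there is nothing to validate the passcode against,
      // so the token is rejected rather than trusted blindly.
      log.unableToVerifyPasscodeToken(displayableTokenId);
      handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, TOKEN_STATE_SERVICE_DISABLED_ERROR);
      return false;
    }

    try {
      if (tokenId == null) {
        log.missingTokenPasscode();
        handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, "Bad request: missing token passcode.");
        return false;
      }

      if (!tokenIsStillValid(tokenId)) {
        log.tokenHasExpired(displayableTokenId);
        // Explicitly evict the record of this token's signature verification (if present).
        // There is no value in keeping this record for expired tokens, and explicitly removing them may prevent
        // records for other valid tokens from being prematurely evicted from the cache.
        removeSignatureVerificationRecord(passcode);
        handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, "Token has expired");
        return false;
      }

      // tokenStateService is non-null here (guarded above), so no second null check is needed.
      final TokenMetadata tokenMetadata = tokenStateService.getTokenMetadata(tokenId);

      if (!isTokenEnabled(tokenMetadata)) {
        log.disabledToken(displayableTokenId);
        handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, "Token " + displayableTokenId + " is disabled");
        return false;
      }

      if (!isIdleTimeoutLimitNotExceeded(tokenMetadata)) {
        // tokenMetadata at this point cannot be null (see isIdleTimeoutLimitNotExceeded(...))
        log.idleTimoutExceeded(tokenMetadata.getUserName(), displayableTokenId, idleTimeoutSeconds);
        handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, "Token " + displayableTokenId + " exceeded idle timeout");
        return false;
      }

      // A passcode whose signature verification is already recorded skips re-validation;
      // otherwise the passcode must validate against the stored token state now.
      if (!(hasSignatureBeenVerified(passcode) || validatePasscode(tokenId, passcode))) {
        // Consistent with the other failure branches: log the masked ID, not the raw tokenId.
        log.wrongPasscodeToken(displayableTokenId);
        handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, "Invalid passcode");
        return false;
      }

      markLastUsedAt(tokenId, tokenMetadata);
      return true;
    } catch (UnknownTokenException e) {
      log.unableToVerifyExpiration(e);
      // NOTE(review): the exception message is echoed to the client; confirm it carries
      // nothing beyond the fact that the token is unknown.
      handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
      return false;
    }
  }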