Handle OAuth / API properly
efef opened this issue · 3 comments
efef commented
- Deal with expired
access_token(obtain a new one usingrefresh_token) - Deal with expired (rejected)
refresh_token(start new authorization) - Obtain
/profile_configbefore attempting to connect to the VPN - Obtain new certificate when current one is no longer valid,
/check_certificate - Handle OAuth errors, e.g.
access_tokenthat is not yet expired is rejected
Please review API documentation and OAuth specifications and/or AppAuth documentation on how to deal with errors.
efef commented
You can use https://frkovpn.tuxed.net to test with to make sure you handled all edge cases:
- browser session expires after 3 minutes
- OAuth refresh_token expires after 3 minutes
- OAuth access_token expires after 1 minute
- X.509 client certificate expires after 3 minutes
- The whole instance is completely reset (new CA is deployed, OpenVPN server processes restarted) every hour on the exact hour.
- the app MUST recover gracefully (i.e. re-request authorization) in this situation!
That should be enough to easily test all possible cases.
efef commented
Other cases that need testing:
- disabled user account should prevent them from connecting as well (AUTH_FAILED OpenVPN)
- but more importantly: the app should not even try to connect in that case as the
/profile_configand/check_certificatecalls would fail in the first place
- but more importantly: the app should not even try to connect in that case as the
- user revokes authorization manually in the portal under
/account
johankool commented
I've gone thru the code and did some double checks. It seems to me that this is all handled correctly.