Limit the number of OAuth2AuthorizationRequest per session

candrews · candrews · commit 9b1a85d992f3 · 2021-04-05T12:07:38.000-04:00
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/HttpSessionOAuth2AuthorizationRequestRepository.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/HttpSessionOAuth2AuthorizationRequestRepository.java
@@ -22,6 +22,7 @@
 import java.time.Instant;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Map.Entry;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -58,6 +59,8 @@ public final class HttpSessionOAuth2AuthorizationRequestRepository
 
 	private Duration authorizationRequestTimeToLive = Duration.ofSeconds(120);
 
+	private int maxActiveAuthorizationRequestsPerSession = 10;
+
 	@Override
 	public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
 		Assert.notNull(request, "request cannot be null");
@@ -84,6 +87,11 @@ public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationReq
 		Map<String, OAuth2AuthorizationRequestReference> authorizationRequests = this.getAuthorizationRequests(request);
 		authorizationRequests.put(state, new OAuth2AuthorizationRequestReference(authorizationRequest,
 				this.clock.instant().plus(this.authorizationRequestTimeToLive)));
+		if (authorizationRequests.size() > this.maxActiveAuthorizationRequestsPerSession) {
+			authorizationRequests.entrySet().stream()
+					.sorted((e, f) -> e.getValue().expiresAt.compareTo(f.getValue().expiresAt)).findFirst()
+					.map(Entry::getKey).ifPresent(authorizationRequests::remove);
+		}
 		request.getSession().setAttribute(this.sessionAttributeName, authorizationRequests);
 	}
 
@@ -167,6 +175,18 @@ public void setAuthorizationRequestTimeToLive(Duration authorizationRequestTimeT
 		this.authorizationRequestTimeToLive = authorizationRequestTimeToLive;
 	}
 
+	/**
+	 * Sets the maximum number of {@link OAuth2AuthorizationRequest} that can be
+	 * stored/active for a session. If the maximum number are present in a session when an
+	 * attempt is made to save another one, then the oldest will be removed.
+	 * @param maxActiveAuthorizationRequests must not be negative.
+	 */
+	public void setMaxActiveAuthorizationRequestsPerSession(int maxActiveAuthorizationRequestsPerSession) {
+		Assert.state(maxActiveAuthorizationRequestsPerSession > 0,
+				"maxActiveAuthorizationRequestsPerSession must be greater than zero");
+		this.maxActiveAuthorizationRequestsPerSession = maxActiveAuthorizationRequestsPerSession;
+	}
+
 	private static final class OAuth2AuthorizationRequestReference implements Serializable {
 
 		private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/HttpSessionOAuth2AuthorizationRequestRepositoryTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/HttpSessionOAuth2AuthorizationRequestRepositoryTests.java
@@ -268,6 +268,36 @@ public void removeAuthorizationRequestWhenExpired() {
 		assertThat(loadedAuthorizationRequest2).isEqualTo(authorizationRequest2);
 	}
 
+	@Test
+	public void removeOldestAuthorizationRequestWhenMoreThanMax() {
+		this.authorizationRequestRepository.setMaxActiveAuthorizationRequestsPerSession(2);
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		String state1 = "state-1122";
+		OAuth2AuthorizationRequest authorizationRequest1 = createAuthorizationRequest().state(state1).build();
+		this.authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest1, request, response);
+		String state2 = "state-3344";
+		OAuth2AuthorizationRequest authorizationRequest2 = createAuthorizationRequest().state(state2).build();
+		this.authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest2, request, response);
+		String state3 = "state-4455";
+		OAuth2AuthorizationRequest authorizationRequest3 = createAuthorizationRequest().state(state3).build();
+		this.authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest3, request, response);
+		request.addParameter(OAuth2ParameterNames.STATE, state1);
+		OAuth2AuthorizationRequest loadedAuthorizationRequest1 = this.authorizationRequestRepository
+				.loadAuthorizationRequest(request);
+		assertThat(loadedAuthorizationRequest1).isNull();
+		request.removeParameter(OAuth2ParameterNames.STATE);
+		request.addParameter(OAuth2ParameterNames.STATE, state2);
+		OAuth2AuthorizationRequest loadedAuthorizationRequest2 = this.authorizationRequestRepository
+				.loadAuthorizationRequest(request);
+		assertThat(loadedAuthorizationRequest2).isEqualTo(authorizationRequest2);
+		request.removeParameter(OAuth2ParameterNames.STATE);
+		request.addParameter(OAuth2ParameterNames.STATE, state3);
+		OAuth2AuthorizationRequest loadedAuthorizationRequest3 = this.authorizationRequestRepository
+				.loadAuthorizationRequest(request);
+		assertThat(loadedAuthorizationRequest3).isEqualTo(authorizationRequest3);
+	}
+
 	private OAuth2AuthorizationRequest.Builder createAuthorizationRequest() {
 		return OAuth2AuthorizationRequest.authorizationCode().authorizationUri("https://example.com/oauth2/authorize")
 				.clientId("client-id-1234").state("state-1234");
