6 files changed, 66 insertions, 5 deletions

diff --git a/config/defaults.yml b/config/defaults.yml
index 910fbf8..8d81668 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -16,6 +16,8 @@ cert_options: &cert_options
 common: &common
   force_ssl: false
   pagination_size: 30
+  auth:
+    token_expires_after: 60
 
 development:
   <<: *dev_ca
diff --git a/users/app/controllers/controller_extension/token_authentication.rb b/users/app/controllers/controller_extension/token_authentication.rb
index 3e2816d..530294a 100644
--- a/users/app/controllers/controller_extension/token_authentication.rb
+++ b/users/app/controllers/controller_extension/token_authentication.rb
@@ -5,7 +5,7 @@ module ControllerExtension::TokenAuthentication
     authenticate_with_http_token do |token_id, options|
       @token = Token.find(token_id)
     end
-    @token.user if @token
+    @token.authenticate if @token
   end
 
   def logout
diff --git a/users/app/models/token.rb b/users/app/models/token.rb
index 3de0059..dd87344 100644
--- a/users/app/models/token.rb
+++ b/users/app/models/token.rb
@@ -4,11 +4,41 @@ class Token < CouchRest::Model::Base
 
   belongs_to :user
 
+  # timestamps! does not create setters and only sets updated_at
+  # if the object has changed and been saved. Instead of triggering
+  # that we rather use our own property we have control over:
+  property :last_seen_at, Time, accessible: false
+
   validates :user_id, presence: true
 
+  def authenticate
+    if expired?
+      destroy
+      return nil
+    else
+      touch
+      return user
+    end
+  end
+
+  def touch
+    self.last_seen_at = Time.now
+    save
+  end
+
+  def expired?
+    expires_after and
+    last_seen_at + expires_after.minutes < Time.now
+  end
+
+  def expires_after
+    APP_CONFIG[:auth] && APP_CONFIG[:auth][:token_expires_after]
+  end
+
   def initialize(*args)
     super
     self.id = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+    self.last_seen_at = Time.now
   end
 
   design do
diff --git a/users/test/functional/test_helpers_test.rb b/users/test/functional/test_helpers_test.rb
index 9bd01ad..845e516 100644
--- a/users/test/functional/test_helpers_test.rb
+++ b/users/test/functional/test_helpers_test.rb
@@ -21,7 +21,7 @@ class TestHelpersTest < ActionController::TestCase
   def test_login_stubs_token
     login
     assert @token
-    assert_equal @current_user, @token.user
+    assert_equal @current_user, @token.authenticate
   end
 
   def test_login_adds_token_header
diff --git a/users/test/support/auth_test_helper.rb b/users/test/support/auth_test_helper.rb
index 47147fc..609f115 100644
--- a/users/test/support/auth_test_helper.rb
+++ b/users/test/support/auth_test_helper.rb
@@ -41,7 +41,7 @@ module AuthTestHelper
   protected
 
   def header_for_token_auth
-    @token = find_record(:token, :user => @current_user)
+    @token = find_record(:token, :authenticate => @current_user)
     ActionController::HttpAuthentication::Token.encode_credentials @token.id
   end
 end
diff --git a/users/test/unit/token_test.rb b/users/test/unit/token_test.rb
index bff6b71..f56c576 100644
--- a/users/test/unit/token_test.rb
+++ b/users/test/unit/token_test.rb
@@ -1,19 +1,20 @@
 require 'test_helper'
 
 class ClientCertificateTest < ActiveSupport::TestCase
+  include StubRecordHelper
 
   setup do
-    @user = FactoryGirl.create(:user)
+    @user = find_record :user
   end
 
   teardown do
-    @user.destroy
   end
 
   test "new token for user" do
     sample = Token.new(:user_id => @user.id)
     assert sample.valid?
     assert_equal @user.id, sample.user_id
+    assert_equal @user, sample.authenticate
   end
 
   test "token id is secure" do
@@ -34,4 +35,32 @@ class ClientCertificateTest < ActiveSupport::TestCase
     assert !sample.valid?, "Token should require a user record"
   end
 
+  test "token updates timestamps" do
+    sample = Token.new(user_id: @user.id)
+    sample.last_seen_at = 1.minute.ago
+    sample.expects(:save)
+    assert_equal @user, sample.authenticate
+    assert Time.now - sample.last_seen_at < 1.minute, "last_seen_at has not been updated"
+  end
+
+  test "token will not expire if token_expires_after is not set" do
+    sample = Token.new(user_id: @user.id)
+    sample.last_seen_at = 2.years.ago
+    with_config auth: {} do
+      sample.expects(:save)
+      assert_equal @user, sample.authenticate
+    end
+  end
+
+  test "expired token returns nil on authenticate" do
+    sample = Token.new(user_id: @user.id)
+    sample.last_seen_at = 2.hours.ago
+    with_config auth: {token_expires_after: 60} do
+      sample.expects(:destroy)
+      assert_nil sample.authenticate
+    end
+  end
+
+
+
 end