Validate user during cookie refresh

oauthproxy.go

@@ -302,7 +302,7 @@ func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (e
 	} else if p.CookieRefresh != time.Duration(0) {
 		refresh_threshold := time.Now().Add(p.CookieRefresh)
 		if refresh_threshold.Unix() > timestamp.Unix() {
-			ok = p.ValidateToken(access_token)
+			ok = p.Validator(email) && p.ValidateToken(access_token)
 			if ok {
 				p.SetCookie(rw, req, value)
 			}

oauthproxy_test.go

@@ -397,6 +397,7 @@ type ProcessCookieTest struct {
 	req           *http.Request
 	backend       *httptest.Server
 	response_code int
+	validate_user bool
 }
 
 func NewProcessCookieTest() *ProcessCookieTest {
@@ -414,7 +415,7 @@ func NewProcessCookieTest() *ProcessCookieTest {
 	pc_test.opts.Validate()
 
 	pc_test.proxy = NewOauthProxy(pc_test.opts, func(email string) bool {
-		return true
+		return pc_test.validate_user
 	})
 
 	// Now, zero-out proxy.CookieRefresh for the cases that don't involve
@@ -422,6 +423,7 @@ func NewProcessCookieTest() *ProcessCookieTest {
 	pc_test.proxy.CookieRefresh = time.Duration(0)
 	pc_test.rw = httptest.NewRecorder()
 	pc_test.req, _ = http.NewRequest("GET", "/", strings.NewReader(""))
+	pc_test.validate_user = true
 	return &pc_test
 }
 
@@ -529,3 +531,19 @@ func TestProcessCookieFailIfRefreshSetAndTokenNoLongerValid(t *testing.T) {
 	assert.Equal(t, false, ok)
 	assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
 }
+
+func TestProcessCookieFailIfRefreshSetAndUserNoLongerValid(t *testing.T) {
+	pc_test := NewProcessCookieTest()
+	pc_test.InstantiateBackend()
+	defer pc_test.Close()
+	pc_test.validate_user = false
+
+	cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token")
+	cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
+	pc_test.req.AddCookie(cookie)
+
+	pc_test.proxy.CookieRefresh = time.Duration(24) * time.Hour
+	_, _, _, ok := pc_test.ProcessCookie()
+	assert.Equal(t, false, ok)
+	assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
+}