Merge pull request #5484 from AzureAD/2130019_fix_cache_cred_lookup

2130019. Fix cache credential look-up.

Author: konstantin-msft

change/@azure-msal-common-1c5b94a0-f7bc-4296-98bf-754bce80f004.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Fix cache credential look-up (#5484)",
+  "packageName": "@azure/msal-common",
+  "email": "kshabelko@microsoft.com",
+  "dependentChangeType": "patch"
+}

lib/msal-common/src/cache/entities/CredentialEntity.ts

@@ -108,17 +108,16 @@ export class CredentialEntity {
      * @param key
      */
     static getCredentialType(key: string): string {
-        // First keyword search will match all "AccessToken" and "AccessToken_With_AuthScheme" credentials
-        if (key.indexOf(CredentialType.ACCESS_TOKEN.toLowerCase()) !== -1) {
-            // Perform second search to differentiate between "AccessToken" and "AccessToken_With_AuthScheme" credential types
-            if (key.indexOf(CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME.toLowerCase()) !== -1) {
-                return CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
+        const separator = Separators.CACHE_KEY_SEPARATOR;
+        // Match host names like "login.microsoftonline.com", "https://accounts.google.com:4000", etc.
+        const domainRe = "(https?:\\/\\/)?([\\w-]+\\.)*([\\w-]{1,63})(\\.(\\w{2,3}))(\\:[0-9]{4,5})?";
+
+        for (const credKey of Object.keys(CredentialType)) {
+            const credVal = CredentialType[credKey].toLowerCase();
+            // Verify credential type is preceded by a valid host name (environment)
+            if (key.toLowerCase().search(`(?<=${separator}${domainRe})${separator}${credVal}${separator}`) !== -1) {
+                return CredentialType[credKey];
             }
-            return CredentialType.ACCESS_TOKEN;
-        } else if (key.indexOf(CredentialType.ID_TOKEN.toLowerCase()) !== -1) {
-            return CredentialType.ID_TOKEN;
-        } else if (key.indexOf(CredentialType.REFRESH_TOKEN.toLowerCase()) !== -1) {
-            return CredentialType.REFRESH_TOKEN;
         }
 
         return Constants.NOT_DEFINED;

lib/msal-common/test/cache/entities/CredentialEntity.spec.ts

@@ -0,0 +1,135 @@
+import { AccessTokenEntity, Constants, CredentialEntity, CredentialType } from "../../../src";
+import {TEST_CONFIG, TEST_DATA_CLIENT_INFO} from "../../test_kit/StringConstants";
+
+describe("CredentialEntity.ts Unit Tests", () => {
+
+    const clientId = TEST_CONFIG.MSAL_CLIENT_ID;
+    const homeAccountId = `${TEST_DATA_CLIENT_INFO.TEST_UID}.${TEST_DATA_CLIENT_INFO.TEST_UTID}`;
+
+    describe("Get credential type", () => {
+        it("GUID homeAccountId - Is access token", () => {
+            const atEntity = new AccessTokenEntity();
+            Object.assign(atEntity, {
+                homeAccountId,
+                environment: "login.microsoftonline.com",
+                credentialType: "AccessToken",
+                clientId: "mock_client_id",
+                secret: "an access token sample",
+                realm: "microsoft",
+                target: "scope6 scope7",
+                cachedAt: "1000",
+                expiresOn: "4600",
+                extendedExpiresOn: "4600",
+                tokenType: "Bearer"
+            });
+
+            const atKey = atEntity.generateCredentialKey();
+
+            expect(CredentialEntity.getCredentialType(atKey)).toEqual(CredentialType.ACCESS_TOKEN);
+        });
+
+        it("String homeAccountId - Is access token", () => {
+            const atEntity = new AccessTokenEntity();
+            Object.assign(atEntity, {
+                homeAccountId: "homeAccountId",
+                environment: "login.microsoftonline.com",
+                credentialType: "AccessToken",
+                clientId: "mock_client_id",
+                secret: "an access token sample",
+                realm: "microsoft",
+                target: "scope6 scope7",
+                cachedAt: "1000",
+                expiresOn: "4600",
+                extendedExpiresOn: "4600",
+                tokenType: "Bearer"
+            });
+
+            const atKey = atEntity.generateCredentialKey();
+
+            expect(CredentialEntity.getCredentialType(atKey)).toEqual(CredentialType.ACCESS_TOKEN);
+        });
+
+        it("Missing homeAccountId - is access token", () => {
+            const atEntity = new AccessTokenEntity();
+            Object.assign(atEntity, {
+                homeAccountId: Constants.EMPTY_STRING,
+                environment: "login.microsoftonline.com",
+                credentialType: "AccessToken",
+                clientId: "mock_client_id",
+                secret: "an access token sample",
+                realm: "microsoft",
+                target: "scope6 scope7",
+                cachedAt: "1000",
+                expiresOn: "4600",
+                extendedExpiresOn: "4600",
+                tokenType: "Bearer"
+            });
+
+            const atKey = atEntity.generateCredentialKey();
+
+            expect(CredentialEntity.getCredentialType(atKey)).toEqual(CredentialType.ACCESS_TOKEN);
+        });
+
+        it("Host name with prefix and port - Is access token", () => {
+            const atEntity = new AccessTokenEntity();
+            Object.assign(atEntity, {
+                homeAccountId,
+                environment: "https://login.microsoftonline.com:40000",
+                credentialType: "AccessToken",
+                clientId: "mock_client_id",
+                secret: "an access token sample",
+                realm: "microsoft",
+                target: "scope6 scope7",
+                cachedAt: "1000",
+                expiresOn: "4600",
+                extendedExpiresOn: "4600",
+                tokenType: "Bearer"
+            });
+
+            const atKey = atEntity.generateCredentialKey();
+
+            expect(CredentialEntity.getCredentialType(atKey)).toEqual(CredentialType.ACCESS_TOKEN);
+        });
+
+        it("Host name with multiple TLDs - Is access token", () => {
+            const atEntity = new AccessTokenEntity();
+            Object.assign(atEntity, {
+                homeAccountId,
+                environment: "login.microsoftonline.us.com:40000",
+                credentialType: "AccessToken",
+                clientId: "mock_client_id",
+                secret: "an access token sample",
+                realm: "microsoft",
+                target: "scope6 scope7",
+                cachedAt: "1000",
+                expiresOn: "4600",
+                extendedExpiresOn: "4600",
+                tokenType: "Bearer"
+            });
+
+            const atKey = atEntity.generateCredentialKey();
+
+            expect(CredentialEntity.getCredentialType(atKey)).toEqual(CredentialType.ACCESS_TOKEN);
+        });
+
+        it("Metadata key - empty result", () => {
+            const key = `authority-metadata-${clientId}-login.microsoftonline.com`;
+            expect(CredentialEntity.getCredentialType(key)).toEqual(Constants.NOT_DEFINED);
+        });
+
+        it("Partial workflow match - empty result", () => {
+            const key = `${homeAccountId}-accessTokenWorkflow-login.microsoftonline.com-someothertoken-${clientId}---`;
+            expect(CredentialEntity.getCredentialType(key)).toEqual(Constants.NOT_DEFINED);
+        });
+
+        it("Invalid host name - empty result", () => {
+            const key = `${homeAccountId}-login.microsoftonline-accessToken-${clientId}---`;
+            expect(CredentialEntity.getCredentialType(key)).toEqual(Constants.NOT_DEFINED);
+        });
+
+        it("Empty host name - empty result", () => {
+            const key = `${homeAccountId}--accessToken-${clientId}---`;
+            expect(CredentialEntity.getCredentialType(key)).toEqual(Constants.NOT_DEFINED);
+        });
+    })
+});