Challenge - 5 Problems
Refresh Token Mastery
Get all challenges correct to earn this badge!
Test your skills under time pressure!
❓ component_behavior (intermediate)
What happens when a refresh token is expired in this Spring Boot code?
Consider this simplified Spring Boot controller method that handles refresh tokens. What will be the HTTP response status if the refresh token is expired?
Spring Boot
public ResponseEntity<?> refreshToken(@RequestBody TokenRefreshRequest request) {
    String requestRefreshToken = request.getRefreshToken();
    return refreshTokenService.findByToken(requestRefreshToken)
            // throws TokenRefreshException if the stored token has expired
            .map(refreshTokenService::verifyExpiration)
            .map(RefreshToken::getUser)
            .map(user -> {
                // issue a new short-lived access token for the token's owner
                String token = jwtUtils.generateTokenFromUsername(user.getUsername());
                return ResponseEntity.ok(new TokenRefreshResponse(token, requestRefreshToken));
            })
            // no matching token in the database
            .orElseThrow(() -> new TokenRefreshException(requestRefreshToken, "Refresh token is not in database!"));
}
💡 Hint
Look at what happens when verifyExpiration fails or token is not found.
If the refresh token is expired, verifyExpiration throws a TokenRefreshException. This exception is caught by the global exception handler which returns HTTP 403 Forbidden.
❓ state_output (intermediate)
What is the value of the new access token after refresh?
Given this snippet from a refresh token service, what will be the value of the new access token returned?
Spring Boot
public String generateTokenFromUsername(String username) {
    return Jwts.builder()
            .setSubject(username)
            .setIssuedAt(new Date())
            // 600000 ms = 10 minutes from now
            .setExpiration(new Date(System.currentTimeMillis() + 600000))
            .signWith(SignatureAlgorithm.HS512, jwtSecret)
            .compact();
}
// Assume username = "alice" and jwtSecret = "secretKey"
💡 Hint
The method builds a JWT with the username as subject and signs it.
The method creates a JWT token with the username as the subject, sets issued and expiration times, and signs it with the secret key. The token is a compact JWT string.
📝 Syntax (advanced)
Which option correctly defines a RefreshToken entity with expiration date?
Choose the correct Java entity class definition for a RefreshToken with fields: id (Long), token (String), expiryDate (Instant), and user (User).
💡 Hint
Check the correct annotation for user relationship and the type for expiryDate.
Option C correctly uses @Id for id, Instant for expiryDate, and @ManyToOne for user relationship which is typical for many tokens per user.
🔧 Debug (advanced)
Why does this refresh token validation code throw NullPointerException?
Examine this code snippet that validates a refresh token. Why does it throw NullPointerException sometimes?
Spring Boot
public RefreshToken verifyExpiration(RefreshToken token) {
    if (token.getExpiryDate().compareTo(Instant.now()) < 0) {
        // expired: delete it so it cannot be reused, then reject the request
        refreshTokenRepository.delete(token);
        throw new TokenRefreshException(token.getToken(), "Refresh token expired");
    }
    return token;
}
// token can be null if not found in DB
💡 Hint
Consider what happens if the token argument is null.
If token is null, calling token.getExpiryDate() causes NullPointerException. The method does not check for null before accessing token fields.
🧠 Conceptual (expert)
What is the main security benefit of using a refresh token pattern in Spring Boot?
Why do applications use refresh tokens instead of just long-lived access tokens?
💡 Hint
Think about what happens if an access token is stolen and how refresh tokens help.
Using refresh tokens allows access tokens to be short-lived, so if an access token is stolen, it expires quickly. The refresh token can be revoked to prevent further access.