Skip to content

Refactor token validation in CookieAuthenticationOptionsExtensions #24526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
maliming wants to merge 2 commits into
base: dev
Choose a base branch
from
Open

Refactor token validation in CookieAuthenticationOptionsExtensions #24526

maliming wants to merge 2 commits into from
+44 −86

Conversation

@maliming
Copy link
Member

@maliming maliming commented Jan 2, 2026

Resolve #24468

Copilot AI review requested due to automatic review settings January 2, 2026 08:04
@maliming maliming added this to the 10.2-preview milestone Jan 2, 2026
Copilot AI reviewed Jan 2, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors token validation in the CookieAuthenticationOptionsExtensions to improve maintainability, fix logic errors, and consolidate duplicate code. The changes resolve issue #24468 by fixing the token expiration check logic and improving the handling of introspection endpoints.

Key Changes:

  • Fixed token expiration check logic to properly validate tokens expiring within the advance window (changed from checking expired tokens to checking soon-to-expire tokens)
  • Added support for chaining multiple OnValidatePrincipal handlers by preserving and invoking the previous handler
  • Consolidated duplicate code by marking IntrospectAccessToken as obsolete and delegating to CheckTokenExpiration

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs Core refactoring with bug fixes: corrected token expiration logic, improved introspection endpoint handling with fallback logic, enhanced logging messages with structured parameters, fixed async method modifiers, and added previousHandler chaining support
framework/src/Volo.Abp.AspNetCore.Components.Server/Microsoft/AspNetCore/Authentication/Cookies/CookieAuthenticationOptionsExtensions.cs Simplified by removing duplicate implementation and delegating to the main CheckTokenExpiration method, marked old method as obsolete

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@maliming maliming requested a review from EngincanV January 2, 2026 08:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@EngincanV EngincanV Awaiting requested review from EngincanV

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

abp-framework

Projects

None yet

Milestone

10.2-preview

Development

Successfully merging this pull request may close these issues.

Standardize CheckTokenExpiration and IntrospectAccessToken methods.

2 participants

@maliming