From fe4b5ada8c92b1aa8e7d174701b21993fe4bf886 Mon Sep 17 00:00:00 2001
From: Joe Grandja <10884212+jgrandja@users.noreply.github.com>
Date: Tue, 3 Jun 2025 09:16:55 -0400
Subject: [PATCH] Polish gh-1997
---
 ...eviceVerificationAuthenticationProvider.java | 5 +++++
 ...VerificationAuthenticationProviderTests.java | 17 ++++++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java
index 3009c86b..a44eb6a7 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java
@@ -22,6 +22,7 @@ import java.util.Set;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.core.log.LogMessage;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
@@ -114,6 +115,10 @@ public final class OAuth2DeviceVerificationAuthenticationProvider implements Aut
 if (!userCode.isInvalidated()) {
 authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, userCode.getToken());
 this.authorizationService.save(authorization);
+ if (this.logger.isWarnEnabled()) {
+ this.logger.warn(LogMessage.format("Invalidated user code used by registered client '%s'",
+ authorization.getRegisteredClientId()));
+ }
 }
 throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
 }
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProviderTests.java
index da379703..fd6a54d6 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProviderTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProviderTests.java
@@ -56,6 +56,7 @@ import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
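Review bot: The added warning sits inside `if (!userCode.isInvalidated())`, so it is written only on the request that triggers the invalidation; a later presentation of the same, already-invalidated user code goes straight to the `INVALID_GRANT` throw with no log entry, which leaves repeated use of a dead code invisible to anyone monitoring the verification endpoint. The wording is also ambiguous: "Invalidated user code used by registered client" reads as if an already-invalidated code had been presented, and in the device flow the code is normally entered by the end user rather than by the client. Consider `LogMessage.format("Invalidated user code for authorization '%s' issued to registered client '%s'", authorization.getId(), authorization.getRegisteredClientId())`, plus a lower-level log line just before the throw for the already-invalidated case. The condition that leads into this block lies outside the hunk, so whether it covers only expiry cannot be confirmed from here.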
@@ -147,7 +148,7 @@ public class OAuth2DeviceVerificationAuthenticationProviderTests {
 }
 @Test
- public void authenticateWhenUserCodeIsInvalidedThenThrowOAuth2AuthenticationException() {
+ public void authenticateWhenUserCodeIsInvalidatedThenThrowOAuth2AuthenticationException() {
 RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 // @formatter:off
 OAuth2Authorization authorization = TestOAuth2Authorizations
@@ -157,7 +158,9 @@ public class OAuth2DeviceVerificationAuthenticationProviderTests {
 .attribute(OAuth2ParameterNames.SCOPE, registeredClient.getScopes())
 .build();
 // @formatter:on
- given(this.authorizationService.findByToken(anyString(), any(OAuth2TokenType.class))).willReturn(authorization);
+ given(this.authorizationService.findByToken(eq(USER_CODE),
+ eq(OAuth2DeviceVerificationAuthenticationProvider.USER_CODE_TOKEN_TYPE)))
+ .willReturn(authorization);
 Authentication authentication = createAuthentication();
 // @formatter:off
 assertThatExceptionOfType(OAuth2AuthenticationException.class)
@@ -174,7 +177,7 @@ public class OAuth2DeviceVerificationAuthenticationProviderTests {
 }
 @Test
- public void authenticateWhenUserCodeIsExpiredButNotInvalidatedThenInvalidateUserCodeAndThrowOAuth2AuthenticationException() {
+ public void authenticateWhenUserCodeIsExpiredAndNotInvalidatedThenThrowOAuth2AuthenticationException() {
 RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 // @formatter:off
 OAuth2Authorization authorization = TestOAuth2Authorizations
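Review bot: With the stub in the hunk at -157 narrowed to `eq(USER_CODE)` and `eq(OAuth2DeviceVerificationAuthenticationProvider.USER_CODE_TOKEN_TYPE)`, a lookup with any other argument makes the mock return null, and the only assertion visible in this hunk is the exception type. If the provider throws the same `OAuth2AuthenticationException` when no authorization is found (that path is not visible here), the test could pass without ever reaching the invalidated-code branch. Unless the lines after the hunk already do so, pin the path with `verify(this.authorizationService).findByToken(USER_CODE, OAuth2DeviceVerificationAuthenticationProvider.USER_CODE_TOKEN_TYPE);` and, for this already-invalidated case, `verify(this.authorizationService, never()).save(any());`. The identical stub change in the hunk at -185 has the same exposure; both test methods continue outside their hunks.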
@@ -185,7 +188,9 @@ public class OAuth2DeviceVerificationAuthenticationProviderTests {
 .attribute(OAuth2ParameterNames.SCOPE, registeredClient.getScopes())
 .build();
 // @formatter:on
- given(this.authorizationService.findByToken(anyString(), any(OAuth2TokenType.class))).willReturn(authorization);
+ given(this.authorizationService.findByToken(eq(USER_CODE),
+ eq(OAuth2DeviceVerificationAuthenticationProvider.USER_CODE_TOKEN_TYPE)))
+ .willReturn(authorization);
 Authentication authentication = createAuthentication();
 // @formatter:off
 assertThatExceptionOfType(OAuth2AuthenticationException.class)
@@ -203,9 +208,7 @@ public class OAuth2DeviceVerificationAuthenticationProviderTests {
 verifyNoInteractions(this.registeredClientRepository, this.authorizationConsentService);
 OAuth2Authorization updatedAuthorization = authorizationCaptor.getValue();
- assertThat(updatedAuthorization.getToken(OAuth2UserCode.class))
- .extracting(isInvalidated())
- .isEqualTo(true);
+ assertThat(updatedAuthorization.getToken(OAuth2UserCode.class)).extracting(isInvalidated()).isEqualTo(true);
 }
 @Test