VerificationToken with expiration date

4ae89628 · Aleksandr Sharaban · Matija Obreza · cbc9c3e6 · 4ae89628 · 4ae89628
Commit 4ae89628 authored Aug 12, 2016 by Aleksandr Sharaban Committed by Matija Obreza Aug 15, 2016
16 changed files
--- a/src/main/java/org/genesys2/server/model/impl/VerificationToken.java
+++ b/src/main/java/org/genesys2/server/model/impl/VerificationToken.java
@@ -16,6 +16,7 @@

 package org.genesys2.server.model.impl;

+import java.util.Date;
 import java.util.UUID;

 import javax.persistence.Column;
@@ -46,6 +47,9 @@ public class VerificationToken extends AuditedModel {
 	@Column(length = 120, nullable = true)
 	private String data;

+	@Column(nullable = false)
+	private Date validUntil;
+
 	@PrePersist
 	void generateUuid() {
 		if (this.uuid == null) {
@@ -84,4 +88,16 @@ public class VerificationToken extends AuditedModel {
 	public String getData() {
 		return data;
 	}
+
+	public static long getSerialVersionUID() {
+		return serialVersionUID;
+	}
+
+	public Date getValidUntil() {
+		return validUntil;
+	}
+
+	public void setValidUntil(Date validUntil) {
+		this.validUntil = validUntil;
+	}
 }
--- a/src/main/java/org/genesys2/server/persistence/domain/VerificationTokenRepository.java
+++ b/src/main/java/org/genesys2/server/persistence/domain/VerificationTokenRepository.java
@@ -18,6 +18,10 @@ package org.genesys2.server.persistence.domain;

 import org.genesys2.server.model.impl.VerificationToken;
 import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
+
+import java.util.Date;

 public interface VerificationTokenRepository extends JpaRepository<VerificationToken, Long> {

@@ -25,4 +29,8 @@ public interface VerificationTokenRepository extends JpaRepository<VerificationT

 	VerificationToken findByUuid(String tokenUuid);

+	@Query("delete from VerificationToken where validUntil < ?1")
+	@Modifying
+	int deleteOlderThan(Date date);
+
 }
--- a/src/main/java/org/genesys2/server/service/EMailVerificationService.java
+++ b/src/main/java/org/genesys2/server/service/EMailVerificationService.java
@@ -19,6 +19,7 @@ package org.genesys2.server.service;
 import org.genesys2.server.model.impl.User;
 import org.genesys2.server.service.PasswordPolicy.PasswordPolicyException;
 import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
+import org.genesys2.server.service.TokenVerificationService.TokenExpiredException;

 public interface EMailVerificationService {

@@ -28,7 +29,7 @@ public interface EMailVerificationService {

 	void cancelValidation(String tokenUuid);

-	void validateEMail(String tokenUuid, String key) throws NoSuchVerificationTokenException;
+	void validateEMail(String tokenUuid, String key) throws NoSuchVerificationTokenException, TokenExpiredException;

-	void changePassword(String tokenUuid, String key, String password) throws NoSuchVerificationTokenException, PasswordPolicyException;
+	void changePassword(String tokenUuid, String key, String password) throws NoSuchVerificationTokenException, PasswordPolicyException, TokenExpiredException;
 }
--- a/src/main/java/org/genesys2/server/service/RequestService.java
+++ b/src/main/java/org/genesys2/server/service/RequestService.java
@@ -51,7 +51,7 @@ public interface RequestService {
 	 * @throws NoPidException 
 	 * @throws EasySMTAException 
 	 */
-	MaterialRequest validateClientRequest(String tokenUuid, String key) throws RequestException, NoSuchVerificationTokenException, NoPidException, EasySMTAException;
+	MaterialRequest validateClientRequest(String tokenUuid, String key) throws RequestException, NoSuchVerificationTokenException, NoPidException, EasySMTAException, TokenVerificationService.TokenExpiredException;

 	/**
 	 * Relay sub-request to holding institute
@@ -63,7 +63,7 @@ public interface RequestService {
 	/**
 	 * Attempt to validate receipt of subrequest
 	 */
-	MaterialSubRequest validateReceipt(String tokenUuid, String key) throws NoSuchVerificationTokenException;
+	MaterialSubRequest validateReceipt(String tokenUuid, String key) throws NoSuchVerificationTokenException, TokenVerificationService.TokenExpiredException;

 	static class RequestException extends Exception {
 		/**

--- a/src/main/java/org/genesys2/server/service/TokenVerificationService.java
+++ b/src/main/java/org/genesys2/server/service/TokenVerificationService.java
@@ -46,7 +46,12 @@ public interface TokenVerificationService {
 	 * @return The consumed token
 	 * @throws NoSuchVerificationTokenException
 	 */
-	VerificationToken consumeToken(String purpose, String tokenUuid, String key) throws NoSuchVerificationTokenException;
+	VerificationToken consumeToken(String purpose, String tokenUuid, String key) throws NoSuchVerificationTokenException, TokenExpiredException;
+
+	/**
+	 * Removes expired verification tokens
+	 */
+	void removeExpired();

 	public static class NoSuchVerificationTokenException extends Exception {

@@ -56,4 +61,13 @@ public interface TokenVerificationService {
 		private static final long serialVersionUID = -1127854381492707753L;
 		
 	}
+
+	public static class TokenExpiredException extends Exception {
+
+		/**
+		 *
+		 */
+		private static final long serialVersionUID = -7556244971909041500L;
+
+	}
 }
--- a/src/main/java/org/genesys2/server/service/impl/EMailVerificationServiceImpl.java
+++ b/src/main/java/org/genesys2/server/service/impl/EMailVerificationServiceImpl.java
@@ -31,6 +31,7 @@ import org.genesys2.server.service.EMailVerificationService;
 import org.genesys2.server.service.PasswordPolicy.PasswordPolicyException;
 import org.genesys2.server.service.TokenVerificationService;
 import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
+import org.genesys2.server.service.TokenVerificationService.TokenExpiredException;
 import org.genesys2.server.service.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -96,14 +97,14 @@ public class EMailVerificationServiceImpl implements EMailVerificationService {

 	@Override
 	@Transactional
-	public void validateEMail(String tokenUuid, String key) throws NoSuchVerificationTokenException {
+	public void validateEMail(String tokenUuid, String key) throws NoSuchVerificationTokenException, TokenExpiredException {
 		final VerificationToken consumedToken = tokenVerificationService.consumeToken("email-verification", tokenUuid, key);
 		userService.userEmailValidated(consumedToken.getData());
 	}

 	@Override
 	@Transactional(rollbackFor = Throwable.class)
-	public void changePassword(String tokenUuid, String key, String password) throws NoSuchVerificationTokenException, PasswordPolicyException {
+	public void changePassword(String tokenUuid, String key, String password) throws NoSuchVerificationTokenException, PasswordPolicyException, TokenExpiredException {
 		final VerificationToken consumedToken = tokenVerificationService.consumeToken("email-password", tokenUuid, key);
 		try {
 			final User user = userService.getUserByUuid(consumedToken.getData());

--- a/src/main/java/org/genesys2/server/service/impl/RequestServiceImpl.java
+++ b/src/main/java/org/genesys2/server/service/impl/RequestServiceImpl.java
@@ -49,6 +49,7 @@ import org.genesys2.server.service.InstituteService;
 import org.genesys2.server.service.RequestService;
 import org.genesys2.server.service.TokenVerificationService;
 import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
+import org.genesys2.server.service.TokenVerificationService.TokenExpiredException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.i18n.LocaleContextHolder;
@@ -202,7 +203,7 @@ public class RequestServiceImpl implements RequestService {
 	// Rollback for any exception
 	@Override
 	@Transactional
-	public MaterialRequest validateClientRequest(String tokenUuid, String key) throws NoSuchVerificationTokenException, NoPidException, EasySMTAException {
+	public MaterialRequest validateClientRequest(String tokenUuid, String key) throws NoSuchVerificationTokenException, NoPidException, EasySMTAException, TokenExpiredException {
 		final VerificationToken consumedToken = tokenVerificationService.consumeToken(REQUEST_TOKENTYPE, tokenUuid, key);

 		final MaterialRequest materialRequest = requestRepository.findByUuid(consumedToken.getData());
@@ -403,7 +404,7 @@ public class RequestServiceImpl implements RequestService {
 	}

 	@Override
-	public MaterialSubRequest validateReceipt(String tokenUuid, String key) throws NoSuchVerificationTokenException {
+	public MaterialSubRequest validateReceipt(String tokenUuid, String key) throws NoSuchVerificationTokenException, TokenExpiredException {
 		final VerificationToken consumedToken = tokenVerificationService.consumeToken(RECEIPT_TOKENTYPE, tokenUuid, key);

 		final MaterialSubRequest materialSubRequest = subRequestRepository.findByUuid(consumedToken.getData());

--- a/src/main/java/org/genesys2/server/service/impl/TokenVerificationServiceImpl.java
+++ b/src/main/java/org/genesys2/server/service/impl/TokenVerificationServiceImpl.java
@@ -21,17 +21,25 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.genesys2.server.model.impl.VerificationToken;
 import org.genesys2.server.persistence.domain.VerificationTokenRepository;
+import org.genesys2.server.service.JPATokenStoreCleanup;
 import org.genesys2.server.service.TokenVerificationService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.i18n.LocaleContextHolder;
+import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;

+import java.util.Calendar;
+import java.util.Date;
+
 @Service
 @Transactional(readOnly = true)
-public class TokenVerificationServiceImpl implements TokenVerificationService {
+public class TokenVerificationServiceImpl implements TokenVerificationService, JPATokenStoreCleanup {

 	private static final Log LOG = LogFactory.getLog(TokenVerificationServiceImpl.class);

+	private static final int HOURS_UNTIL_INVALID = 4;
+
 	@Autowired
 	private VerificationTokenRepository verificationTokenRepository;

@@ -43,6 +51,12 @@ public class TokenVerificationServiceImpl implements TokenVerificationService {
 		// Store data
 		token.setData(data);
 		token.setKey(RandomStringUtils.randomAlphanumeric(4).toUpperCase());
+
+		Calendar calendar = Calendar.getInstance();
+		calendar.add(Calendar.HOUR_OF_DAY, HOURS_UNTIL_INVALID);
+		Date validUntil = calendar.getTime();
+
+		token.setValidUntil(validUntil);
 		token = verificationTokenRepository.save(token);
 		return token;
 	}
@@ -62,7 +76,7 @@ public class TokenVerificationServiceImpl implements TokenVerificationService {

 	@Override
 	@Transactional
-	public VerificationToken consumeToken(String purpose, String tokenUuid, String key) throws NoSuchVerificationTokenException {
+	public VerificationToken consumeToken(String purpose, String tokenUuid, String key) throws NoSuchVerificationTokenException, TokenExpiredException {
 		final VerificationToken verificationToken = verificationTokenRepository.findByPurposeAndUuid(purpose, tokenUuid);
 		if (verificationToken == null) {
 			LOG.warn("No such verification token " + tokenUuid + " key=" + key);
@@ -74,9 +88,33 @@ public class TokenVerificationServiceImpl implements TokenVerificationService {
 			throw new NoSuchVerificationTokenException();
 		}

+		Date now = Calendar.getInstance().getTime();
+		if (verificationToken.getValidUntil().before(now)) {
+			LOG.error("Verification token=" + verificationToken.getUuid() + " key=" + key + " has expired");
+			throw new TokenExpiredException();
+		}
+
 		// Consume token
 		verificationTokenRepository.delete(verificationToken);
 		return verificationToken;
 	}

+
+	/**
+	 * Cleanup executed every 10 minutes
+	 */
+	@Override
+	@Transactional
+	@Scheduled(fixedDelay = 600000)
+	public void removeExpired() {
+		final Date now = Calendar.getInstance().getTime();
+		if (LOG.isTraceEnabled()) {
+			LOG.trace("Removing expired verification tokens");
+		}
+
+		int count = verificationTokenRepository.deleteOlderThan(now);
+		if (count > 0) {
+			LOG.info("Removed expired verification tokens: " + count);
+		}
+	}
 }
--- a/src/main/java/org/genesys2/server/servlet/controller/RequestController.java
+++ b/src/main/java/org/genesys2/server/servlet/controller/RequestController.java
@@ -29,6 +29,7 @@ import org.genesys2.server.service.GenesysService;
 import org.genesys2.server.service.RequestService;
 import org.genesys2.server.service.RequestService.RequestException;
 import org.genesys2.server.service.RequestService.RequestInfo;
+import org.genesys2.server.service.TokenVerificationService;
 import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
 import org.genesys2.server.service.impl.EasySMTAException;
 import org.genesys2.spring.SecurityContextUtil;
@@ -185,6 +186,10 @@ public class RequestController extends BaseController {
 			_logger.error("Verification token is not valid");
 			model.addAttribute("error", e);
 			return validateClientRequest(model, tokenUuid, null);
+		} catch (TokenVerificationService.TokenExpiredException e) {
+			_logger.error("Verification token has expired");
+			model.addAttribute("error", e);
+			return validateClientRequest(model, tokenUuid, null);
 		} catch (EasySMTAException e) {
 			_logger.error("Error connecting to EasySMTA:  " + e.getMessage());
 			model.addAttribute("error", e);
@@ -220,6 +225,11 @@ public class RequestController extends BaseController {
 		} catch (final NoSuchVerificationTokenException e) {
 			_logger.error("Verification token is not valid");

+			model.addAttribute("error", e);
+			return confirmReceipt(model, tokenUuid, null);
+		} catch (TokenVerificationService.TokenExpiredException e) {
+			_logger.error("Verification token has expired");
+
 			model.addAttribute("error", e);
 			return confirmReceipt(model, tokenUuid, null);
 		}

--- a/src/main/java/org/genesys2/server/servlet/controller/UserProfileController.java
+++ b/src/main/java/org/genesys2/server/servlet/controller/UserProfileController.java
@@ -31,6 +31,7 @@ import org.genesys2.server.service.EMailVerificationService;
 import org.genesys2.server.service.PasswordPolicy.PasswordPolicyException;
 import org.genesys2.server.service.TeamService;
 import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
+import org.genesys2.server.service.TokenVerificationService.TokenExpiredException;
 import org.genesys2.server.service.UserService;
 import org.genesys2.spring.ResourceNotFoundException;
 import org.genesys2.util.ReCaptchaUtil;
@@ -140,7 +141,7 @@ public class UserProfileController extends BaseController {
 		try {
 			emailVerificationService.validateEMail(tokenUuid, key);
 			return "redirect:/profile";
-		} catch (final NoSuchVerificationTokenException e) {
+		} catch (final NoSuchVerificationTokenException | TokenExpiredException e) {
 			// Not valid
 			model.addAttribute("tokenUuid", tokenUuid);
 			model.addAttribute("error", "error");
@@ -215,6 +216,9 @@ public class UserProfileController extends BaseController {
 			model.addAttribute("key", key);
 			model.addAttribute("error", e.getMessage());
 			return passwordReset(model, tokenUuid);
+		} catch (TokenExpiredException e) {
+			model.addAttribute("error", e.getMessage());
+			return passwordReset(model, tokenUuid);
 		}
 	}


--- a/src/main/java/org/genesys2/server/servlet/controller/admin/UserProfileController.java
+++ b/src/main/java/org/genesys2/server/servlet/controller/admin/UserProfileController.java
@@ -25,6 +25,7 @@ import org.genesys2.server.model.impl.User;
 import org.genesys2.server.service.EMailVerificationService;
 import org.genesys2.server.service.PasswordPolicy.PasswordPolicyException;
 import org.genesys2.server.service.TeamService;
+import org.genesys2.server.service.TokenVerificationService.TokenExpiredException;
 import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
 import org.genesys2.server.service.UserService;
 import org.genesys2.server.servlet.controller.BaseController;
@@ -116,7 +117,7 @@ public class UserProfileController extends BaseController {
 		try {
 			emailVerificationService.validateEMail(tokenUuid, key);
 			return "redirect:/profile";
-		} catch (final NoSuchVerificationTokenException e) {
+		} catch (final NoSuchVerificationTokenException | TokenExpiredException e) {
 			// Not valid
 			model.addAttribute("tokenUuid", tokenUuid);
 			model.addAttribute("error", "error");
@@ -148,7 +149,7 @@ public class UserProfileController extends BaseController {
 		try {
 			emailVerificationService.changePassword(tokenUuid, key, password);
 			return "redirect:/content/user.password-reset";
-		} catch (final NoSuchVerificationTokenException e) {
+		} catch (final NoSuchVerificationTokenException | TokenExpiredException e) {
 			// Not valid
 			model.addAttribute("tokenUuid", tokenUuid);
 			redirectAttributes.addFlashAttribute("error", e.getMessage());

--- a/src/test/java/org/genesys2/server/mock/service/TokenConsumerService.java
+++ b/src/test/java/org/genesys2/server/mock/service/TokenConsumerService.java
@@ -18,14 +18,15 @@ package org.genesys2.server.mock.service;

 import org.genesys2.server.model.impl.VerificationToken;
 import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
+import org.genesys2.server.service.TokenVerificationService.TokenExpiredException;

 public interface TokenConsumerService {

-	void noExceptions(VerificationToken token) throws NoSuchVerificationTokenException;
+	void noExceptions(VerificationToken token) throws NoSuchVerificationTokenException, TokenExpiredException;

-	void throwRuntimeException(VerificationToken token) throws NoSuchVerificationTokenException;
+	void throwRuntimeException(VerificationToken token) throws NoSuchVerificationTokenException, TokenExpiredException;

-	void noToken() throws NoSuchVerificationTokenException;
+	void noToken() throws NoSuchVerificationTokenException, TokenExpiredException;

 	void throwException(VerificationToken token) throws Exception;


--- a/src/test/java/org/genesys2/server/mock/service/TokenConsumerServiceImpl.java
+++ b/src/test/java/org/genesys2/server/mock/service/TokenConsumerServiceImpl.java
@@ -19,6 +19,7 @@ package org.genesys2.server.mock.service;
 import org.genesys2.server.model.impl.VerificationToken;
 import org.genesys2.server.service.TokenVerificationService;
 import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
+import org.genesys2.server.service.TokenVerificationService.TokenExpiredException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -38,7 +39,7 @@ public class TokenConsumerServiceImpl implements TokenConsumerService {

 	@Override
 	@Transactional
-	public void throwRuntimeException(VerificationToken token) throws NoSuchVerificationTokenException {
+	public void throwRuntimeException(VerificationToken token) throws NoSuchVerificationTokenException, TokenExpiredException {
 		tokenVerificationService.consumeToken(token.getPurpose(), token.getUuid(), token.getKey());
 		throw new RuntimeException();
 	}
@@ -52,13 +53,13 @@ public class TokenConsumerServiceImpl implements TokenConsumerService {

 	@Override
 	@Transactional
-	public void noExceptions(VerificationToken token) throws NoSuchVerificationTokenException {
+	public void noExceptions(VerificationToken token) throws NoSuchVerificationTokenException, TokenExpiredException {
 		tokenVerificationService.consumeToken(token.getPurpose(), token.getUuid(), token.getKey());
 	}

 	@Override
 	@Transactional
-	public void noToken() throws NoSuchVerificationTokenException {
+	public void noToken() throws NoSuchVerificationTokenException, TokenExpiredException {
 		tokenVerificationService.consumeToken("nopurpose", "no-such-uuid", "wrongkey");
 		throw new RuntimeException("Should not get here");
 	}

--- a/src/test/java/org/genesys2/server/test/TokenVerificationServiceTest.java
+++ b/src/test/java/org/genesys2/server/test/TokenVerificationServiceTest.java
@@ -22,8 +22,10 @@ import static org.junit.Assert.fail;
 import org.genesys2.server.mock.service.TokenConsumerService;
 import org.genesys2.server.mock.service.TokenConsumerServiceImpl;
 import org.genesys2.server.model.impl.VerificationToken;
+import org.genesys2.server.persistence.domain.VerificationTokenRepository;
 import org.genesys2.server.service.TokenVerificationService;
 import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
+import org.genesys2.server.service.TokenVerificationService.TokenExpiredException;
 import org.genesys2.server.service.impl.TokenVerificationServiceImpl;
 import org.junit.Ignore;
 import org.junit.Test;
@@ -34,6 +36,8 @@ import org.springframework.context.annotation.ComponentScan;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

+import java.util.Calendar;
+
 /**
 * Tests for {@link TokenVerificationServiceImpl}
 *
@@ -59,6 +63,9 @@ public class TokenVerificationServiceTest {

 	}

+	@Autowired
+	private VerificationTokenRepository tokenRepository;
+
 	@Autowired
 	private TokenVerificationService tokenVerificationService;

@@ -66,12 +73,12 @@ public class TokenVerificationServiceTest {
 	private TokenConsumerService tokenConsumerService;

 	@Test(expected = NoSuchVerificationTokenException.class)
-	public void consumeException() throws NoSuchVerificationTokenException {
+	public void consumeException() throws NoSuchVerificationTokenException, TokenExpiredException {
 		tokenVerificationService.consumeToken("purpose1", "no-such-uuid", "wrongkey");
 	}

 	@Test(expected = NoSuchVerificationTokenException.class)
-	public void testGenerateAndFail() throws NoSuchVerificationTokenException {
+	public void testGenerateAndFail() throws NoSuchVerificationTokenException, TokenExpiredException {
 		final VerificationToken t = tokenVerificationService.generateToken("purpose1", null);
 		assertTrue("ID should be assigned", t.getId() != null);
 		assertTrue("UUID should be assigned", t.getUuid() != null);
@@ -90,7 +97,7 @@ public class TokenVerificationServiceTest {
 		try {
 			tokenVerificationService.consumeToken("purpose1", t.getUuid(), "wrongkey");
 			fail("Exception not thrown");
-		} catch (final NoSuchVerificationTokenException e) {
+		} catch (final NoSuchVerificationTokenException | TokenExpiredException e) {

 		}

@@ -99,12 +106,14 @@ public class TokenVerificationServiceTest {
 			assertTrue("Token not consumed", ct != null);
 		} catch (final NoSuchVerificationTokenException e) {
 			fail("Token not found");
+		} catch (final TokenExpiredException e) {
+			fail("Token has expired");
 		}

 		try {
 			tokenVerificationService.consumeToken("purpose1", t.getUuid(), t.getKey());
 			fail("Token still found");
-		} catch (final NoSuchVerificationTokenException e) {
+		} catch (final NoSuchVerificationTokenException | TokenExpiredException e) {

 		}
 	}
@@ -145,12 +154,14 @@ public class TokenVerificationServiceTest {
 			tokenConsumerService.noExceptions(t);
 		} catch (final NoSuchVerificationTokenException e) {
 			fail("Token not found");
+		} catch (TokenExpiredException e) {
+			fail("Token has expired");
 		}

 		try {
 			tokenVerificationService.consumeToken(t.getPurpose(), t.getUuid(), t.getKey());
 			fail("Token should not be available");
-		} catch (final NoSuchVerificationTokenException e) {
+		} catch (final NoSuchVerificationTokenException | TokenExpiredException e) {
 		}
 	}

@@ -163,13 +174,15 @@ public class TokenVerificationServiceTest {
 			fail("RuntimeException expected");
 		} catch (final NoSuchVerificationTokenException e) {
 			fail("Token not found");
+		} catch (TokenExpiredException e) {
+			fail("Token has expired");
 		} catch (final RuntimeException e) {
 			// ok
 		}

 		try {
 			tokenVerificationService.consumeToken(t.getPurpose(), t.getUuid(), t.getKey());
-		} catch (final NoSuchVerificationTokenException e) {
+		} catch (final NoSuchVerificationTokenException | TokenExpiredException e) {
 			fail("Token should still be available");
 		}
 	}
@@ -187,7 +200,7 @@ public class TokenVerificationServiceTest {

 		try {
 			tokenVerificationService.consumeToken(t.getPurpose(), t.getUuid(), t.getKey());
-		} catch (final NoSuchVerificationTokenException e) {
+		} catch (final NoSuchVerificationTokenException | TokenExpiredException e) {
 			fail("Token should still be available");
 		}
 	}
@@ -197,8 +210,23 @@ public class TokenVerificationServiceTest {
 		try {
 			tokenConsumerService.noToken();
 			fail("Token should not be found");
-		} catch (final NoSuchVerificationTokenException e) {
+		} catch (final NoSuchVerificationTokenException | TokenExpiredException e) {

 		}
 	}
+
+	@Test(expected = TokenExpiredException.class)
+	public void verificationTokenExpiredTest() throws TokenExpiredException, NoSuchVerificationTokenException {
+		VerificationToken token = tokenVerificationService.generateToken("purpose1", null);
+		assertTrue("ID should be assigned", token.getId() != null);
+		assertTrue("UUID should be assigned", token.getUuid() != null);
+		assertTrue("Data should be null", token.getData() == null);
+
+		Calendar calendar = Calendar.getInstance();
+		calendar.add(Calendar.HOUR_OF_DAY, -1);
+		token.setValidUntil(calendar.getTime());
+		token = tokenRepository.save(token);
+
+		tokenVerificationService.consumeToken(token.getPurpose(), token.getUuid(), token.getKey());
+	}
 }
--- a/src/test/java/org/genesys2/tests/unit/EmailVerificationServiceTest.java
+++ b/src/test/java/org/genesys2/tests/unit/EmailVerificationServiceTest.java
@@ -33,6 +33,8 @@ import org.genesys2.server.security.AuthUserDetails;
 import org.genesys2.server.service.ContentService;
 import org.genesys2.server.service.PasswordPolicy.PasswordPolicyException;
 import org.genesys2.server.service.TokenVerificationService;
+import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
+import org.genesys2.server.service.TokenVerificationService.TokenExpiredException;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Ignore;
@@ -187,7 +189,7 @@ public class EmailVerificationServiceTest extends AbstractServicesTest {

 			assertTrue(verificationTokenRepository.findAll().isEmpty());

-		} catch (TokenVerificationService.NoSuchVerificationTokenException e) {
+		} catch (NoSuchVerificationTokenException | TokenExpiredException e) {
 			e.printStackTrace();
 		}

@@ -210,7 +212,7 @@ public class EmailVerificationServiceTest extends AbstractServicesTest {
 			emailVerificationService.changePassword(verificationToken.getUuid(), verificationToken.getKey(), "1341@#!$!@#!new password for user");

 			assertTrue(userService.listUsers(new PageRequest(0, 1)).getContent().get(0).getPassword().equals("new password for user"));
-		} catch (TokenVerificationService.NoSuchVerificationTokenException e) {
+		} catch (NoSuchVerificationTokenException | TokenExpiredException e) {
 			e.printStackTrace();
 		}
 		LOG.info("Test changePasswordTest passed!");

--- a/src/test/java/org/genesys2/tests/unit/TokenVerificationServiceTest.java
+++ b/src/test/java/org/genesys2/tests/unit/TokenVerificationServiceTest.java
@@ -23,10 +23,14 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.genesys2.server.model.impl.VerificationToken;
 import org.genesys2.server.service.TokenVerificationService;
+import org.genesys2.server.service.TokenVerificationService.NoSuchVerificationTokenException;
+import org.genesys2.server.service.TokenVerificationService.TokenExpiredException;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;

+import java.util.Calendar;
+
 public class TokenVerificationServiceTest extends AbstractServicesTest {

 	private static final Log LOG = LogFactory.getLog(TokenVerificationServiceTest.class);
@@ -114,11 +118,37 @@ public class TokenVerificationServiceTest extends AbstractServicesTest {
 			assertTrue(token != null);
 			assertTrue(!isAnyTokensExists());

-		} catch (TokenVerificationService.NoSuchVerificationTokenException e) {
+		} catch (NoSuchVerificationTokenException | TokenExpiredException e) {
 			fail(e.getMessage());
 		}

 		LOG.info("Test consumeTokenTest passed!");
 	}

+	@Test
+	public void removeExpiredTest() {
+		LOG.info("Start test-method removeExpiredTest");
+