Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow for expired refresh tokens to be revoked #1744

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Allow for expired refresh tokens to be revoked #1744

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3df99ca
Allow for expired refresh tokens to be revoked
ransombriggs Oct 30, 2024
07861c6
Updating CHANGELOG.md
ransombriggs Oct 30, 2024
a009e88
Try to fix revoke_token cognitive complexity
ransombriggs Oct 31, 2024
9f3b7d1
Merge branch 'main' into allow-refresh-tokens-to-be-revoked-after-expire
ransombriggs Oct 31, 2024
5dd6454
Move revoke logic out into classes
ransombriggs Nov 8, 2024
1503e70
Merge branch 'main' into allow-refresh-tokens-to-be-revoked-after-expire
ransombriggs Nov 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ User-visible changes worth mentioning.

Add your entry here.

- [#1744] Allow for expired refresh tokens to be revoked
- [#1747] Fix unknown pkce method error when configured

## 5.8.0
Expand Down
29 changes: 24 additions & 5 deletions app/controllers/doorkeeper/tokens_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,19 +113,38 @@ def revoke_token
# The authorization server responds with HTTP status code 200 if the token
# has been revoked successfully or if the client submitted an invalid
# token
token.revoke if token&.accessible?
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have already checked token.blank? by the time we call this so the &. felt unnecessary, but I can bring it back.

revocable_token.revoke if revocable_token.revocable?
end

def token
@token ||=
revocable_token&.token
end

def revocable_token
return @revocable_token if defined? @revocable_token

@revocable_token =
if params[:token_type_hint] == "refresh_token"
Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
refresh_token
else
Doorkeeper.config.access_token_model.by_token(params["token"]) ||
Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
access_token || refresh_token
end
end

def refresh_token
token = Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
return unless token

RevocableTokens::RevocableRefreshToken.new(token)
end

def access_token
token = Doorkeeper.config.access_token_model.by_token(params["token"])
return unless token

RevocableTokens::RevocableAccessToken.new(token)
end

def strategy
@strategy ||= server.token_request(params[:grant_type])
end
Expand Down
5 changes: 5 additions & 0 deletions lib/doorkeeper.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,11 @@ module Request
autoload :Token, "doorkeeper/request/token"
end

module RevocableTokens
autoload :RevocableAccessToken, "doorkeeper/revocable_tokens/revocable_access_token"
autoload :RevocableRefreshToken, "doorkeeper/revocable_tokens/revocable_refresh_token"
end

module OAuth
autoload :BaseRequest, "doorkeeper/oauth/base_request"
autoload :AuthorizationCodeRequest, "doorkeeper/oauth/authorization_code_request"
Expand Down
21 changes: 21 additions & 0 deletions lib/doorkeeper/revocable_tokens/revocable_access_token.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# frozen_string_literal: true

module Doorkeeper
module RevocableTokens
class RevocableAccessToken
attr_reader :token

def initialize(token)
@token = token
end

def revocable?
token.accessible?
end

def revoke
token.revoke
end
end
end
end
21 changes: 21 additions & 0 deletions lib/doorkeeper/revocable_tokens/revocable_refresh_token.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# frozen_string_literal: true

module Doorkeeper
module RevocableTokens
class RevocableRefreshToken
attr_reader :token

def initialize(token)
@token = token
end

def revocable?
!token.revoked?
end

def revoke
token.revoke
end
end
end
end
95 changes: 92 additions & 3 deletions spec/controllers/tokens_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,15 @@
# https://datatracker.ietf.org/doc/html/rfc7009#section-2.2
describe "POST #revoke" do
let(:client) { FactoryBot.create(:application) }
let(:access_token) { FactoryBot.create(:access_token, application: client) }
let(:revoked_at) { nil }
let(:access_token) do
FactoryBot.create(
:access_token,
application: client,
revoked_at: revoked_at,
use_refresh_token: true
)
end

context "when associated app is public" do
let(:client) { FactoryBot.create(:application, confidential: false) }
Expand All @@ -183,8 +191,89 @@
expect(response.status).to eq 200
end

it "revokes the access token" do
post :revoke, params: { client_id: client.uid, token: access_token.token }
it "does not revoke the access token when token_type_hint == refresh_token" do
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The token method was not fully tested so added some specs before I made my changes.

post :revoke, params: {
client_id: client.uid,
token: access_token.token,
token_type_hint: "refresh_token",
}

expect(response.status).to eq 200

expect(access_token.reload).to have_attributes(revoked?: false)
end

it "revokes the refresh token when token_type_hint == refresh_token" do
post :revoke, params: {
client_id: client.uid,
token: access_token.refresh_token,
token_type_hint: "refresh_token",
}

expect(response.status).to eq 200

expect(access_token.reload).to have_attributes(revoked?: true)
end

it "revokes the refresh token when token_type_hint not passed" do
post :revoke, params: {
client_id: client.uid,
token: access_token.refresh_token,
}

expect(response.status).to eq 200

expect(access_token.reload).to have_attributes(revoked?: true)
end

context "when access_token has already been revoked" do
let(:revoked_at) { 1.day.ago.floor }

it "does not update the revoked_at when the access token has already been revoked" do
post :revoke, params: {
client_id: client.uid,
token: access_token.token,
}

expect(response.status).to eq 200

expect(access_token.reload).to have_attributes(revoked_at: revoked_at)
end

it "does not update the revoked_at when the refresh token has already been revoked" do
post :revoke, params: {
client_id: client.uid,
token: access_token.refresh_token,
}

expect(response.status).to eq 200

expect(access_token.reload).to have_attributes(revoked_at: revoked_at)
end
end

it "does not revoke when the access token has expired" do
access_token.update!(created_at: access_token.created_at - access_token.expires_in - 1)

post :revoke, params: {
client_id: client.uid,
token: access_token.token,
}

expect(response.status).to eq 200

expect(access_token.reload).to have_attributes(revoked?: false)
end

it "revokes the refresh token after the access token has expired" do
access_token.update!(created_at: access_token.created_at - access_token.expires_in - 1)

post :revoke, params: {
client_id: client.uid,
token: access_token.refresh_token,
}

expect(response.status).to eq 200

expect(access_token.reload).to have_attributes(revoked?: true)
end
Expand Down