From aaad74cd6edac536a1df405552256ca66575c8cd Mon Sep 17 00:00:00 2001
From: Blake Wilson
Date: Mon, 27 Sep 2021 11:55:07 -0500
Subject: [PATCH] fix: (#503) remove refresh token logic (#507)

Remove the existing refresh token upon an unauthorized response from the fetch token endpoint
---
 packages/core/src/auth/server/middleware.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/packages/core/src/auth/server/middleware.ts b/packages/core/src/auth/server/middleware.ts
index a8b700e9f..c13cdbafb 100644
--- a/packages/core/src/auth/server/middleware.ts
+++ b/packages/core/src/auth/server/middleware.ts
@@ -61,6 +61,9 @@ export async function authorizeHandler(
 res.statusCode = result.response.status;
 } else {
 res.statusCode = 401;
+
+ // If the response to the token endpoint is unauthorized, remove the existing refresh token.
+ oauth.setRefreshToken(undefined);
 }

 res.end(JSON.stringify(result.result));
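Review bot: The refresh token is cleared only in the `else` fallback that sets `res.statusCode = 401`, while the sibling branch that copies `result.response.status` leaves it untouched. The condition choosing between the two branches is above the hunk, so if that first branch can carry an upstream 401, the stale token survives exactly the case the new comment describes. Consider keying the cleanup on the final status after the if/else, e.g. `if (res.statusCode === 401) { oauth.setRefreshToken(undefined); }`, or reword the comment to say which responses actually reach this branch. It is also worth confirming that `setRefreshToken(undefined)` expires the cookie with the same path and attributes it was set with (its implementation is not shown here), since otherwise the browser keeps sending the old value.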