From ba2d54293836d0f9796a002ef27a82d93169539e Mon Sep 17 00:00:00 2001
From: Blake Wilson
Date: Sat, 25 Sep 2021 23:57:16 -0500
Subject: [PATCH] fix: (#503) remove refresh token logic

Remove the existing refresh token upon an unauthorized response from the fetch token endpoint
---
 packages/core/src/auth/server/middleware.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/packages/core/src/auth/server/middleware.ts b/packages/core/src/auth/server/middleware.ts
index a8b700e9f..c13cdbafb 100644
--- a/packages/core/src/auth/server/middleware.ts
+++ b/packages/core/src/auth/server/middleware.ts
@@ -61,6 +61,9 @@ export async function authorizeHandler(
 res.statusCode = result.response.status;
 } else {
 res.statusCode = 401;
+
+ // If the response to the token endpoint is unauthorized, remove the existing refresh token.
+ oauth.setRefreshToken(undefined);
 }
 res.end(JSON.stringify(result.result));
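Review bot: The added `oauth.setRefreshToken(undefined);` runs for every path into this `else`, but the branch assigns `res.statusCode = 401` itself instead of copying `result.response.status`, which suggests it may also be reached when the token endpoint returned no response at all (timeout, network error). If so, a transient upstream failure would discard a still-valid refresh token and force the user to re-authenticate; clearing it only when the upstream reply was an explicit rejection would keep the fix for #503 without that side effect. The `if` condition is outside the hunk, so this needs checking against the full function. It is also worth confirming that `setRefreshToken(undefined)` expires the stored token rather than storing an empty or literal `undefined` value.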