Revoke OAuth session on code reuse

2025-07-29 22:01:14 +03:00 · 2022-01-14 13:20:14 +01:00
parent f876d6a134
commit 571f484894
6 changed files with 78 additions and 7 deletions
--- a/crates/storage/migrations/20220114112012_oauth_session_end.down.sql
+++ b/crates/storage/migrations/20220114112012_oauth_session_end.down.sql
@ -0,0 +1,16 @@
+-- Copyright 2021 The Matrix.org Foundation C.I.C.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+ALTER TABLE oauth2_sessions
+  DROP COLUMN "ended_at";
--- a/crates/storage/migrations/20220114112012_oauth_session_end.up.sql
+++ b/crates/storage/migrations/20220114112012_oauth_session_end.up.sql
@ -0,0 +1,16 @@
+-- Copyright 2021 The Matrix.org Foundation C.I.C.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+ALTER TABLE oauth2_sessions
+  ADD COLUMN "ended_at" TIMESTAMP WITH TIME ZONE DEFAULT NULL;
--- a/crates/storage/src/oauth2/access_token.rs
+++ b/crates/storage/src/oauth2/access_token.rs
@ -125,6 +125,7 @@ pub async fn lookup_active_access_token(
            WHERE at.token = $1
              AND at.created_at + (at.expires_after * INTERVAL '1 second') >= now()
              AND us.active
+              AND os.ended_at IS NULL

            ORDER BY usa.created_at DESC
            LIMIT 1
--- a/crates/storage/src/oauth2/mod.rs
+++ b/crates/storage/src/oauth2/mod.rs
@ -12,6 +12,31 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

+use mas_data_model::Session;
+use sqlx::PgExecutor;
+
+use crate::PostgresqlBackend;
+
 pub mod access_token;
 pub mod authorization_grant;
 pub mod refresh_token;
+
+pub async fn end_oauth_session(
+    executor: impl PgExecutor<'_>,
+    session: Session<PostgresqlBackend>,
+) -> anyhow::Result<()> {
+    let res = sqlx::query!(
+        r#"
+            UPDATE oauth2_sessions
+            SET ended_at = NOW()
+            WHERE id = $1
+        "#,
+        session.data,
+    )
+    .execute(executor)
+    .await?;
+
+    anyhow::ensure!(res.rows_affected() == 1);
+
+    Ok(())
+}
--- a/crates/storage/src/oauth2/refresh_token.rs
+++ b/crates/storage/src/oauth2/refresh_token.rs
@ -112,6 +112,7 @@ pub async fn lookup_active_refresh_token(
            WHERE rt.token = $1
              AND rt.next_token_id IS NULL
              AND us.active
+              AND os.ended_at IS NULL

            ORDER BY usa.created_at DESC
            LIMIT 1