Revoke OAuth session on code reuse

crates/storage/src/oauth2/access_token.rs

@@ -125,6 +125,7 @@ pub async fn lookup_active_access_token(
             WHERE at.token = $1
               AND at.created_at + (at.expires_after * INTERVAL '1 second') >= now()
               AND us.active
+              AND os.ended_at IS NULL
 
             ORDER BY usa.created_at DESC
             LIMIT 1

crates/storage/src/oauth2/mod.rs

@@ -12,6 +12,31 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+use mas_data_model::Session;
+use sqlx::PgExecutor;
+
+use crate::PostgresqlBackend;
+
 pub mod access_token;
 pub mod authorization_grant;
 pub mod refresh_token;
+
+pub async fn end_oauth_session(
+    executor: impl PgExecutor<'_>,
+    session: Session<PostgresqlBackend>,
+) -> anyhow::Result<()> {
+    let res = sqlx::query!(
+        r#"
+            UPDATE oauth2_sessions
+            SET ended_at = NOW()
+            WHERE id = $1
+        "#,
+        session.data,
+    )
+    .execute(executor)
+    .await?;
+
+    anyhow::ensure!(res.rows_affected() == 1);
+
+    Ok(())
+}

crates/storage/src/oauth2/refresh_token.rs

@@ -112,6 +112,7 @@ pub async fn lookup_active_refresh_token(
             WHERE rt.token = $1
               AND rt.next_token_id IS NULL
               AND us.active
+              AND os.ended_at IS NULL
 
             ORDER BY usa.created_at DESC
             LIMIT 1