matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-11-21 23:00:50 +03:00
Code Activity

storage: cleanup access/refresh token lookups

Browse Source
This commit is contained in:
Quentin Gliech
2023-01-11 12:14:52 +01:00
parent 920869b583
commit 9f0c9f1466
9 changed files with 452 additions and 263 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
crates/handlers/src/oauth2/token.rs
View File

@@ -33,9 +33,9 @@ use mas_keystore::{Encrypter, Keystore};
use mas_router::UrlBuilder;
use mas_storage::{
oauth2::{
access_token::{add_access_token, revoke_access_token},
access_token::{add_access_token, lookup_access_token, revoke_access_token},
authorization_grant::{exchange_grant, lookup_grant_by_code},
refresh_token::{add_refresh_token, consume_refresh_token, lookup_active_refresh_token},
refresh_token::{add_refresh_token, consume_refresh_token, lookup_refresh_token},
OAuth2SessionRepository,
},
user::BrowserSessionRepository,
@@ -374,10 +374,20 @@ async fn refresh_token_grant(
) -> Result<AccessTokenResponse, RouteError> {
let (clock, mut rng) = crate::clock_and_rng();
let (refresh_token, session) = lookup_active_refresh_token(&mut txn, &grant.refresh_token)
let refresh_token = lookup_refresh_token(&mut txn, &grant.refresh_token)
.await?
.ok_or(RouteError::InvalidGrant)?;
let session = txn
.oauth2_session()
.lookup(refresh_token.session_id)
.await?
.ok_or(RouteError::NoSuchOAuthSession)?;
if !refresh_token.is_valid() || !session.is_valid() {
return Err(RouteError::InvalidGrant);
}
if client.id != session.client_id {
// As per https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
return Err(RouteError::InvalidGrant);
@@ -407,10 +417,12 @@ async fn refresh_token_grant(
)
.await?;
consume_refresh_token(&mut txn, &clock, &refresh_token).await?;
let refresh_token = consume_refresh_token(&mut txn, &clock, refresh_token).await?;
if let Some(access_token_id) = refresh_token.access_token_id {
revoke_access_token(&mut txn, &clock, access_token_id).await?;
if let Some(access_token) = lookup_access_token(&mut txn, access_token_id).await? {
revoke_access_token(&mut txn, &clock, access_token).await?;
}
}
let params = AccessTokenResponse::new(access_token_str)