From a79b4060d403865bd242fbf17ed2c13ac43be2ae Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Thu, 2 Mar 2023 16:04:31 +0100
Subject: [PATCH] Check that an OAuth session is valid before revoking it

---
 crates/handlers/src/oauth2/revoke.rs | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/crates/handlers/src/oauth2/revoke.rs b/crates/handlers/src/oauth2/revoke.rs
index d9a6748e..81ce49f0 100644
--- a/crates/handlers/src/oauth2/revoke.rs
+++ b/crates/handlers/src/oauth2/revoke.rs
@@ -185,13 +185,18 @@ pub(crate) async fn post(
         .await?
         .ok_or(RouteError::UnknownToken)?;
 
+    // Check that the session is still valid.
+    if !session.is_valid() {
+        return Err(RouteError::UnknownToken);
+    }
+
     // Check that the client ending the session is the same as the client that
     // created it.
     if client.id != session.client_id {
         return Err(RouteError::UnauthorizedClient);
     }
 
-    // Now that we checked eveyrthing, we can end the session.
+    // Now that we checked everything, we can end the session.
     repo.oauth2_session().finish(&clock, session).await?;
     repo.save().await?;
 
@@ -308,6 +313,17 @@ mod tests {
     // Check that the token is no longer valid
     assert!(!state.is_access_token_valid(&access_token).await);
 
+    // Revoking a second time shouldn't fail
+    let request = Request::post(mas_router::OAuth2Revocation::PATH).form(serde_json::json!({
+        "token": access_token,
+        "token_type_hint": "access_token",
+        "client_id": client_id,
+        "client_secret": client_secret,
+    }));
+
+    let response = state.request(request).await;
+    response.assert_status(StatusCode::OK);
+
     // Try using the refresh token to get a new access token, it should fail.
     let request = Request::post(mas_router::OAuth2TokenEndpoint::PATH).form(serde_json::json!({
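Review bot: The new `is_valid()` check runs before the client-ownership check, so a client that does not own the session now receives `UnknownToken` for an expired or already-finished session but `UnauthorizedClient` for a live one; if those variants map to different responses (the second hunk's test suggests `UnknownToken` ends in 200 OK), any registered client can tell live from dead sessions of other clients, which the previous order did not expose. Moving the `if !session.is_valid()` block below the `client.id != session.client_id` guard keeps `UnauthorizedClient` as the only answer for foreign sessions, and the new test still passes since the second revocation comes from the owning client. The comment could also say why the check exists, e.g. `// Treat an expired or already-finished session as unknown so finish() is not called on it again; revocation is idempotent.` — presumably that is what `is_valid()` covers, but it is not visible here. `post` starts and ends outside the hunk.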