You've already forked authentication-service
mirror of
https://github.com/matrix-org/matrix-authentication-service.git
synced 2025-07-29 22:01:14 +03:00
Check that an OAuth session is valid before revoking it
This commit is contained in:
@ -185,13 +185,18 @@ pub(crate) async fn post(
|
||||
.await?
|
||||
.ok_or(RouteError::UnknownToken)?;
|
||||
|
||||
// Check that the session is still valid.
|
||||
if !session.is_valid() {
|
||||
return Err(RouteError::UnknownToken);
|
||||
}
|
||||
|
||||
// Check that the client ending the session is the same as the client that
|
||||
// created it.
|
||||
if client.id != session.client_id {
|
||||
return Err(RouteError::UnauthorizedClient);
|
||||
}
|
||||
|
||||
// Now that we checked eveyrthing, we can end the session.
|
||||
// Now that we checked everything, we can end the session.
|
||||
repo.oauth2_session().finish(&clock, session).await?;
|
||||
|
||||
repo.save().await?;
|
||||
@ -308,6 +313,17 @@ mod tests {
|
||||
// Check that the token is no longer valid
|
||||
assert!(!state.is_access_token_valid(&access_token).await);
|
||||
|
||||
// Revoking a second time shouldn't fail
|
||||
let request = Request::post(mas_router::OAuth2Revocation::PATH).form(serde_json::json!({
|
||||
"token": access_token,
|
||||
"token_type_hint": "access_token",
|
||||
"client_id": client_id,
|
||||
"client_secret": client_secret,
|
||||
}));
|
||||
|
||||
let response = state.request(request).await;
|
||||
response.assert_status(StatusCode::OK);
|
||||
|
||||
// Try using the refresh token to get a new access token, it should fail.
|
||||
let request =
|
||||
Request::post(mas_router::OAuth2TokenEndpoint::PATH).form(serde_json::json!({
|
||||
|
Reference in New Issue
Block a user