
Check that an OAuth session is valid before revoking it

This commit is contained in:
Quentin Gliech
2023-03-02 16:04:31 +01:00
parent 34f0ec4d89
commit a79b4060d4


@ -185,13 +185,18 @@ pub(crate) async fn post(
.await?
.ok_or(RouteError::UnknownToken)?;
// Check that the session is still valid.
if !session.is_valid() {
return Err(RouteError::UnknownToken);
}
// Check that the client ending the session is the same as the client that
// created it.
if client.id != session.client_id {
return Err(RouteError::UnauthorizedClient);
}
// Now that we checked eveyrthing, we can end the session.
// Now that we checked everything, we can end the session.
repo.oauth2_session().finish(&clock, session).await?;
repo.save().await?;
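Review bot: The new `session.is_valid()` check runs before the client-ownership check, so a client that does not own the token gets `RouteError::UnknownToken` when that session has already ended but `RouteError::UnauthorizedClient` while it is still live, and the two different responses let a foreign client learn whether another client's session is still active. Moving the ownership comparison (`client.id != session.client_id`) ahead of the validity check keeps the response for a token issued to another client independent of the session's state, with no change to the outcome for the owning client. The second hunk's test expects a repeat revocation to return 200 OK, which presumably means `UnknownToken` is mapped to a success status outside this hunk; that intent is worth recording on the new check, e.g. `// An ended session is reported as an unknown token: RFC 7009 requires revoking an already-revoked token to succeed.` The enclosing `post` handler starts and ends outside the hunk.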
@ -308,6 +313,17 @@ mod tests {
// Check that the token is no longer valid
assert!(!state.is_access_token_valid(&access_token).await);
// Revoking a second time shouldn't fail
let request = Request::post(mas_router::OAuth2Revocation::PATH).form(serde_json::json!({
"token": access_token,
"token_type_hint": "access_token",
"client_id": client_id,
"client_secret": client_secret,
}));
let response = state.request(request).await;
response.assert_status(StatusCode::OK);
// Try using the refresh token to get a new access token, it should fail.
let request =
Request::post(mas_router::OAuth2TokenEndpoint::PATH).form(serde_json::json!({