Revoke previously issued tokens on duplicate request

2015-10-03 22:50:13 -07:00 · 2015-10-03 22:50:13 -07:00 · da766d8e8b
commit da766d8e8b
parent b3b9b39690
4 changed files with 12 additions and 7 deletions
--- a/app/models/api/openid_connect/authorization.rb
+++ b/app/models/api/openid_connect/authorization.rb
@ -63,10 +63,15 @@ module Api

      def self.use_code(code)
        return unless code
-        find_by(code: code).tap do |auth|
-          next unless auth
-          auth.code = nil
+        auth = find_by(code: code)
+        return unless auth
+        if auth.code_used
+          auth.destroy
+          nil
+        else
+          auth.code_used = true
          auth.save
+          auth
        end
      end
    end
--- a/db/migrate/20150708153926_create_authorizations.rb
+++ b/db/migrate/20150708153926_create_authorizations.rb
@ -8,6 +8,7 @@ class CreateAuthorizations < ActiveRecord::Migration
      t.string :redirect_uri
      t.string :nonce
      t.string :scopes
+      t.boolean :code_used, default: false

      t.timestamps null: false
    end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -63,8 +63,9 @@ ActiveRecord::Schema.define(version: 20150828132451) do
    t.string   "redirect_uri",          limit: 255
    t.string   "nonce",                 limit: 255
    t.string   "scopes",                limit: 255
-    t.datetime "created_at",                        null: false
-    t.datetime "updated_at",                        null: false
+    t.boolean  "code_used",                         default: false
+    t.datetime "created_at",                                        null: false
+    t.datetime "updated_at",                                        null: false
  end

  add_index "authorizations", ["o_auth_application_id"], name: "index_authorizations_on_o_auth_application_id", using: :btree
--- a/spec/lib/api/openid_connect/token_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/token_endpoint_spec.rb
@ -48,7 +48,6 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do

      it "should not allow code to be reused" do
        auth.reload
-        expect(auth.code).to eq(nil)
        post api_openid_connect_access_tokens_path, grant_type: "authorization_code",
             client_id: client.client_id, client_secret: client.client_secret,
             redirect_uri: "http://localhost:3000/", code: code
@ -93,7 +92,6 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do

      it "should not allow code to be reused" do
        auth_with_specific_id.reload
-        expect(auth_with_specific_id.code).to eq(nil)
        post api_openid_connect_access_tokens_path, grant_type: "authorization_code",
             client_id: client.client_id, client_secret: client.client_secret,
             redirect_uri: "http://localhost:3000/", code: code_with_specific_id