Revoke previously issued tokens on duplicate request
This commit is contained in:
theworldbright
parent
b3b9b39690
commit
da766d8e8b
4 changed files with 12 additions and 7 deletions
|
|
@ -63,10 +63,15 @@ module Api
|
||||||
|
|
||||||
def self.use_code(code)
|
def self.use_code(code)
|
||||||
return unless code
|
return unless code
|
||||||
find_by(code: code).tap do |auth|
|
auth = find_by(code: code)
|
||||||
next unless auth
|
return unless auth
|
||||||
auth.code = nil
|
if auth.code_used
|
||||||
|
auth.destroy
|
||||||
|
nil
|
||||||
|
else
|
||||||
|
auth.code_used = true
|
||||||
auth.save
|
auth.save
|
||||||
|
auth
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -8,6 +8,7 @@ class CreateAuthorizations < ActiveRecord::Migration
|
||||||
t.string :redirect_uri
|
t.string :redirect_uri
|
||||||
t.string :nonce
|
t.string :nonce
|
||||||
t.string :scopes
|
t.string :scopes
|
||||||
|
t.boolean :code_used, default: false
|
||||||
|
|
||||||
t.timestamps null: false
|
t.timestamps null: false
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -63,8 +63,9 @@ ActiveRecord::Schema.define(version: 20150828132451) do
|
||||||
t.string "redirect_uri", limit: 255
|
t.string "redirect_uri", limit: 255
|
||||||
t.string "nonce", limit: 255
|
t.string "nonce", limit: 255
|
||||||
t.string "scopes", limit: 255
|
t.string "scopes", limit: 255
|
||||||
t.datetime "created_at", null: false
|
t.boolean "code_used", default: false
|
||||||
t.datetime "updated_at", null: false
|
t.datetime "created_at", null: false
|
||||||
|
t.datetime "updated_at", null: false
|
||||||
end
|
end
|
||||||
|
|
||||||
add_index "authorizations", ["o_auth_application_id"], name: "index_authorizations_on_o_auth_application_id", using: :btree
|
add_index "authorizations", ["o_auth_application_id"], name: "index_authorizations_on_o_auth_application_id", using: :btree
|
||||||
|
|
|
||||||
|
|
@ -48,7 +48,6 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
|
||||||
|
|
||||||
it "should not allow code to be reused" do
|
it "should not allow code to be reused" do
|
||||||
auth.reload
|
auth.reload
|
||||||
expect(auth.code).to eq(nil)
|
|
||||||
post api_openid_connect_access_tokens_path, grant_type: "authorization_code",
|
post api_openid_connect_access_tokens_path, grant_type: "authorization_code",
|
||||||
client_id: client.client_id, client_secret: client.client_secret,
|
client_id: client.client_id, client_secret: client.client_secret,
|
||||||
redirect_uri: "http://localhost:3000/", code: code
|
redirect_uri: "http://localhost:3000/", code: code
|
||||||
|
|
@ -93,7 +92,6 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
|
||||||
|
|
||||||
it "should not allow code to be reused" do
|
it "should not allow code to be reused" do
|
||||||
auth_with_specific_id.reload
|
auth_with_specific_id.reload
|
||||||
expect(auth_with_specific_id.code).to eq(nil)
|
|
||||||
post api_openid_connect_access_tokens_path, grant_type: "authorization_code",
|
post api_openid_connect_access_tokens_path, grant_type: "authorization_code",
|
||||||
client_id: client.client_id, client_secret: client.client_secret,
|
client_id: client.client_id, client_secret: client.client_secret,
|
||||||
redirect_uri: "http://localhost:3000/", code: code_with_specific_id
|
redirect_uri: "http://localhost:3000/", code: code_with_specific_id
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue