Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jw revoke patch #1116

Merged
merged 1 commit into from
Jul 2, 2018
Merged

Jw revoke patch #1116

merged 1 commit into from
Jul 2, 2018

Conversation

id4ho
Copy link
Contributor

@id4ho id4ho commented Jun 29, 2018

Summary

Hey folks,

Someone recently submitted an issue to my team about a security issue surrounding Doorkeeper access grants. Seems small but probably worth fixing.

The issue is that post-revocation of an access token, any access grants outstanding are still valid (until expiration which is default 10 mins). Since this code can be exchanged for an access token it should also be revoked with the other access tokens.

Notes are in the respective commits but to summarize changes:

  • Update specs for AccessToken.revoke_all_for to ensure scope is respected
  • Add AccessGrant.revoke_all_for
  • Add Application.revoke_all_for which in turn calls revoke_all_for on both AccessGrant and AccessToken
  • Call Application.revoke_all_for in AuthorizedApplicationsController#destroy action

@nbulaj
Copy link
Member

nbulaj commented Jul 2, 2018

Hi @jackvnimble . Looks good to me except the method name for Application model. It sounds like "revoke application" and not like "revoke tokens and grants". Could we rename it to something more meaningfull? Also could you please add an entry to NEWS.md and squash all the commits to a single one? Thanks!

@nbulaj nbulaj added this to the 5.0 milestone Jul 2, 2018
@nbulaj nbulaj self-assigned this Jul 2, 2018
@id4ho
Revoke AccessGrants along with AccessTokens
748b03f 
- When revoking authorization for an application, via
  `AuthorizedApplicationsController#destroy` revoke `AccessToken`s
  and `AccessGrant`s
- Update `AccessToken.revoke_all_for` specs to verify scope is respected.
  These specs asserted that `AccessToken.all` wasn't empty but `.all`
  returns tokens that are revoked and therefore the tests weren't
  actually verifying that the `revoke_all_for` method didn't revoke
  `AccessToken`s outside of the intended scope.
@id4ho
Copy link
Contributor Author

id4ho commented Jul 2, 2018
edited
Loading

@nbulaj done. Let me know if you'd like any other changes!

@nbulaj nbulaj merged commit f4472bc into doorkeeper-gem:master Jul 2, 2018
@nbulaj
Copy link
Member

nbulaj commented Jul 2, 2018

Thanks @jackvnimble for your work! 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@nbulaj nbulaj

Labels
enhancement
Projects
None yet
Milestone
5.0
Development

Successfully merging this pull request may close these issues.
2 participants
@id4ho @nbulaj