Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revoke Refresh Token on access token use #578

Closed
wants to merge 1 commit into from
Closed

Revoke Refresh Token on access token use #578

wants to merge 1 commit into from

Conversation

rsharrott
Copy link

This PR allows refresh tokens to not either revoke at some point in the future (if you want to allow some wiggle room for network failures, etc) set refresh_token_revoked_in to some number of seconds in the future.

Also allows for refresh tokens to not be revoked until an access token created with that refresh token is successfully used once. Set refresh_token_revoked_on_use to true.

Both are off by default.

I made this work with ActiveRecord and it is passing test but no work was done for Mongoid.

houndci-bot
houndci-bot reviewed Feb 12, 2015
View reviewed changes
lib/doorkeeper/models/concerns/revocable.rb
def revoke_previous_refresh_token!
return if previous_refresh_token.nil?
old_refresh_token = AccessToken.by_refresh_token(previous_refresh_token)
old_refresh_token = nil if old_refresh_token.nil? or old_refresh_token.revoked?
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line is too long. [87/80]
Use || instead of or.

@rsharrott rsharrott mentioned this pull request Feb 12, 2015
Closed
@tute
Copy link
Contributor

tute commented Feb 12, 2015

Thanks @rsharrott! We'll need some massaging of code and git history. Regarding the commit message (and history rewriting, in general), you can always force push the branch after doing this. This will include the discussion from the PR in sync with what you are updating, which is nice, no need to open new PRs.

Your PR title and description are good, the commit message should be similar! We could amend the commit to something along the following lines:

Refresh Token revocation adjustments

This change allows refresh tokens to be revoke at some point in the future (for if you want to allow room for network failures for example). The option refresh_token_revoked_in can be set to a number of seconds in the future.

The change allows a refresh tokens to not be revoked until an access token is successfully created through it. The option refresh_token_revoked_on_use can be set to true for this behavior to take effect.

Both options are off by default.

Will do a code review later. In general, taking into account @houndci comments is a 👍.

Thanks for your good work!

tute
tute reviewed Feb 12, 2015
View reviewed changes
lib/doorkeeper/models/concerns/revocable.rb
end
end
update_attribute :previous_refresh_token, nil
end
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested rewrite of this method:

def revoke_previous_refresh_token!
  old_refresh_token = AccessToken.by_refresh_token(previous_refresh_token)
  if old_refresh_token && !old_refresh_token.revoked?
    if configuration.refresh_token_revoked_in
      old_refresh_token.revoke
    else
      old_refresh_token.revoke_in(configuration.refresh_token_revoked_in)
    end
  end
  update_attributes(previous_refresh_token: nil)
end

def configuration
  Doorkeeper.configuration
end

@francesle francesle mentioned this pull request Feb 16, 2015
Merged
@tute
Copy link
Contributor

tute commented Feb 20, 2015

ping @rsharrott

@tute
Copy link
Contributor

tute commented Mar 12, 2015

ping @rsharrott?

@tute
Copy link
Contributor

tute commented Mar 27, 2015

Thanks for your early work @rsharrott, let's not let it get stale!

I'll close it for now for lack of activity, but I'll be happy to reopen for working on it again.

@tute tute closed this Mar 27, 2015
@zetavg zetavg mentioned this pull request Jul 9, 2015
Closed
@pmdeazeta pmdeazeta mentioned this pull request Jul 13, 2015
Closed
@mt-max mt-max deleted the feature/revoke-on-use branch November 18, 2021 02:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rsharrott @tute @houndci-bot