From 281b46c250ab9d0e565490bbd75728cf4b9dad0c Mon Sep 17 00:00:00 2001
From: Phillip Baker
Date: Thu, 15 Feb 2018 22:21:22 -0500
Subject: [PATCH] Prevent racecondition on consuming refresh token.

---
 oauth2_provider/models.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/oauth2_provider/models.py b/oauth2_provider/models.py
index 6836fe35f..07a6bdfcb 100644
--- a/oauth2_provider/models.py
+++ b/oauth2_provider/models.py
@@ -343,10 +343,18 @@ def revoke(self):
 Mark this refresh token revoked and revoke related access token
 """
 access_token_model = get_access_token_model()
- access_token_model.objects.get(id=self.access_token_id).revoke()
- self.access_token = None
- self.revoked = timezone.now()
- self.save()
+ refresh_token_model = get_refresh_token_model()
+ with transaction.atomic():
+ self = refresh_token_model.objects.filter(
+ pk=self.pk, revoked__isnull=True
+ ).select_for_update().first()
+ if not self:
+ return
+
+ access_token_model.objects.get(id=self.access_token_id).revoke()
+ self.access_token = None
+ self.revoked = timezone.now()
+ self.save()
 
 def __str__(self):
 return self.token
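Review bot: Rebinding `self` to the row returned by `select_for_update().first()` means the caller's instance is never updated — after `revoke()` returns, the object the caller holds still reports `revoked is None` and a live `access_token`, so any caller that inspects or re-saves that instance (or re-enters `revoke()` on it) works on stale state; bind the locked row to a separate name and copy the outcome back onto `self`, as in the excerpt below. The `if not self: return` path also silently turns an already-revoked or missing token into a no-op, which is the intended race resolution but deserves a one-line comment, e.g. `# Another transaction already consumed this token; nothing left to revoke.` Note that `select_for_update()` only serializes concurrent callers on backends that support row locks (it is a no-op on SQLite), so the race this commit closes remains open there; worth stating in the docstring. The `def revoke(self):` signature and the `transaction`/`get_refresh_token_model` imports this hunk relies on lie outside the hunk, so I cannot confirm they are in scope here.
```python
        with transaction.atomic():
            locked = refresh_token_model.objects.filter(
                pk=self.pk, revoked__isnull=True
            ).select_for_update().first()
            if locked is None:
                # Another transaction already consumed this token; nothing left to revoke.
                return
            access_token_model.objects.get(id=locked.access_token_id).revoke()
            locked.access_token = None
            locked.revoked = timezone.now()
            locked.save()
        # Reflect the persisted outcome on the caller's instance as well.
        self.access_token = None
        self.revoked = locked.revoked
```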