fix(#638): concurrency issue on new token from refresh token

(cherry picked from commit 199e818)
jazzband · Oct 2, 2018 · f47483e · f47483e
1 parent 1157361
commit f47483e
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -489,6 +489,12 @@ def save_bearer_token(self, token, request, *args, **kwargs):
             else:
                 # revoke existing tokens if possible to allow reuse of grant
                 if isinstance(refresh_token_instance, RefreshToken):
+                    # First, to ensure we don't have concurrency issues, we refresh the refresth token
+                    # from the db while acquiring a lock on it
+                    refresh_token_instance = RefreshToken.objects.select_for_update().get(
+                        id=refresh_token_instance.id
+                    )
+
                     previous_access_token = AccessToken.objects.filter(
                         source_refresh_token=refresh_token_instance
                     ).first()