squeegily/pleroma
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Clear user's session cookie when an OAuth token is revoked

Browse Source
This commit is contained in:
Alex Gleason 2020-10-29 15:51:18 -05:00
parent 6231de27ac
commit e8b436e1af
No known key found for this signature in database
GPG Key ID: 7211D1F99744FBB7
2 changed files with 41 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/pleroma/web/o_auth/o_auth_controller.ex
View File

@ -375,7 +375,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
def token_revoke(%Plug.Conn{} = conn, %{"token" => _token} = params) do
with {:ok, app} <- Token.Utils.fetch_app(conn),
{:ok, _token} <- RevokeToken.revoke(app, params) do
json(conn, %{})
conn
|> Plug.Conn.delete_session(:user_id)
|> json(%{})
else
_error ->
# RFC 7009: invalid tokens [in the request] do not cause an error response

38
test/pleroma/web/o_auth/o_auth_controller_test.exs
View File

@ -1256,6 +1256,44 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
end
end
describe "POST /oauth/revoke" do
test "deletes a token" do
app = insert(:oauth_app, scopes: ["read"])
token = insert(:oauth_token, app: app)
result =
build_conn()
|> post("/oauth/revoke", %{
"client_id" => app.client_id,
"client_secret" => app.client_secret,
"token" => token.token
})
|> json_response(200)
assert result == %{}
assert {:error, :not_found} = Pleroma.Web.OAuth.Token.get_by_token(app, token.token)
end
test "clears the session_id from user cookies" do
user = insert(:user)
app = insert(:oauth_app, scopes: ["read"])
token = insert(:oauth_token, app: app, user: user)
conn =
build_conn()
|> Plug.Session.call(Plug.Session.init(@session_opts))
|> fetch_session()
|> put_session(:user_id, user.id)
|> post("/oauth/revoke", %{
"client_id" => app.client_id,
"client_secret" => app.client_secret,
"token" => token.token
})
refute get_session(conn, :user_id)
end
end
describe "POST /oauth/revoke - bad request" do
test "returns 500" do
response =