Revoke OAuth grants when a user revokes an application

Currently, when a user revokes OAuth applications only
existing access tokens are revoked. If an application has already
requested a code (grant) to later redeem for an access token, the
grant may remain valid and will generate a valid access token
until expired (10 min expiry). This change ensures both access
tokens *and* grants are revoked when a user revoked the application.

app/controllers/oauth/authorized_applications_controller.rb

@@ -16,7 +16,7 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
     if params[:token_id].present?
       current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke
     else
-      Doorkeeper::AccessToken.revoke_all_for(params[:id], current_resource_owner)
+      Doorkeeper::Application.revoke_tokens_and_grants_for(params[:id], current_resource_owner)
     end
 
     redirect_to applications_profile_url,

changelogs/unreleased/security-200-dblessing-insufficient-oauth-revocation.yml

+---
+title: Revoke OAuth grants when a user revokes an application
+merge_request:
+author:
+type: security

spec/controllers/oauth/authorized_applications_controller_spec.rb

@@ -18,4 +18,20 @@ RSpec.describe Oauth::AuthorizedApplicationsController do
       expect(response).to have_gitlab_http_status(:not_found)
     end
   end
+
+  describe 'DELETE #destroy' do
+    let(:application) { create(:oauth_application) }
+    let!(:grant) { create(:oauth_access_grant, resource_owner_id: user.id, application: application) }
+    let!(:access_token) { create(:oauth_access_token, resource_owner: user, application: application) }
+
+    it 'revokes both access grants and tokens' do
+      expect(grant).not_to be_revoked
+      expect(access_token).not_to be_revoked
+
+      delete :destroy, params: { id: application.id }
+
+      expect(grant.reload).to be_revoked
+      expect(access_token.reload).to be_revoked
+    end
+  end
 end