Commit 9e9d97f7 authored by Drew Blessing's avatar Drew Blessing Committed by Drew Blessing

Revoke OAuth grants when a user revokes an application

Currently, when a user revokes OAuth applications only
existing access tokens are revoked. If an application has already
requested a code (grant) to later redeem for an access token, the
grant may remain valid and will generate a valid access token
until expired (10 min expiry). This change ensures both access
tokens *and* grants are revoked when a user revoked the application.
parent e85930c5
...@@ -16,7 +16,7 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio ...@@ -16,7 +16,7 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
if params[:token_id].present? if params[:token_id].present?
current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke
else else
Doorkeeper::AccessToken.revoke_all_for(params[:id], current_resource_owner) Doorkeeper::Application.revoke_tokens_and_grants_for(params[:id], current_resource_owner)
end end
redirect_to applications_profile_url, redirect_to applications_profile_url,
......
---
title: Revoke OAuth grants when a user revokes an application
merge_request:
author:
type: security
...@@ -18,4 +18,20 @@ RSpec.describe Oauth::AuthorizedApplicationsController do ...@@ -18,4 +18,20 @@ RSpec.describe Oauth::AuthorizedApplicationsController do
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:not_found)
end end
end end
describe 'DELETE #destroy' do
let(:application) { create(:oauth_application) }
let!(:grant) { create(:oauth_access_grant, resource_owner_id: user.id, application: application) }
let!(:access_token) { create(:oauth_access_token, resource_owner: user, application: application) }
it 'revokes both access grants and tokens' do
expect(grant).not_to be_revoked
expect(access_token).not_to be_revoked
delete :destroy, params: { id: application.id }
expect(grant.reload).to be_revoked
expect(access_token.reload).to be_revoked
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment