author | Alex Gleason <alex@alexgleason.me> | 2020-10-29 15:51:18 -0500 |
committer | Alex Gleason <alex@alexgleason.me> | 2020-10-29 15:51:18 -0500 |
commit | e8b436e1aff226c52458bdb10c058f1ba9ad51ca (patch) | |
tree | bbe835551eabddd27885c0feef18e5657a2cb795 | |
parent | 6231de27ac121833a179c07de959ccab2b2202a6 (diff) | |
download | pleroma-e8b436e1aff226c52458bdb10c058f1ba9ad51ca.tar.gz |
Clear user's session cookie when an OAuth token is revoked
-rw-r--r-- | lib/pleroma/web/o_auth/o_auth_controller.ex | 4 | ||||
-rw-r--r-- | test/pleroma/web/o_auth/o_auth_controller_test.exs | 38 |
2 files changed, 41 insertions, 1 deletions
diff --git a/lib/pleroma/web/o_auth/o_auth_controller.ex b/lib/pleroma/web/o_auth/o_auth_controller.ex
index 2d315d4c4..e3cf35a2b 100644
--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@@ -375,7 +375,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
   def token_revoke(%Plug.Conn{} = conn, %{"token" => _token} = params) do
     with {:ok, app} <- Token.Utils.fetch_app(conn),
          {:ok, _token} <- RevokeToken.revoke(app, params) do
-      json(conn, %{})
+      conn
+      |> Plug.Conn.delete_session(:user_id)
+      |> json(%{})
     else
       _error ->
         # RFC 7009: invalid tokens [in the request] do not cause an error response
diff --git a/test/pleroma/web/o_auth/o_auth_controller_test.exs b/test/pleroma/web/o_auth/o_auth_controller_test.exs
index d1fe894a8..251918f7b 100644
--- a/test/pleroma/web/o_auth/o_auth_controller_test.exs
+++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs
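Review bot: `Plug.Conn.delete_session(:user_id)` on the added lines clears the session attached to whichever request performed the revocation, without checking that the revoked token belongs to the user held in that session; the token is already bound (as `_token`) in the `with` clause, so the controller could bind it as `{:ok, token} <- RevokeToken.revoke(app, params)` and only drop the key when `get_session(conn, :user_id)` matches the token's owner (the test fixture associates a `user` with the token, but the exact field name is not visible here — confirm). It also removes a single key; if the login state spans other session keys, `Plug.Conn.clear_session/1` or `Plug.Conn.configure_session(conn, drop: true)` discards the whole cookie rather than one entry. Since only the cookie on this request is rewritten, sessions held by other browsers or devices for the same user are untouched, which is worth stating in a comment on the `delete_session` line so it is not read as a server-side session invalidation. The body of `token_revoke/2` continues past the end of the hunk.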
@@ -1256,6 +1256,44 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
     end
   end
 
+  describe "POST /oauth/revoke" do
+    test "deletes a token" do
+      app = insert(:oauth_app, scopes: ["read"])
+      token = insert(:oauth_token, app: app)
+
+      result =
+        build_conn()
+        |> post("/oauth/revoke", %{
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret,
+          "token" => token.token
+        })
+        |> json_response(200)
+
+      assert result == %{}
+      assert {:error, :not_found} = Pleroma.Web.OAuth.Token.get_by_token(app, token.token)
+    end
+
+    test "clears the session_id from user cookies" do
+      user = insert(:user)
+      app = insert(:oauth_app, scopes: ["read"])
+      token = insert(:oauth_token, app: app, user: user)
+
+      conn =
+        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session()
+        |> put_session(:user_id, user.id)
+        |> post("/oauth/revoke", %{
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret,
+          "token" => token.token
+        })
+
+      refute get_session(conn, :user_id)
+    end
+  end
+
   describe "POST /oauth/revoke - bad request" do
     test "returns 500" do
       response =
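Review bot: The second test is named "clears the session_id from user cookies" but the key it seeds and then refutes is `:user_id`, so the name should say what is asserted, e.g. `test "clears :user_id from the session when the token is revoked" do`. That test also never checks the response, so a regression that makes the revoke path fail before reaching the session code would only be caught indirectly; adding `assert json_response(conn, 200) == %{}` before the `refute` pins both outcomes in one place. A companion case that posts a token belonging to a different user than the one in the session and asserts the session survives would document whether the logout is meant to be scoped to the token's owner; as written the controller clears the key for any successful revocation. `@session_opts` is referenced but defined outside the hunk, so its store configuration cannot be checked here.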