Take into account expiration for AuthCode and OauthToken

2019-08-17 22:22:02 +02:00 · 2019-08-17 22:22:02 +02:00 · 3a0f0ca780
parent 2693ba5838
commit 3a0f0ca780
2 changed files with 12 additions and 0 deletions
--- a/app/oauth/views/token.py
+++ b/app/oauth/views/token.py
@ -47,6 +47,11 @@ def token():
    auth_code: AuthorizationCode = AuthorizationCode.filter_by(code=code).first()
    if not auth_code:
        return jsonify(error=f"no such authorization code {code}"), 400
+    elif auth_code.is_expired():
+        AuthorizationCode.delete(auth_code.id)
+        db.session.commit()
+        LOG.d("delete expired authorization code:%s", auth_code)
+        return jsonify(error=f"{code} already expired"), 400

    if auth_code.client_id != client.id:
        return jsonify(error=f"are you sure this code belongs to you?"), 400
--- a/app/oauth/views/user_info.py
+++ b/app/oauth/views/user_info.py
@ -1,6 +1,8 @@
 from flask import request, jsonify
 from flask_cors import cross_origin

+from app.extensions import db
+from app.log import LOG
 from app.models import OauthToken, ClientUser
 from app.oauth.base import oauth_bp

@ -22,6 +24,11 @@ def user_info():
    oauth_token: OauthToken = OauthToken.get_by(access_token=access_token)
    if not oauth_token:
        return jsonify(error="Invalid access token"), 400
+    elif oauth_token.is_expired():
+        LOG.d("delete oauth token %s", oauth_token)
+        OauthToken.delete(oauth_token.id)
+        db.session.commit()
+        return jsonify(error="Expired access token"), 400

    client_user = ClientUser.get_or_create(
        client_id=oauth_token.client_id, user_id=oauth_token.user_id