From 3a0f0ca78062f92e9d7e27141635f9655813ac30 Mon Sep 17 00:00:00 2001
From: Son NK
Date: Sat, 17 Aug 2019 22:22:02 +0200
Subject: [PATCH] Take into account expiration for AuthCode and OauthToken
---
app/oauth/views/token.py | 5 +++++
app/oauth/views/user_info.py | 7 +++++++
2 files changed, 12 insertions(+)
diff --git a/app/oauth/views/token.py b/app/oauth/views/token.py
index 6b72aa04..4b72dbbd 100644
--- a/app/oauth/views/token.py
+++ b/app/oauth/views/token.py
@@ -47,6 +47,11 @@ def token():
 auth_code: AuthorizationCode = AuthorizationCode.filter_by(code=code).first()
 if not auth_code:
 return jsonify(error=f"no such authorization code {code}"), 400
+ elif auth_code.is_expired():
+ AuthorizationCode.delete(auth_code.id)
+ db.session.commit()
+ LOG.d("delete expired authorization code:%s", auth_code)
+ return jsonify(error=f"{code} already expired"), 400
 if auth_code.client_id != client.id:
 return jsonify(error=f"are you sure this code belongs to you?"), 400
diff --git a/app/oauth/views/user_info.py b/app/oauth/views/user_info.py
index a47c8ec4..0b41316f 100644
--- a/app/oauth/views/user_info.py
+++ b/app/oauth/views/user_info.py
@@ -1,6 +1,8 @@
 from flask import request, jsonify
 from flask_cors import cross_origin
+from app.extensions import db
+from app.log import LOG
 from app.models import OauthToken, ClientUser
 from app.oauth.base import oauth_bp
@@ -22,6 +24,11 @@ def user_info():
 oauth_token: OauthToken = OauthToken.get_by(access_token=access_token)
 if not oauth_token:
 return jsonify(error="Invalid access token"), 400
+ elif oauth_token.is_expired():
+ LOG.d("delete oauth token %s", oauth_token)
+ OauthToken.delete(oauth_token.id)
+ db.session.commit()
+ return jsonify(error="Expired access token"), 400
 client_user = ClientUser.get_or_create(
 client_id=oauth_token.client_id,
 user_id=oauth_token.user_id
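Review bot: The new `elif auth_code.is_expired():` branch in token.py runs before the existing `if auth_code.client_id != client.id:` ownership check, so a client presenting a code that was issued to a different client both learns that the code exists-but-expired and makes the server delete that other client's row; move the expiry branch below the ownership check so only the code's own client can observe or trigger it. The error body also reflects the submitted code back in `f"{code} already expired"`, which is unnecessary — a fixed string such as `return jsonify(error="authorization code expired"), 400` is enough. `LOG.d("delete expired authorization code:%s", auth_code)` logs the whole model object; unless its repr is known to omit the code value, prefer `LOG.d("delete expired authorization code id=%s", auth_code.id)` so a one-time secret is not written to log storage. The body of `token()` continues outside the hunk, so whether a successfully redeemed code is also invalidated (RFC 6749 §4.1.2 single-use) cannot be judged from here.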
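Review bot: In user_info.py, `LOG.d("delete oauth token %s", oauth_token)` writes the ORM object to the debug log; if `OauthToken.__repr__` includes `access_token`, the bearer secret ends up in logs — log the identifier instead, `LOG.d("delete expired oauth token id=%s", oauth_token.id)`. The expired path returns 400 with a message distinct from the unknown-token case; for a bearer-protected resource RFC 6750 §3.1 calls for 401 with `WWW-Authenticate: Bearer error="invalid_token"`, and a single response for both cases avoids telling a caller whether the token it holds was ever valid — the pre-existing `Invalid access token` line has the same issue, so this is a follow-up rather than a blocker for this commit. Two concurrent requests carrying the same expired token can both reach `OauthToken.delete(oauth_token.id)`; whether the second delete is a harmless no-op depends on that helper, which is not visible here, so confirm it tolerates an already-removed row. `user_info()` continues past the end of the hunk.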