fix: handle inactive token error (ory#712)

shipperizer · Jan 3, 2024 · b8b2e73 · b8b2e73
1 parent 75dfe1c
commit b8b2e73
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/handler/oauth2/revocation.go b/handler/oauth2/revocation.go
@@ -80,8 +80,9 @@ func (r *TokenRevocationHandler) RevokeToken(ctx context.Context, token string,
 }
 
 func storeErrorsToRevocationError(err1, err2 error) error {
-	// both errors are 404 or nil <=> the token is revoked
-	if (errors.Is(err1, fosite.ErrNotFound) || err1 == nil) && (errors.Is(err2, fosite.ErrNotFound) || err2 == nil) {
+	// both errors are fosite.ErrNotFound and fosite.ErrInactiveToken or nil <=> the token is revoked
+	if (errors.Is(err1, fosite.ErrNotFound) || errors.Is(err1, fosite.ErrInactiveToken) || err1 == nil) &&
+		(errors.Is(err2, fosite.ErrNotFound) || errors.Is(err2, fosite.ErrInactiveToken) || err2 == nil) {
 		return nil
 	}
 

diff --git a/handler/oauth2/revocation_test.go b/handler/oauth2/revocation_test.go
@@ -161,6 +161,35 @@ func TestRevokeToken(t *testing.T) {
 				store.EXPECT().GetRefreshTokenSession(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil, fosite.ErrNotFound)
 			},
 		},
+		{
+
+			description: "should pass - refresh token discovery first; refresh token is inactive",
+			expectErr:   nil,
+			client:      &fosite.DefaultClient{ID: "bar"},
+			mock: func() {
+				token = "foo"
+				tokenType = fosite.RefreshToken
+				rtStrat.EXPECT().RefreshTokenSignature(gomock.Any(), token)
+				store.EXPECT().GetRefreshTokenSession(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil, fosite.ErrInactiveToken)
+
+				atStrat.EXPECT().AccessTokenSignature(gomock.Any(), token)
+				store.EXPECT().GetAccessTokenSession(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil, fosite.ErrNotFound)
+			},
+		},
+		{
+			description: "should pass - access token discovery first; refresh token is inactive",
+			expectErr:   nil,
+			client:      &fosite.DefaultClient{ID: "bar"},
+			mock: func() {
+				token = "foo"
+				tokenType = fosite.AccessToken
+				atStrat.EXPECT().AccessTokenSignature(gomock.Any(), token)
+				store.EXPECT().GetAccessTokenSession(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil, fosite.ErrNotFound)
+
+				rtStrat.EXPECT().RefreshTokenSignature(gomock.Any(), token)
+				store.EXPECT().GetRefreshTokenSession(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil, fosite.ErrInactiveToken)
+			},
+		},
 		{
 			description: "should fail - store error for access token get",
 			expectErr:   fosite.ErrTemporarilyUnavailable,