Revoke token on wrong auth

[ivan1986]

if login on email have not access can not relogin on other
if add in -- If no whitelist or blacklist, match on domain

https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)

before return 401
all ok

maybe add option?

[ivan1986]

  -- If no whitelist or blacklist, match on domain
  if not whitelist and not blacklist and domain then
    if oauth_domain ~= domain then
      if debug then
        ngx.log(ngx.ERR, "DEBUG: "..email.." not in "..domain)
      end

      https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)

      return ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
  end

  if whitelist then
    if not string.find(" " .. whitelist .. " ", " " .. email .. " ") then
      if debug then
        ngx.log(ngx.ERR, "DEBUG: "..email.." not in whitelist")
      end

      https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)

      return ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
  end

  if blacklist then
    if string.find(" " .. blacklist .. " ", " " .. email .. " ") then
      if debug then
        ngx.log(ngx.ERR, "DEBUG: "..email.." in blacklist")
      end

      https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)

      return ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
  end

[awestendorf]

That sounds reasonable. Can you put that into a PR?

[ivan1986]

@awestendorf hmmm
ping?

[awestendorf]

Apologies, I forgot all about this. I'll try to test it soon.