-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revoke Refresh Token on access token use #769
Conversation
end | ||
|
||
context 'revoked token' do | ||
time = DateTime.now + 1.day |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do not use DateTime.now
without zone. Use one of Time.zone.now
, DateTime.now.current
, DateTime.now.in_time_zone
, DateTime.now.utc
, DateTime.now.getlocal
, DateTime.now.iso8601
, DateTime.now.jisx0301
, DateTime.now.rfc3339
, DateTime.now.to_i
, DateTime.now.to_f
instead.
@tute I have updated code for all your comments from earlier PR, except this one. What about |
You are probably right.
Yep!
Doing it now. Thank you! |
def change | ||
add_column :oauth_access_tokens, :previous_refresh_token, :string, default: "", null: false | ||
end | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you want to update this migration with the one with the new coding style? Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
Left a few comments, this is looking great. Thank you! |
end | ||
|
||
before do | ||
@time = Time.now.round |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do not use Time.now
without zone. Use one of Time.zone.now
, Time.now.current
, Time.now.in_time_zone
, Time.now.utc
, Time.now.getlocal
, Time.now.iso8601
, Time.now.jisx0301
, Time.now.rfc3339
, Time.now.to_i
, Time.now.to_f
instead.
@tute Thanks for the comments. |
df2f3a8
to
9b64f35
Compare
@tute I think we should instantly revoke token here: def revoke_previous_refresh_token!
if old_refresh_token && !old_refresh_token.revoked?
old_refresh_token.revoke_in(refresh_token_revoked_in)
end
update_attribute :previous_refresh_token, ""
end I will change the code to: def revoke_previous_refresh_token!
if old_refresh_token && !old_refresh_token.revoked?
old_refresh_token.revoke
end
update_attribute :previous_refresh_token, ""
end This method is only used during authentication. |
token = ->(r) { 'token' } | ||
expect(AccessToken).to receive(:by_token).with('token') | ||
Token.authenticate double, token | ||
end | ||
|
||
it 'revokes previous refresh_token if token was found' do | ||
token = ->(r) { 'token' } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unused block argument - r
. If it's necessary, use _
or _r
as an argument name to indicate that it won't be used. Also consider using a proc without arguments instead of a lambda if you want it to accept any arguments but don't care about them.
@tute ping 😉 |
double(Doorkeeper::AccessToken, accessible?: false, revoked?: false, expired?: false, includes_scope?: false, acceptable?: false) | ||
double(Doorkeeper::AccessToken, | ||
accessible?: false, revoked?: false, expired?: false, includes_scope?: false, | ||
acceptable?: false, previous_refresh_token: "", revoke_previous_refresh_token!: true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Line is too long. [96/80]
@tute Thanks for a quick review! |
f2a34bb
to
eca7000
Compare
Left a question around documentation for developers: how can they disable this option? Where should we document that? Looking great, thanks for your work! |
|
||
# If you have a `previous_refresh_token` column, refresh tokens will be revoked | ||
# only after a generated access token is used. | ||
# Remove `previous_refresh_token` column, if you would like to have them revoked |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Line is too long. [86/80]
87edb5e
to
6bab9a5
Compare
Thanks again for your time 😉 |
# If you have a `previous_refresh_token` column, refresh tokens | ||
# will be revoked only after a generated access token is used. | ||
# Remove `previous_refresh_token` column, if you would like | ||
# to have them revoked as soon as a new access token is issued. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great! Suggested rewording:
If there is a
previous_refresh_token
column, refresh tokens will be revoked after a related access token is used. If there is noprevious_refresh_token
column, previous tokens are revoked as soon as a new access token is created. Comment out this line if you'd rather have refresh tokens instantly revoked.
Two small comments, ready to squash commits together after those! Thank you again. :) |
ae8faad
to
1abd87b
Compare
@tute Updated migration comment, added news detail and squashed. Cheers! |
require 'rails/generators/active_record' | ||
|
||
module Doorkeeper | ||
class PreviousRefreshTokenGenerator < Rails::Generators::Base |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does Rails
need a ::
prefix? I got:
% rails generate doorkeeper:previous_refresh_token
[WARNING] Could not load generator "generators/doorkeeper/previous_refresh_token_generator". Error: uninitialized constant Doorkeeper::Rails::Generators.
/Users/tutec/Sites/opensource/doorkeeper-gem/doorkeeper/lib/generators/doorkeeper/previous_refresh_token_generator.rb:4:in `<module:Doorkeeper>'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something must have changed since the time it was originally created.
Will move module directly into class definition.
The migration didn't run in my Also, suggestion for the commit message:
|
When AccessToken#previous_refresh_token attribute exists, it is populated with the refresh token that issues the access token. This refresh token will be revoked when the access token is authenticated for the first time. If the attribute doesn't exist in the database, doorkeeper will revoke the refresh token as soon as it issues a new access token, regardless of when is it used.
1abd87b
to
cb22b3c
Compare
Indeed, the migration in dummy app was scheduled before the table creation 😉 |
😃 🎉 ❤️❤️❤️ |
Nice work – can't wait to use it in 4.0.0 stable! 👍 |
I am attempting to use |
@kevinelliott all you need is just to add 'previous_refresh_token' column to Access Tokens (see Doorkeeper rake tasks, there must be a generator for migration). |
@Fredar @tute Is there any documentation for the refresh_token_revoked_on_use option? I couldn't find it in https://doorkeeper.gitbook.io/guides/ |
@hickford Dont think so, but it should be pretty straightforward to use. Commit msg explains roughly how it works There is also a migration generator. (if you installed doorkeeper before it was part of default migration set) |
Creating another PR based on #691. Copying description: