Commit 122f2da

mo <mo@mokhan.ca>
2018-10-27 17:07:19
RFC-7009 - revoked associated grant and tokens.
Depending on the authorization server's revocation policy, the revocation of a particular token may cause the revocation of related tokens and the underlying authorization grant. If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note). If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.
1 parent 1ebe73f
Changed files (3)
app/models/authorization.rb
@@ -39,7 +39,9 @@ class Authorization < ApplicationRecord
   def revoke!
     raise 'already revoked' if revoked?
 
-    update!(revoked_at: Time.now)
+    now = Time.now
+    update!(revoked_at: now)
+    tokens.update_all(revoked_at: now)
   end
 
   def revoked?
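Review bot: `tokens.update_all(revoked_at: now)` stamps every associated token, including ones that were already revoked, so an earlier token's original `revoked_at` is overwritten, and because `update_all` bypasses `Token#revoke!` it also skips any per-token guard. Scoping the cascade to live tokens keeps the existing revocation timestamps intact: `tokens.where(revoked_at: nil).update_all(revoked_at: now)`. Note also that the `raise 'already revoked' if revoked?` guard above makes this method non-idempotent, which matters now that it is reachable from `Token#revoke!` (see the next hunk).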
app/models/token.rb
@@ -23,6 +23,7 @@ class Token < ApplicationRecord
 
   def revoke!
     update!(revoked_at: Time.now)
+    authorization&.revoke!
   end
 
   def revoked?
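Review bot: `authorization&.revoke!` will raise `'already revoked'` whenever the parent grant has already been revoked, for example when a second token under the same grant is revoked after the first one cascaded, or when the grant itself was revoked earlier; RFC 7009 expects revocation of an already-invalid token to succeed quietly rather than surface an error. Guard the cascade, e.g. `authorization&.revoke! unless authorization&.revoked?`, or make `Authorization#revoke!` a no-op when already revoked. Also worth a comment here: the quoted RFC text says the server SHOULD cascade from a refresh token and MAY cascade from an access token, and this change cascades unconditionally from both, so the policy choice should be documented on the method.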
spec/models/token_spec.rb
@@ -14,6 +14,18 @@ RSpec.describe Token, type: :model do
 
       specify { expect(subject.reload.revoked_at.to_i).to eql(DateTime.now.to_i) }
     end
+
+    context "when a token associated with an authorization grant is revoked" do
+      subject { create(:access_token, authorization: authorization) }
+
+      let(:authorization) { create(:authorization) }
+      let!(:other_token) { create(:access_token, authorization: authorization) }
+
+      before { subject.revoke! }
+
+      specify { expect(authorization.reload).to be_revoked }
+      specify { expect(other_token.reload).to be_revoked }
+    end
   end
 
   describe ".expired" do
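Review bot: the new context covers the happy path only; it does not exercise the case the previous hunks make risky, namely revoking a token whose grant is already revoked. Add a spec that revokes `subject` and then `other_token` and expects no error, plus one for a token with no `authorization` (the `&.` path) so the nil-safe call is actually tested. Because `Authorization#revoke!` raises when called twice, the two-token case is the one most likely to fail as the code stands.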