AuthorizationCode not revoked early enough

[Uzlopak]

This is a small security issue if I understood bluebirds tap method correctly.

See also:
oauthjs/node-oauth2-server#637

I think we should revoke the AuthorizationCode much much earlier, by moving the revokeAuthorizationCode call above the redirectUri check.

node-oauth2-server/lib/grant-types/authorization-code-grant-type.js

Line 68 in 485147f

.tap(function(code) {

An attack on the authorizationCode grant is usually based on a malicious redirect_uri. So if the authorization code is valid, we load the token, then tap on validateRedirectUri, and if the redirect_uri is invalid, we error and we are not calling revokeAuthorizationCode. So the authorizationCode is still existing despite it was used already.

[jankapunkt]

We are about to remove Bluebird soon so we need to take this into consideration. @jwerre is currently working on a first proof of concept.

[jwerre]

Yes, I agree. Removing Bluebird will be the next version so we should probably do this in this version as well. Can you make a PR for this @Uzlopak.

[Uzlopak]

@jwerre a pr to move the revokation a step higher? Or a or for removing bluebird?

[jwerre]

to move the revokation