oauth2: Fixes clients being able to revoke any token (#677)
Closes #676
arekkas authored Dec 4, 2017
1 parent 7d5d857 commit df8e6eb
Showing 3 changed files with 18 additions and 11 deletions.
6 changes: 3 additions & 3 deletions Gopkg.lock


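--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -75,7 +75,7 @@
 
 [[constraint]]
 name = "github.com/ory/fosite"
-version = "0.13.0"
+version = "0.13.1"
 
 [[constraint]]
 name = "github.com/ory/graceful"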
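--- a/oauth2/revocator_test.go
+++ b/oauth2/revocator_test.go
@@ -49,7 +49,7 @@ func createAccessTokenSession(subject, client string, token string, expiresAt ti
 
 func TestRevoke(t *testing.T) {
 var (
-tokens = pkg.Tokens(3)
+tokens = pkg.Tokens(4)
 store = storage.NewExampleStore()
 now = time.Now().Round(time.Second)
 )
@@ -73,9 +73,10 @@ func TestRevoke(t *testing.T) {
 handler.SetRoutes(router)
 server := httptest.NewServer(router)
 
-createAccessTokenSession("alice", "siri", tokens[0][0], now.Add(time.Hour), store, nil)
-createAccessTokenSession("siri", "siri", tokens[1][0], now.Add(time.Hour), store, nil)
-createAccessTokenSession("siri", "doesnt-exist", tokens[2][0], now.Add(-time.Hour), store, nil)
+createAccessTokenSession("alice", "my-client", tokens[0][0], now.Add(time.Hour), store, nil)
+createAccessTokenSession("siri", "my-client", tokens[1][0], now.Add(time.Hour), store, nil)
+createAccessTokenSession("siri", "my-client", tokens[2][0], now.Add(-time.Hour), store, nil)
+createAccessTokenSession("siri", "doesnt-exist", tokens[3][0], now.Add(-time.Hour), store, nil)
 
 client := hydra.NewOAuth2ApiWithBasePath(server.URL)
 client.Configuration.Username = "my-client"
@@ -88,10 +89,16 @@ func TestRevoke(t *testing.T) {
 {
 token: "invalid",
 },
+{
+token: tokens[3][1],
+assert: func(t *testing.T) {
+assert.Len(t, store.AccessTokens, 4)
+},
+},
 {
 token: tokens[0][1],
 assert: func(t *testing.T) {
-assert.Len(t, store.AccessTokens, 2)
+assert.Len(t, store.AccessTokens, 3)
 },
 },
 {
@@ -100,13 +107,13 @@ func TestRevoke(t *testing.T) {
 {
 token: tokens[2][1],
 assert: func(t *testing.T) {
-assert.Len(t, store.AccessTokens, 1)
+assert.Len(t, store.AccessTokens, 2)
 },
 },
 {
 token: tokens[1][1],
 assert: func(t *testing.T) {
-assert.Len(t, store.AccessTokens, 0)
+assert.Len(t, store.AccessTokens, 1)
 },
 },
 } {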
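Review bot: The only cross-client case, the `tokens[3][1]` entry, targets a session that is already expired (`now.Add(-time.Hour)`) and owned by the client id `doesnt-exist`, so the test does not show that a live token issued to another client survives a revocation request from `my-client`. Making that session unexpired, `createAccessTokenSession("siri", "doesnt-exist", tokens[3][0], now.Add(time.Hour), store, nil)`, would pin the case this fix is about. The case also checks only `assert.Len(t, store.AccessTokens, 4)`; the loop body that sends the request lies outside the visible hunks, so whether the response status is asserted cannot be seen here, and a count alone would not notice if a different token were removed. A short comment on the case, such as `// token issued to another client: must not be revoked`, would explain why the count stays at 4.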
