// Copyright © 2024 Ory Corp
// SPDX-License-Identifier: Apache-2.0
package oauth2
import (
"context"
"github.com/ory/x/errorsx"
"github.com/pkg/errors"
"github.com/ory/fosite"
)
// TokenRevocationHandler revokes access and refresh tokens on behalf of a
// client; see RevokeToken for the lookup and ownership rules.
//
// RevokeToken dereferences all three fields without nil checks, so each of
// them must be set before the handler is used.
type TokenRevocationHandler struct {
	// TokenRevocationStorage looks up token sessions by signature and revokes
	// tokens by request ID.
	TokenRevocationStorage TokenRevocationStorage
	// RefreshTokenStrategy derives the signature under which a presented
	// refresh token is looked up in storage.
	RefreshTokenStrategy RefreshTokenStrategy
	// AccessTokenStrategy derives the signature under which a presented
	// access token is looked up in storage.
	AccessTokenStrategy AccessTokenStrategy
}
// RevokeToken implements https://tools.ietf.org/html/rfc7009#section-2.1
//
// tokenType is only a hint: it selects which lookup (refresh or access) runs
// first. If the first lookup fails, the other token type is still tried, so a
// wrong or missing hint does not prevent revocation.
//
// The token is revoked only when the session it resolves to belongs to the
// calling client; otherwise fosite.ErrUnauthorizedClient is returned. This
// ownership check is what stops one client from revoking another client's
// tokens.
//
// On success both the refresh token and the access token stored under the
// session's request ID are revoked, whichever of the two was presented.
// A token that cannot be found, or is already inactive, is reported as
// success (nil); any other storage failure yields
// fosite.ErrTemporarilyUnavailable (see storeErrorsToRevocationError).
func (r *TokenRevocationHandler) RevokeToken(ctx context.Context, token string, tokenType fosite.TokenType, client fosite.Client) error {
	// Each lookup derives the signature lazily, so a strategy is only invoked
	// when its lookup actually runs.
	lookupRefresh := func() (fosite.Requester, error) {
		sig := r.RefreshTokenStrategy.RefreshTokenSignature(ctx, token)
		return r.TokenRevocationStorage.GetRefreshTokenSession(ctx, sig, nil)
	}
	lookupAccess := func() (fosite.Requester, error) {
		sig := r.AccessTokenStrategy.AccessTokenSignature(ctx, token)
		return r.TokenRevocationStorage.GetAccessTokenSession(ctx, sig, nil)
	}

	// Token type hinting: refresh-first by default, access-first when hinted.
	first, second := lookupRefresh, lookupAccess
	if tokenType == fosite.AccessToken {
		first, second = lookupAccess, lookupRefresh
	}

	ar, firstErr := first()
	if firstErr != nil {
		// The first lookup failed; fall back to the other token type.
		var secondErr error
		ar, secondErr = second()
		if secondErr != nil {
			// Neither lookup produced a session. Whether that counts as
			// "already revoked" or a transient failure is decided by the
			// error mapping.
			return storeErrorsToRevocationError(firstErr, secondErr)
		}
	}

	// NOTE(review): this assumes a lookup that returns a nil error also
	// returns a non-nil Requester with a non-nil client, and that the caller
	// passed a non-nil client; otherwise the calls below panic. Confirm
	// against the storage implementations and callers.
	//
	// Ownership check: only the client the token was issued to may revoke it.
	if ar.GetClient().GetID() != client.GetID() {
		return errorsx.WithStack(fosite.ErrUnauthorizedClient)
	}

	// Revoke by request ID. Both calls are always made, even if the first one
	// fails, so one failing store operation does not skip the other.
	id := ar.GetID()
	refreshErr := r.TokenRevocationStorage.RevokeRefreshToken(ctx, id)
	accessErr := r.TokenRevocationStorage.RevokeAccessToken(ctx, id)
	return storeErrorsToRevocationError(refreshErr, accessErr)
}
// storeErrorsToRevocationError maps a pair of storage errors to the result of
// a revocation request.
//
// It returns nil when each error is nil, fosite.ErrNotFound or
// fosite.ErrInactiveToken: in all of those cases the token is not usable, so
// the revocation is treated as done. Any other error on either side yields
// fosite.ErrTemporarilyUnavailable, which signals that the token may still
// exist and the client should retry later.
//
// NOTE(review): the original err1/err2 are not wrapped into the returned
// error, so the cause of an unexpected storage failure cannot be recovered
// from the return value here.
func storeErrorsToRevocationError(err1, err2 error) error {
	// tokenGone reports whether err is compatible with "the token is revoked".
	tokenGone := func(err error) bool {
		return err == nil ||
			errors.Is(err, fosite.ErrNotFound) ||
			errors.Is(err, fosite.ErrInactiveToken)
	}

	if !tokenGone(err1) || !tokenGone(err2) {
		// Unexpected error: the token may still exist, ask the client to retry.
		return errorsx.WithStack(fosite.ErrTemporarilyUnavailable)
	}
	return nil
}