Skip to content

Make OAuth2 authorization code expire #40766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
julien-nc merged 13 commits into from
Oct 5, 2023
Merged

Make OAuth2 authorization code expire #40766

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
807f173
make oauth2 authorization code expire after 10 minutes
julien-nc Jun 20, 2023
2995b09
add tests for oauth2 authorization code expiration
julien-nc Jun 20, 2023
7bba410
cleanup access tokens that are still in authorization state and that …
julien-nc Aug 29, 2023
1ab45ba
refuse oauth authorization code if a token has already been delivered…
julien-nc Aug 29, 2023
779e1d5
delete oauth access token when receiving a code that has expired
julien-nc Aug 29, 2023
ddfc124
add test for refusing to get an oauth token from a code when we're no…
julien-nc Aug 29, 2023
e944980
add db index on oauth2_access_tokens's (token_count, created_at)
julien-nc Sep 1, 2023
c6da994
rename oauth2_access_token's created_at to code_created_at
julien-nc Sep 13, 2023
32f984c
adjust oauth tests
julien-nc Oct 4, 2023
d2bc483
adjust oauth app
julien-nc Oct 4, 2023
da63d3c
update autoload files
julien-nc Oct 4, 2023
98c8a46
update OpenAPI specs
julien-nc Oct 4, 2023
d56950a
adjust phpdoc types in OauthApiController
julien-nc Oct 4, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
delete oauth access token when receiving a code that has expired 
Signed-off-by: Julien Veyssier <[email protected]>
  • Loading branch information
@julien-nc
julien-nc committed Oct 5, 2023
commit 779e1d51ac1d50c5625a1cc403d732d74b364ccf
3 changes: 3 additions & 0 deletions apps/oauth2/lib/Controller/OauthApiController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,9 @@ public function getToken(
$now = $this->timeFactory->now()->getTimestamp();
$tokenCreatedAt = $accessToken->getCreatedAt();
if ($tokenCreatedAt < $now - self::AUTHORIZATION_CODE_EXPIRES_AFTER) {
// we know this token is not useful anymore
$this->accessTokenMapper->delete($accessToken);

$response = new JSONResponse([
'error' => 'invalid_request',
], Http::STATUS_BAD_REQUEST);
Expand Down