Add ability to revoke OAuth clients
When an OAuth client has the `revoked: true` property, we log them out and redirect to `/login/token-revoked`:

> Token was revoked
>
> We're very sorry, but the token you were using was revoked.
> You probably need to update your client, https://gitter.im/apps
Keep in mind we still have the same logic behind an invalid token. The following locations are just where we will actually redirect to `/login/token-revoked` instead of a generic 401.

- `server/web/middlewares/configure-csrf.js` for session
- `server/web/middlewares/authenticate-bearer.js` for `?access_token=xxx` query parameter
- Any others that should be here? 🤔
- `server/web/middlewares/rememberme-middleware.js` doesn't seem to deal directly with access tokens, just "auth token" hashes to match against. Not sure how/when this is applied as `req.user` was always in place and the logic here was skipped anyways 😕
- `server/web/passport.js` is used for the API and we shouldn't do any redirecting, just give the normal 401 status
- `server/web/bayeux/authenticator.js` is used for the WS bayeux API and we shouldn't do any redirecting, just give the normal 401 status
```sh
npm run mocha -- test/integration/services/oauth-service-test.js
```

Mongo shell snippets for manually creating a revoked client and a token issued to it:

```js
db.oauthclients.insert({
  name: 'Random test client1',
  tag: 'random-test-client1',
  clientKey: 'random-test-client1-key',
  clientSecret: 'xxx',
});

db.oauthclients.update({ clientKey: 'random-test-client1-key' }, {
  $set: {
    revoked: true
  }
});

db.oauthaccesstokens.insert({
  token: 'xxx',
  userId: db.users.findOne({ username: 'MadLittleMods' })._id,
  clientId: db.oauthclients.findOne({ clientKey: 'random-test-client1-key' })._id,
});
```
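As an added example (not code from the Gitter repo), here is a dependency-free model of the behaviour described above: one token check shared by every surface, with browser-facing middleware (configure-csrf / authenticate-bearer) logging out and redirecting to `/login/token-revoked` while API surfaces (passport / bayeux) answer with a plain 401. The in-memory collections, the `surface` argument, and the `req.session.accessToken` field are assumptions for the example.

```javascript
// Constructed in-memory stand-ins for the oauthclients / oauthaccesstokens collections.
const oauthclients = new Map([
  ['client-ok', { clientKey: 'random-test-client1-key', revoked: false }],
  ['client-revoked', { clientKey: 'revoked-client-key', revoked: true }],
]);
const oauthaccesstokens = new Map([
  ['good-token', { userId: 'user-1', clientId: 'client-ok' }],
  ['revoked-token', { userId: 'user-1', clientId: 'client-revoked' }],
]);

// The same lookup for every surface: an unknown token stays "invalid", a token
// whose client carries revoked: true is reported separately so callers can react.
function checkAccessToken(token) {
  const record = token ? oauthaccesstokens.get(token) : undefined;
  if (!record) return { status: 'invalid' };
  const client = oauthclients.get(record.clientId);
  if (!client) return { status: 'invalid' };
  if (client.revoked) return { status: 'revoked' };
  return { status: 'valid', userId: record.userId };
}

// surface is 'web' (session / ?access_token= pages) or 'api' (REST, bayeux).
// Only web + revoked gets the redirect; everything else that fails is a 401.
function resolveAuth(token, surface) {
  const result = checkAccessToken(token);
  if (result.status === 'valid') return { action: 'next', userId: result.userId };
  if (result.status === 'revoked' && surface === 'web') {
    return { action: 'redirect', logout: true, location: '/login/token-revoked' };
  }
  return { action: 'status', code: 401 };
}

// Express-style middleware built on the decision above. req.logout, res.redirect
// and res.sendStatus are the usual Passport/Express methods; the session field is assumed.
function tokenAuth(surface) {
  return function (req, res, next) {
    const token = (req.query && req.query.access_token) ||
      (req.session && req.session.accessToken);
    const decision = resolveAuth(token, surface);
    if (decision.action === 'next') {
      req.user = { id: decision.userId };
      return next();
    }
    if (decision.action === 'redirect') {
      if (typeof req.logout === 'function') req.logout(); // end the session first
      return res.redirect(decision.location);
    }
    return res.sendStatus(decision.code);
  };
}
```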