Merge pull request #55 from brighthive/HIVE-1298-force-log-out

feat: Expire and revoke deactivated user tokens (Hive 1298)

Author: reginafcompton

authserver/api/user.py

@@ -197,6 +197,11 @@ def _deactivate(self, user_id: str):
         user.can_login = False
         user.date_last_updated = datetime.utcnow()
 
+        tokens = OAuth2Token.query.filter_by(user_id=user.id).all()
+        for token in tokens:
+            token.revoked = True
+            token.expires_in = 0
+
         clients = OAuth2Client.query.filter_by(user_id=user_id).all()
         for client in clients:
             client.client_secret = None

tests/api/test_user_resource.py

@@ -154,7 +154,7 @@ def test_post_user_deactivate_invalid_user_id(self, mocker, client):
             equal("No resource with identifier '123bad' found.")
         )
 
-    def test_post_user_deactivate(self, mocker, client, user, oauth_client):
+    def test_post_user_deactivate(self, mocker, client, user, oauth_client, oauth_token):
         mocker.patch(
             "authlib.integrations.flask_oauth2.ResourceProtector.acquire_token",
             return_value=True,
@@ -175,6 +175,10 @@ def test_post_user_deactivate(self, mocker, client, user, oauth_client):
             "/clients/{}".format(oauth_client.id), headers={})
         expect(response.json["response"]["client_secret"]).to(be(None))
 
+        # Assert that the user's token has been revoked and expired
+        expect(oauth_token.revoked).to(be(True))
+        expect(oauth_token.is_access_token_expired()).to(be(True))
+
         # Clean up (n.b., clean up should happen in the conftest – between each test.)
         client.delete(f"/users/{user.id}", headers={})
 

tests/conftest.py

@@ -2,7 +2,7 @@
 
 import json
 import os
-from time import sleep
+from time import sleep, time
 from uuid import uuid4
 
 import pytest
@@ -13,7 +13,7 @@
 
 from authserver import create_app
 from authserver.config import ConfigurationFactory
-from authserver.db import db, User, OAuth2Client
+from authserver.db import db, User, OAuth2Client, OAuth2Token
 from authserver.utilities import PostgreSQLContainer
 
 
@@ -113,3 +113,18 @@ def oauth_client(user):
     db.session.add(oauth_client)
 
     return oauth_client
+
+
+@pytest.fixture
+def oauth_token(user):
+    data = {
+        "access_token": str(uuid4()).replace("-", ""),
+        "issued_at": int(time()) - 865000,
+        "expires_in": 965000,
+        "user_id": user.id
+    }
+    token = OAuth2Token(**data)
+
+    db.session.add(token)
+
+    return token