revoke procedure is now complete, fixes #229

masci · masci · commit 03004028cbd9 · 2015-05-24T12:48:57.000+02:00
diff --git a/README.rst b/README.rst
@@ -96,6 +96,7 @@ master branch
 * ``oauthlib_backend_class`` is now pluggable through Django settings
 * #127: ``application/json`` Content-Type is now supported using ``JSONOAuthLibCore``
 * #238: Fixed redirect uri handling in case of error
+* #229: Invalidate access tokens when getting a new refresh token
 
 0.8.1 [2015-04-27]
 ~~~~~~~~~~~~~~~~~~
diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -7,6 +7,7 @@ master branch
 * ``oauthlib_backend_class`` is now pluggable through Django settings
 * #127: ``application/json`` Content-Type is now supported using ``JSONOAuthLibCore``
 * #238: Fixed redirect uri handling in case of error
+* #229: Invalidate access tokens when getting a new refresh token
 
 
 0.8.1 [2015-04-27]
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -286,7 +286,7 @@ def save_bearer_token(self, token, request, *args, **kwargs):
         if request.refresh_token:
             # remove used refresh token
             try:
-                RefreshToken.objects.get(token=request.refresh_token).delete()
+                RefreshToken.objects.get(token=request.refresh_token).revoke()
             except RefreshToken.DoesNotExist:
                 assert()  # TODO though being here would be very strange, at least log the error
 
@@ -332,10 +332,11 @@ def revoke_token(self, token, token_type_hint, request, *args, **kwargs):
 
         token_type = token_types.get(token_type_hint, AccessToken)
         try:
-            token_type.objects.get(token=token).delete()
+            token_type.objects.get(token=token).revoke()
         except ObjectDoesNotExist:
             for other_type in [_t for _t in token_types.values() if _t != token_type]:
-                other_type.objects.filter(token=token).delete()
+                # slightly inefficient on Python2, but the queryset contains only one instance
+                list(map(lambda t: t.revoke(), other_type.objects.filter(token=token)))
 
     def validate_user(self, username, password, client, request, *args, **kwargs):
         """
