refresh token handling, fixes #65

Massimiliano Pippi · Massimiliano Pippi · commit 0c8553616c6d · 2013-09-22T17:10:59.000+02:00
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -205,6 +205,13 @@ def save_bearer_token(self, token, request, *args, **kwargs):
         """
         Save access and refresh token, If refresh token is issued, remove old refresh tokens as in rfc:`6`
         """
+        if request.refresh_token:
+            # remove used refresh token
+            try:
+                RefreshToken.objects.get(token=request.refresh_token).delete()
+            except RefreshToken.DoesNotExist:
+                assert()  # TODO though being here would be very strange, at least log the error
+
         expires = timezone.now() + timedelta(seconds=oauth2_settings.ACCESS_TOKEN_EXPIRE_SECONDS)
         if request.grant_type == 'client_credentials':
             request.user = request.client.user
@@ -218,9 +225,6 @@ def save_bearer_token(self, token, request, *args, **kwargs):
         access_token.save()
 
         if 'refresh_token' in token:
-            # discard old refresh tokens
-            RefreshToken.objects.filter(user=request.user).filter(application=request.client).delete()
-
             refresh_token = RefreshToken(
                 user=request.user,
                 token=token['refresh_token'],
@@ -255,6 +259,7 @@ def validate_refresh_token(self, refresh_token, client, request, *args, **kwargs
         try:
             rt = RefreshToken.objects.get(token=refresh_token)
             request.user = rt.user
+            request.refresh_token = rt
             return rt.application == client
 
         except RefreshToken.DoesNotExist:
diff --git a/oauth2_provider/tests/test_authorization_code.py b/oauth2_provider/tests/test_authorization_code.py
@@ -277,6 +277,15 @@ def test_refresh(self):
         content = json.loads(response.content.decode("utf-8"))
         self.assertTrue('refresh_token' in content)
 
+        # make a second token request to be sure the previous refresh token remains valid, see #65
+        authorization_code = self.get_auth()
+        token_request_data = {
+            'grant_type': 'authorization_code',
+            'code': authorization_code,
+            'redirect_uri': 'http://example.it'
+        }
+        response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
+
         token_request_data = {
             'grant_type': 'refresh_token',
             'refresh_token': content['refresh_token'],
@@ -288,6 +297,12 @@ def test_refresh(self):
         content = json.loads(response.content.decode("utf-8"))
         self.assertTrue('access_token' in content)
 
+        # check refresh token cannot be used twice
+        response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
+        self.assertEqual(response.status_code, 400)
+        content = json.loads(response.content.decode("utf-8"))
+        self.assertTrue('invalid_grant' in content.values())
+
     def test_refresh_no_scopes(self):
         """
         Request an access token using a refresh token without passing any scope
