Merge branch 'DEP-368-fix-permanent-refresh-tokens' of https://github.com/waveaccounting/django-oauth-toolkit into waveaccounting-DEP-368-fix-permanent-refresh-tokens

masci · masci · commit 1623bcfbc5ef · 2015-01-07T17:21:25.000+01:00
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -331,9 +331,10 @@ def validate_user(self, username, password, client, request, *args, **kwargs):
         return False
 
     def get_original_scopes(self, refresh_token, request, *args, **kwargs):
-        # TODO: since this method is invoked *after* validate_refresh_token, could we avoid this
-        # second query for RefreshToken?
-        rt = RefreshToken.objects.get(token=refresh_token)
+        # Avoid second query for RefreshToken since this method is invoked *after* validate_refresh_token.
+        rt = request.refresh_token
+        # Restore request.refresh_token
+        request.refresh_token = rt.token
         return rt.access_token.scope
 
     def validate_refresh_token(self, refresh_token, client, request, *args, **kwargs):
@@ -344,6 +345,7 @@ def validate_refresh_token(self, refresh_token, client, request, *args, **kwargs
         try:
             rt = RefreshToken.objects.get(token=refresh_token)
             request.user = rt.user
+            # Temporary store RefreshToken instance to be reused by get_original_scopes.
             request.refresh_token = rt
             return rt.application == client
 
diff --git a/oauth2_provider/tests/test_authorization_code.py b/oauth2_provider/tests/test_authorization_code.py
@@ -3,6 +3,7 @@
 import base64
 import json
 import datetime
+import mock
 
 from django.test import TestCase, RequestFactory
 from django.core.urlresolvers import reverse
@@ -11,6 +12,7 @@
 from ..compat import urlparse, parse_qs, urlencode, get_user_model
 from ..models import get_application_model, Grant, AccessToken
 from ..settings import oauth2_settings
+from ..oauth2_validators import OAuth2Validator
 from ..views import ProtectedResourceView
 
 from .test_utils import TestCaseUtils
@@ -495,6 +497,36 @@ def test_refresh_fail_repeating_requests(self):
         response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 401)
 
+    def test_refresh_repeating_requests_non_rotating_tokens(self):
+        """
+        Try refreshing an access token with the same refresh token more than once when not rotating tokens.
+        """
+        self.client.login(username="test_user", password="123456")
+        authorization_code = self.get_auth()
+
+        token_request_data = {
+            'grant_type': 'authorization_code',
+            'code': authorization_code,
+            'redirect_uri': 'http://example.it'
+        }
+        auth_headers = self.get_basic_auth_header(self.application.client_id, self.application.client_secret)
+
+        response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
+        content = json.loads(response.content.decode("utf-8"))
+        self.assertTrue('refresh_token' in content)
+
+        token_request_data = {
+            'grant_type': 'refresh_token',
+            'refresh_token': content['refresh_token'],
+            'scope': content['scope'],
+        }
+
+        with mock.patch('oauthlib.oauth2.rfc6749.request_validator.RequestValidator.rotate_refresh_token', return_value=False):
+            response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
+            self.assertEqual(response.status_code, 200)
+            response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
+            self.assertEqual(response.status_code, 200)
+
     def test_basic_auth_bad_authcode(self):
         """
         Request an access token using a bad authorization code
diff --git a/oauth2_provider/tests/test_models.py b/oauth2_provider/tests/test_models.py
@@ -10,7 +10,7 @@
 from django.test.utils import override_settings
 from django.core.exceptions import ValidationError
 
-from ..models import AccessToken, get_application_model
+from ..models import AccessToken, get_application_model, Grant, AccessToken, RefreshToken
 from ..compat import get_user_model
 
 
@@ -98,3 +98,24 @@ def test_related_objects(self):
         related_object_names = [ro.name for ro in UserModel._meta.get_all_related_objects()]
         self.assertNotIn('oauth2_provider:application', related_object_names)
         self.assertIn('tests:testapplication', related_object_names)
+
+
+class TestGrantModel(TestCase):
+
+    def test_str(self):
+        grant = Grant(code="test_code")
+        self.assertEqual("%s" % grant, grant.code)
+
+
+class TestAccessTokenModel(TestCase):
+
+    def test_str(self):
+        access_token = AccessToken(token="test_token")
+        self.assertEqual("%s" % access_token, access_token.token)
+
+
+class TestRefreshTokenModel(TestCase):
+
+    def test_str(self):
+        refresh_token = RefreshToken(token="test_token")
+        self.assertEqual("%s" % refresh_token, refresh_token.token)
