Merge pull request #161 from Geekfish/feature/revocation-searches-all-types

masci · masci · commit dea3d7206148 · 2014-12-15T23:25:14.000+01:00
Token Revocation - extend search to all token types.
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -6,6 +6,7 @@
 
 from django.utils import timezone
 from django.contrib.auth import authenticate
+from django.core.exceptions import ObjectDoesNotExist
 from oauthlib.oauth2 import RequestValidator
 
 from .compat import unquote_plus
@@ -304,22 +305,20 @@ def revoke_token(self, token, token_type_hint, request, *args, **kwargs):
         :param token_type_hint: access_token or refresh_token.
         :param request: The HTTP Request (oauthlib.common.Request)
         """
-        if token_type_hint not in [None, 'access_token', 'refresh_token']:
+        if token_type_hint not in ['access_token', 'refresh_token']:
             token_type_hint = None
 
-        if token_type_hint in [None, 'access_token']:
-            try:
-                AccessToken.objects.get(token=token).delete()
-                return
-            except AccessToken.DoesNotExist:
-                pass
+        token_types = {
+            'access_token': AccessToken,
+            'refresh_token': RefreshToken,
+        }
 
-        if token_type_hint in [None, 'refresh_token']:
-            try:
-                RefreshToken.objects.get(token=token).delete()
-                return
-            except RefreshToken.DoesNotExist:
-                pass
+        token_type = token_types.get(token_type_hint, AccessToken)
+        try:
+            token_type.objects.get(token=token).delete()
+        except ObjectDoesNotExist:
+            for other_type in [_t for _t in token_types.values() if _t != token_type]:
+                other_type.objects.filter(token=token).delete()
 
     def validate_user(self, username, password, client, request, *args, **kwargs):
         """
diff --git a/oauth2_provider/tests/test_token_revocation.py b/oauth2_provider/tests/test_token_revocation.py
@@ -118,3 +118,27 @@ def test_revoke_refresh_token(self):
         response = self.client.post(url)
         self.assertEqual(response.status_code, 200)
         self.assertFalse(RefreshToken.objects.filter(id=rtok.id).exists())
+
+    def test_revoke_token_with_wrong_hint(self):
+        """
+        From the revocation rfc, `Section 4.1.2`_ :
+
+        If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token typeso
+        .. _`Section 4.1.2`: http://tools.ietf.org/html/draft-ietf-oauth-revocation-11#section-4.1.2
+        """
+        tok = AccessToken.objects.create(user=self.test_user, token='1234567890',
+                                         application=self.application,
+                                         expires=timezone.now()+datetime.timedelta(days=1),
+                                         scope='read write')
+
+        query_string = urlencode({
+            'client_id': self.application.client_id,
+            'client_secret': self.application.client_secret,
+            'token': tok.token,
+            'token_type_hint': 'refresh_token'
+        })
+        url = "{url}?{qs}".format(url=reverse('oauth2_provider:revoke-token'), qs=query_string)
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertFalse(AccessToken.objects.filter(id=tok.id).exists())
+
