Allow revoking refresh tokens

This lets us track 'revoked' tokens separately from 'consumed' tokens.

Author: sandhose

crates/data-model/src/tokens.rs

@@ -118,25 +118,40 @@ pub enum RefreshTokenState {
         consumed_at: DateTime<Utc>,
         next_refresh_token_id: Option<Ulid>,
     },
+    Revoked {
+        revoked_at: DateTime<Utc>,
+    },
 }
 
 impl RefreshTokenState {
     /// Consume the refresh token, returning a new state.
     ///
     /// # Errors
     ///
-    /// Returns an error if the refresh token is already consumed.
+    /// Returns an error if the refresh token is revoked.
     fn consume(
         self,
         consumed_at: DateTime<Utc>,
         replaced_by: &RefreshToken,
     ) -> Result<Self, InvalidTransitionError> {
         match self {
-            Self::Valid => Ok(Self::Consumed {
+            Self::Valid | Self::Consumed { .. } => Ok(Self::Consumed {
                 consumed_at,
                 next_refresh_token_id: Some(replaced_by.id),
             }),
-            Self::Consumed { .. } => Err(InvalidTransitionError),
+            Self::Revoked { .. } => Err(InvalidTransitionError),
+        }
+    }
+
+    /// Revoke the refresh token, returning a new state.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the refresh token is already consumed or revoked.
+    pub fn revoke(self, revoked_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> {
+        match self {
+            Self::Valid => Ok(Self::Revoked { revoked_at }),
+            Self::Consumed { .. } | Self::Revoked { .. } => Err(InvalidTransitionError),
         }
     }
 
@@ -148,19 +163,11 @@ impl RefreshTokenState {
         matches!(self, Self::Valid)
     }
 
-    /// Returns `true` if the refresh token state is [`Consumed`].
-    ///
-    /// [`Consumed`]: RefreshTokenState::Consumed
-    #[must_use]
-    pub fn is_consumed(&self) -> bool {
-        matches!(self, Self::Consumed { .. })
-    }
-
     /// Returns the next refresh token ID, if any.
     #[must_use]
     pub fn next_refresh_token_id(&self) -> Option<Ulid> {
         match self {
-            Self::Valid => None,
+            Self::Valid | Self::Revoked { .. } => None,
             Self::Consumed {
                 next_refresh_token_id,
                 ..
@@ -197,7 +204,7 @@ impl RefreshToken {
     ///
     /// # Errors
     ///
-    /// Returns an error if the refresh token is already consumed.
+    /// Returns an error if the refresh token is revoked.
     pub fn consume(
         mut self,
         consumed_at: DateTime<Utc>,
@@ -206,6 +213,16 @@ impl RefreshToken {
         self.state = self.state.consume(consumed_at, replaced_by)?;
         Ok(self)
     }
+
+    /// Revokes the refresh token and returns a new revoked token
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the refresh token is already revoked.
+    pub fn revoke(mut self, revoked_at: DateTime<Utc>) -> Result<Self, InvalidTransitionError> {
+        self.state = self.state.revoke(revoked_at)?;
+        Ok(self)
+    }
 }
 
 /// Type of token to generate or validate

crates/storage-pg/.sqlx/query-66693f31eff5673e88ca516ee727a709b06455e08b9fd75cc08f142070f330b3.json

@@ -179,7 +179,7 @@ impl OAuth2AccessTokenRepository for PgOAuth2AccessTokenRepository<'_> {
     }
 
     #[tracing::instrument(
-        name = "db.oauth2_access_token.revoked",
+        name = "db.oauth2_access_token.revoke",
         skip_all,
         fields(
             db.query.text,

…19c36bf5983182b0871de6e85036d8df466.json …d3b08fd5d736ecf36845e6fd4bfc515b2cf.jsoncrates/storage-pg/.sqlx/query-5b94c22d44692a16fa5a6edd5dac019c36bf5983182b0871de6e85036d8df466.json renamed to crates/storage-pg/.sqlx/query-6d71188dffc492ddc8f7f21476516d3b08fd5d736ecf36845e6fd4bfc515b2cf.json crates/storage-pg/.sqlx/query-5b94c22d44692a16fa5a6edd5dac019c36bf5983182b0871de6e85036d8df466.json renamed to crates/storage-pg/.sqlx/query-6d71188dffc492ddc8f7f21476516d3b08fd5d736ecf36845e6fd4bfc515b2cf.json

@@ -34,6 +34,7 @@ struct OAuth2RefreshTokenLookup {
     refresh_token: String,
     created_at: DateTime<Utc>,
     consumed_at: Option<DateTime<Utc>>,
+    revoked_at: Option<DateTime<Utc>>,
     oauth2_access_token_id: Option<Uuid>,
     oauth2_session_id: Uuid,
     next_oauth2_refresh_token_id: Option<Uuid>,
@@ -44,17 +45,22 @@ impl TryFrom<OAuth2RefreshTokenLookup> for RefreshToken {
 
     fn try_from(value: OAuth2RefreshTokenLookup) -> Result<Self, Self::Error> {
         let id = value.oauth2_refresh_token_id.into();
-        let state = match (value.consumed_at, value.next_oauth2_refresh_token_id) {
-            (None, None) => RefreshTokenState::Valid,
-            (Some(consumed_at), None) => RefreshTokenState::Consumed {
+        let state = match (
+            value.revoked_at,
+            value.consumed_at,
+            value.next_oauth2_refresh_token_id,
+        ) {
+            (None, None, None) => RefreshTokenState::Valid,
+            (Some(revoked_at), None, None) => RefreshTokenState::Revoked { revoked_at },
+            (None, Some(consumed_at), None) => RefreshTokenState::Consumed {
                 consumed_at,
                 next_refresh_token_id: None,
             },
-            (Some(consumed_at), Some(id)) => RefreshTokenState::Consumed {
+            (None, Some(consumed_at), Some(id)) => RefreshTokenState::Consumed {
                 consumed_at,
                 next_refresh_token_id: Some(Ulid::from(id)),
             },
-            (None, Some(_)) => {
+            _ => {
                 return Err(DatabaseInconsistencyError::on("oauth2_refresh_tokens")
                     .column("next_oauth2_refresh_token_id")
                     .row(id))
@@ -93,6 +99,7 @@ impl OAuth2RefreshTokenRepository for PgOAuth2RefreshTokenRepository<'_> {
                      , refresh_token
                      , created_at
                      , consumed_at
+                     , revoked_at
                      , oauth2_access_token_id
                      , oauth2_session_id
                      , next_oauth2_refresh_token_id
@@ -130,6 +137,7 @@ impl OAuth2RefreshTokenRepository for PgOAuth2RefreshTokenRepository<'_> {
                      , refresh_token
                      , created_at
                      , consumed_at
+                     , revoked_at
                      , oauth2_access_token_id
                      , oauth2_session_id
                      , next_oauth2_refresh_token_id
@@ -237,4 +245,40 @@ impl OAuth2RefreshTokenRepository for PgOAuth2RefreshTokenRepository<'_> {
             .consume(consumed_at, replaced_by)
             .map_err(DatabaseError::to_invalid_operation)
     }
+
+    #[tracing::instrument(
+        name = "db.oauth2_refresh_token.revoke",
+        skip_all,
+        fields(
+            db.query.text,
+            %refresh_token.id,
+            session.id = %refresh_token.session_id,
+        ),
+        err,
+    )]
+    async fn revoke(
+        &mut self,
+        clock: &dyn Clock,
+        refresh_token: RefreshToken,
+    ) -> Result<RefreshToken, Self::Error> {
+        let revoked_at = clock.now();
+        let res = sqlx::query!(
+            r#"
+                UPDATE oauth2_refresh_tokens
+                SET revoked_at = $2
+                WHERE oauth2_refresh_token_id = $1
+            "#,
+            Uuid::from(refresh_token.id),
+            revoked_at,
+        )
+        .traced()
+        .execute(&mut *self.conn)
+        .await?;
+
+        DatabaseError::ensure_affected_rows(&res, 1)?;
+
+        refresh_token
+            .revoke(revoked_at)
+            .map_err(DatabaseError::to_invalid_operation)
+    }
 }

…f36c103e030358262e46a4bd5e4006dc630.json …09785f358b334f5c586c2e358f0d0b4d856.jsoncrates/storage-pg/.sqlx/query-265a981142194216593cd09cd8f6af36c103e030358262e46a4bd5e4006dc630.json renamed to crates/storage-pg/.sqlx/query-a75a6a08c9639053cfc3cffa9d4a009785f358b334f5c586c2e358f0d0b4d856.json crates/storage-pg/.sqlx/query-265a981142194216593cd09cd8f6af36c103e030358262e46a4bd5e4006dc630.json renamed to crates/storage-pg/.sqlx/query-a75a6a08c9639053cfc3cffa9d4a009785f358b334f5c586c2e358f0d0b4d856.json

@@ -85,13 +85,32 @@ pub trait OAuth2RefreshTokenRepository: Send + Sync {
     /// # Errors
     ///
     /// Returns [`Self::Error`] if the underlying repository fails, or if the
-    /// token was already consumed
+    /// token was already consumed or revoked
     async fn consume(
         &mut self,
         clock: &dyn Clock,
         refresh_token: RefreshToken,
         replaced_by: &RefreshToken,
     ) -> Result<RefreshToken, Self::Error>;
+
+    /// Revoke a refresh token
+    ///
+    /// Returns the updated [`RefreshToken`]
+    ///
+    /// # Parameters
+    ///
+    /// * `clock`: The clock used to generate timestamps
+    /// * `refresh_token`: The [`RefreshToken`] to revoke
+    ///
+    /// # Errors
+    ///
+    /// Returns [`Self::Error`] if the underlying repository fails, or if the
+    /// token was already revoked or consumed
+    async fn revoke(
+        &mut self,
+        clock: &dyn Clock,
+        refresh_token: RefreshToken,
+    ) -> Result<RefreshToken, Self::Error>;
 }
 
 repository_impl!(OAuth2RefreshTokenRepository:
@@ -117,4 +136,10 @@ repository_impl!(OAuth2RefreshTokenRepository:
         refresh_token: RefreshToken,
         replaced_by: &RefreshToken,
     ) -> Result<RefreshToken, Self::Error>;
+
+    async fn revoke(
+        &mut self,
+        clock: &dyn Clock,
+        refresh_token: RefreshToken,
+    ) -> Result<RefreshToken, Self::Error>;
 );