fix(refresh-token): validate scope before revoking token #390

Author: runeb

lib/grant-types/refresh-token-grant-type.js

@@ -54,10 +54,12 @@ class RefreshTokenGrantType extends AbstractGrantType {
 
     let token;
     token = await this.getRefreshToken(request, client);
-    token = await this.revokeToken(token);
 
+    // Validate scope before revoking token to prevent destroying tokens on scope validation errors
     const scope = this.getScope(request, token);
 
+    token = await this.revokeToken(token);
+
     return this.saveToken(token.user, client, scope);
   }