Clear user's session cookie when an OAuth token is revoked

2024-06-01 08:28:06 +00:00 · 2020-10-29 15:51:18 -05:00 · 2020-10-29 15:51:18 -05:00 · e8b436e1af
parent 6231de27ac
commit e8b436e1af
2 changed files with 41 additions and 1 deletions
--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@ -375,7 +375,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
  def token_revoke(%Plug.Conn{} = conn, %{"token" => _token} = params) do
    with {:ok, app} <- Token.Utils.fetch_app(conn),
         {:ok, _token} <- RevokeToken.revoke(app, params) do
-      json(conn, %{})
+      conn
+      |> Plug.Conn.delete_session(:user_id)
+      |> json(%{})
    else
      _error ->
        # RFC 7009: invalid tokens [in the request] do not cause an error response
--- a/test/pleroma/web/o_auth/o_auth_controller_test.exs
+++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs
@ -1256,6 +1256,44 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    end
  end

+  describe "POST /oauth/revoke" do
+    test "deletes a token" do
+      app = insert(:oauth_app, scopes: ["read"])
+      token = insert(:oauth_token, app: app)
+
+      result =
+        build_conn()
+        |> post("/oauth/revoke", %{
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret,
+          "token" => token.token
+        })
+        |> json_response(200)
+
+      assert result == %{}
+      assert {:error, :not_found} = Pleroma.Web.OAuth.Token.get_by_token(app, token.token)
+    end
+
+    test "clears the session_id from user cookies" do
+      user = insert(:user)
+      app = insert(:oauth_app, scopes: ["read"])
+      token = insert(:oauth_token, app: app, user: user)
+
+      conn =
+        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session()
+        |> put_session(:user_id, user.id)
+        |> post("/oauth/revoke", %{
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret,
+          "token" => token.token
+        })
+
+      refute get_session(conn, :user_id)
+    end
+  end
+
  describe "POST /oauth/revoke - bad request" do
    test "returns 500" do
      response =