anvilresearch / connect

A modern authorization server built to authenticate your users and protect your APIs
http://anvil.io
MIT License

Model - AccessToken - refresh #315

Open ikb42 opened 8 years ago

ikb42 commented 8 years ago

This currently does

```js
// Issue a replacement access token for the one being refreshed (`at`) ...
AccessToken.insert({
  iss: settings.issuer,
  uid: at.uid,
  cid: at.cid,
  ei: at.ei,
  rt: random(settings.refresh_token_bytes_range)(),
  scope: at.scope
}, function (err, token) {
  if (err) { return callback(err) }

  // ... and only then destroy the current token.
  AccessToken.delete(at.at, function (err) {
    if (err) { return callback(err) }
    callback(null, token)
  })
})
```

The problem with doing the delete after the insert is that if, for example, the rt or perhaps even the at is the same as before, then it would be deleted right after being created - or worse, perhaps parts could be deleted, such as the rt. In my case this is happening because I am preserving the rt, but it could happen in the general case too, although unlikely.

PetrSnobelt commented 8 years ago

I also have problems with refresh tokens, but I don't see how rt or at can be the same. It would be great if you could provide a unit test.

ikb42 commented 8 years ago

Can't remember the reason, but I needed to keep the refresh token the same, which led to a bug for me with my refresh token being deleted after the new access token was created. With the random refresh token this should not happen.