bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License
3.26k stars 952 forks

Support for single use tokens #942

Open Faryshta opened 6 years ago

Faryshta commented 6 years ago

There should be a way to configure the server or some special scope to kill the token after it's used once, regardless of whether or not the request was successful.

The use case would be for sensitive transactions, like for example money transfers, where an error from the user or the app client sending the same request twice can lead to loss of money.

The app client sends a request with the single-use token, then the OAuth2 server kills the token so it can never be used. The transaction is processed, maybe returning status 200 or 400; it does not matter.

The app client or the end user screws up, clicks the submit button again, or for whatever reason the same request is sent. The server gets the single-use token, which was already used and expired, halting the request.

neverabe commented 6 years ago

@bshaffer, any clue?

letsjustfixit commented 6 years ago

Invalidate the token within the middleware right after the validation (revoke token).

Faryshta commented 6 years ago

@letsjustfixit how?

letsjustfixit commented 6 years ago

@Faryshta https://github.com/bshaffer/oauth2-server-php/blob/master/src/OAuth2/Controller/TokenController.php#L294
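The approach suggested in the thread, as an added example that is not part of the issue and not code from oauth2-server-php itself: a resource-endpoint wrapper that validates the bearer token the normal way, then revokes it in storage before the protected operation runs, so a duplicate request with the same token is rejected whether or not the first attempt succeeded. It assumes the library is installed via Composer and that the access-token storage provides `unsetAccessToken()` (the bundled Pdo and Memory storages do, which is what the revoke endpoint linked above relies on); the `transfer` scope, token value, client and user are constructed demo values.

```php
<?php
// Added example: make a bearer token single-use by revoking it right after validation.
// Not code from the issue thread or from the library. Assumes oauth2-server-php via
// Composer and a storage that implements unsetAccessToken() (Pdo and Memory do).
require_once __DIR__ . '/vendor/autoload.php';

use OAuth2\Request;
use OAuth2\Response;
use OAuth2\Server;
use OAuth2\Storage\Memory;

/**
 * Validate the token, burn it, then run the protected operation exactly once.
 * Returns the Response that should be sent back to the client.
 */
function handleSingleUseRequest(Server $server, Memory $storage, Request $request, callable $operation)
{
    $response = new Response();

    // 1. Ordinary resource check: token must exist, be unexpired and carry the scope.
    if (!$server->verifyResourceRequest($request, $response, 'transfer')) {
        return $response; // the library has already filled in the 401/403 details
    }

    // 2. Revoke before doing any work. A retry that reuses this token now fails step 1
    //    regardless of whether the operation below succeeds, fails or times out.
    //    Assumes the storage returns the token string under 'access_token' (bundled storages do).
    $token = $server->getAccessTokenData($request, $response);
    $storage->unsetAccessToken($token['access_token']);

    // 3. Perform the sensitive operation.
    try {
        $response->setStatusCode(200);
        $response->addParameters(array('result' => $operation($token)));
    } catch (\Exception $e) {
        // The token stays revoked even on failure; the client needs a fresh one to retry.
        $response->setStatusCode(400);
        $response->addParameters(array(
            'error'             => 'transfer_failed',
            'error_description' => $e->getMessage(),
        ));
    }

    return $response;
}

// Constructed in-memory storage holding one pre-issued token (demo values, not real).
$storage = new Memory();
$storage->setAccessToken('demo-single-use-token', 'demo_client', 'alice', time() + 300, 'transfer');
$server = new Server($storage);

// A request carrying the token in the Authorization header (constructed, not read from globals).
$request = new Request(
    array(), array(), array(), array(), array(),
    array('REQUEST_METHOD' => 'POST'),
    null,
    array('AUTHORIZATION' => 'Bearer demo-single-use-token')
);

// Stand-in for the money transfer; it only sees the validated token data.
$transfer = function (array $token) {
    return sprintf('transfer executed for user %s', $token['user_id']);
};

$first = handleSingleUseRequest($server, $storage, $request, $transfer);
echo 'first attempt:  HTTP ', $first->getStatusCode(), PHP_EOL;

// Same request replayed: the token is gone from storage, so validation fails.
$second = handleSingleUseRequest($server, $storage, $request, $transfer);
echo 'second attempt: HTTP ', $second->getStatusCode(), PHP_EOL;
```

The ordering in step 2 is the point: the token is removed between `verifyResourceRequest()` and the operation, not after it, so a client that times out and resubmits the same request cannot have the transfer executed twice. The replayed request is rejected by the library's own token check and the wrapped operation never runs a second time.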