mirror
/
dex
mirror of https://github.com/dexidp/dex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

server: fix panic caused by deleting refresh token twice through api

pull/1056/head
Eric Chiang 9 years ago
parent
e10fddee2e
commit
f234e3707e
2 changed files with 33 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 21
      server/api.go
  2. 16
      server/api_test.go

21
server/api.go
Unescape View File

@ -266,12 +266,20 @@ func (d dexAPI) RevokeRefresh(ctx context.Context, req *api.RevokeRefreshReq) (*
return nil, err
}
var refreshID string
var (
refreshID string
notFound bool
)
updater := func(old storage.OfflineSessions) (storage.OfflineSessions, error) {
if refreshID = old.Refresh[req.ClientId].ID; refreshID == "" {
return old, fmt.Errorf("user does not have a refresh token for the client = %s", req.ClientId)
refreshRef := old.Refresh[req.ClientId]
if refreshRef == nil || refreshRef.ID == "" {
d.logger.Errorf("api: refresh token issued to client %q for user %q not found for deletion", req.ClientId, id.UserId)
notFound = true
return old, storage.ErrNotFound
}
refreshID = refreshRef.ID
// Remove entry from Refresh list of the OfflineSession object.
delete(old.Refresh, req.ClientId)
@ -286,7 +294,14 @@ func (d dexAPI) RevokeRefresh(ctx context.Context, req *api.RevokeRefreshReq) (*
return nil, err
}
if notFound {
return &api.RevokeRefreshResp{NotFound: true}, nil
}
// Delete the refresh token from the storage
//
// TODO(ericchiang): we don't have any good recourse if this call fails.
// Consider garbage collection of refresh tokens with no associated ref.
if err := d.s.DeleteRefresh(refreshID); err != nil {
d.logger.Errorf("failed to delete refresh token: %v", err)
return nil, err

16
server/api_test.go
Unescape View File

@ -267,9 +267,23 @@ func TestRefreshToken(t *testing.T) {
}
resp, err := client.RevokeRefresh(ctx, &revokeReq)
if err != nil || resp.NotFound {
if err != nil {
t.Fatalf("Unable to revoke refresh tokens for user: %v", err)
}
if resp.NotFound {
t.Errorf("refresh token session wasn't found")
}
// Try to delete again.
//
// See https://github.com/coreos/dex/issues/1055
resp, err = client.RevokeRefresh(ctx, &revokeReq)
if err != nil {
t.Fatalf("Unable to revoke refresh tokens for user: %v", err)
}
if !resp.NotFound {
t.Errorf("refresh token session was found")
}
if resp, _ := client.ListRefresh(ctx, &listReq); len(resp.RefreshTokens) != 0 {
t.Fatalf("Refresh token returned inspite of revoking it.")

Write Preview
Loading…
Cancel
Save