bug: update revokedAt on PKCE flow (#4918)

The authorization token has an expiry of 5 minutes, we already have checks in place to verify this and throw a Forbidden exception. We need to revoke the token once it's used otherwise it could be used multiple times to gain access to tokens till it expires.
2024-04-15 11:49:05 +01:00
parent 56b7c84116
commit 3e65fbd3d5
1 changed files with 12 additions and 3 deletions
--- a/packages/twenty-server/src/engine/core-modules/auth/services/token.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/services/token.service.ts
@ -322,13 +322,13 @@ export class TokenService {
      assert(
        authorizationCodeAppToken,
        'Authorization code does not exist',
-        ForbiddenException,
+        NotFoundException,
      );

      assert(
        authorizationCodeAppToken.expiresAt.getTime() >= Date.now(),
        'Authorization code expired.',
-        NotFoundException,
+        ForbiddenException,
      );

      const codeChallenge = crypto
@ -355,7 +355,7 @@ export class TokenService {
      assert(
        codeChallengeAppToken.expiresAt.getTime() >= Date.now(),
        'code challenge expired.',
-        NotFoundException,
+        ForbiddenException,
      );

      assert(
@ -364,6 +364,15 @@ export class TokenService {
        ForbiddenException,
      );

+      if (codeChallengeAppToken.revokedAt) {
+        throw new ForbiddenException('Token has been revoked.');
+      }
+
+      await this.appTokenRepository.save({
+        id: codeChallengeAppToken.id,
+        revokedAt: new Date(),
+      });
+
      userId = codeChallengeAppToken.userId;
    }