From 3e65fbd3d5bf7380faaf351c39b0787de5186679 Mon Sep 17 00:00:00 2001
From: Aditya Pimpalkar
Date: Mon, 15 Apr 2024 11:49:05 +0100
Subject: [PATCH] bug: update revokedAt on PKCE flow (#4918)

The authorization token has an expiry of 5 minutes, we already have checks in place to verify this and throw a Forbidden exception. We need to revoke the token once it's used otherwise it could be used multiple times to gain access to tokens till it expires.
---
 .../core-modules/auth/services/token.service.ts | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/packages/twenty-server/src/engine/core-modules/auth/services/token.service.ts b/packages/twenty-server/src/engine/core-modules/auth/services/token.service.ts
index 288bac064..034cf6202 100644
--- a/packages/twenty-server/src/engine/core-modules/auth/services/token.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/services/token.service.ts
@@ -322,13 +322,13 @@ export class TokenService {
     assert(
       authorizationCodeAppToken,
       'Authorization code does not exist',
-      ForbiddenException,
+      NotFoundException,
     );
 
     assert(
       authorizationCodeAppToken.expiresAt.getTime() >= Date.now(),
       'Authorization code expired.',
-      NotFoundException,
+      ForbiddenException,
     );
 
     const codeChallenge = crypto
@@ -355,7 +355,7 @@ export class TokenService {
     assert(
       codeChallengeAppToken.expiresAt.getTime() >= Date.now(),
       'code challenge expired.',
-      NotFoundException,
+      ForbiddenException,
     );
 
     assert(
@@ -364,6 +364,15 @@ export class TokenService {
       ForbiddenException,
     );
 
+    if (codeChallengeAppToken.revokedAt) {
+      throw new ForbiddenException('Token has been revoked.');
+    }
+
+    await this.appTokenRepository.save({
+      id: codeChallengeAppToken.id,
+      revokedAt: new Date(),
+    });
+
     userId = codeChallengeAppToken.userId;
   }
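Review bot: After the swap in the hunk at -322, a caller presenting an authorization code now gets NotFoundException when the code was never issued and ForbiddenException when it was issued but expired, which is a small oracle on server-side state; the hunk at -355 keeps the same split for the code challenge. This is low impact if the codes are high-entropy, but the token endpoint only needs one uniform failure for an unusable grant, so I would map both conditions to the same exception, e.g. `ForbiddenException,` in both assert calls, and keep the distinction in the message only. The enclosing method starts before and ends after these hunks.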
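Review bot: The revokedAt check and the following save() in the hunk at -364 are not atomic, so two concurrent token requests replaying the same code can both read revokedAt as null before either save lands, and the single-use guarantee the commit describes is not enforced under a race. If appTokenRepository is a TypeORM repository, a conditional update keyed on `revokedAt IS NULL` with the affected-row count as the decision gives an atomic check-and-set (sketched below; IsNull comes from typeorm); otherwise do the read and write inside one transaction with a row lock. The hunk also revokes only codeChallengeAppToken while authorizationCodeAppToken is left untouched — confirm that a replayed authorization code always resolves to this same codeChallengeAppToken row, otherwise the authorization-code token needs the same treatment. The enclosing method starts and ends outside the hunk.
```typescript
    // … unchanged: code-verifier assert …

    // Atomic check-and-set: only the first caller can flip revokedAt from NULL.
    const { affected } = await this.appTokenRepository.update(
      { id: codeChallengeAppToken.id, revokedAt: IsNull() },
      { revokedAt: new Date() },
    );

    if (!affected) {
      throw new ForbiddenException('Token has been revoked.');
    }

    userId = codeChallengeAppToken.userId;
```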