MCPcopy Index your code
hub / github.com/coder/coder / revokeRefreshTokenInTx

Function revokeRefreshTokenInTx

coderd/oauth2provider/revoke.go:119–161  ·  view source on GitHub ↗
(ctx context.Context, db database.Store, token string, appID uuid.UUID)

Source from the content-addressed store, hash-verified

117}
118
119func revokeRefreshTokenInTx(ctx context.Context, db database.Store, token string, appID uuid.UUID) error {
120 // Parse the refresh token using the existing function
121 parsedToken, err := ParseFormattedSecret(token)
122 if err != nil {
123 return ErrInvalidTokenFormat
124 }
125
126 // Try to find refresh token by prefix
127 //nolint:gocritic // Using AsSystemOAuth2 for OAuth2 public token revocation endpoint
128 dbToken, err := db.GetOAuth2ProviderAppTokenByPrefix(dbauthz.AsSystemOAuth2(ctx), []byte(parsedToken.Prefix))
129 if err != nil {
130 if errors.Is(err, sql.ErrNoRows) {
131 // Token not found - return success per RFC 7009 (don't reveal token existence)
132 return nil
133 }
134 return xerrors.Errorf("get oauth2 provider app token by prefix: %w", err)
135 }
136
137 equal := apikey.ValidateHash(dbToken.RefreshHash, parsedToken.Secret)
138 if !equal {
139 return xerrors.Errorf("invalid refresh token")
140 }
141
142 // Verify ownership
143 //nolint:gocritic // Using AsSystemOAuth2 for OAuth2 public token revocation endpoint
144 appSecret, err := db.GetOAuth2ProviderAppSecretByID(dbauthz.AsSystemOAuth2(ctx), dbToken.AppSecretID)
145 if err != nil {
146 return xerrors.Errorf("get oauth2 provider app secret: %w", err)
147 }
148 if appSecret.AppID != appID {
149 return ErrTokenNotBelongsToClient
150 }
151
152 // Delete the associated API key, which should cascade to remove the refresh token
153 // According to RFC 7009, when a refresh token is revoked, associated access tokens should be invalidated
154 //nolint:gocritic // Using AsSystemOAuth2 for OAuth2 public token revocation endpoint
155 err = db.DeleteAPIKeyByID(dbauthz.AsSystemOAuth2(ctx), dbToken.APIKeyID)
156 if err != nil && !errors.Is(err, sql.ErrNoRows) {
157 return xerrors.Errorf("delete api key: %w", err)
158 }
159
160 return nil
161}
162
163func revokeAPIKeyInTx(ctx context.Context, db database.Store, token string, appID uuid.UUID) error {
164 keyID, secret, err := httpmw.SplitAPIToken(token)

Callers 1

RevokeTokenFunction · 0.85

Calls 8

AsSystemOAuth2Function · 0.92
ValidateHashFunction · 0.92
ParseFormattedSecretFunction · 0.85
DeleteAPIKeyByIDMethod · 0.65
IsMethod · 0.45
ErrorfMethod · 0.45

Tested by

no test coverage detected