Implements Refresh Token Flow for Meteor 3

leaonline · Aug 1, 2024 · 3ba0c44 · 3ba0c44
1 parent 411b17d
commit 3ba0c44
Show file tree

Hide file tree

Showing 7 changed files with 57 additions and 5 deletions.
diff --git a/lib/model/meteor-model.js b/lib/model/meteor-model.js
@@ -110,7 +110,7 @@ export const saveAuthorizationCode = async (code, client, user) => {
     redirectUri,
     scope: code.scope,
     client: {
-      id: client.client_id
+      id: client.clientId
     },
     user: {
       id: user.id
@@ -154,3 +154,8 @@ export const saveRefreshToken = async (token, clientId, expires, user) => {
 export const getRefreshToken = async (refreshToken) => {
   return collections.RefreshTokens.findOneAsync({ refreshToken })
 }
+
+export const revokeToken = async (token) => {
+  const result = await collections.AccessTokens.removeAsync({ refreshToken: token.refreshToken })
+  return !!result
+}
diff --git a/lib/model/model.js b/lib/model/model.js
@@ -10,7 +10,8 @@ import {
   saveAuthorizationCode,
   saveRefreshToken,
   saveToken,
-  getAccessToken
+  getAccessToken,
+  revokeToken
 } from './meteor-model'
 
 /**
@@ -176,6 +177,14 @@ class OAuthMeteorModel {
   async verifyScope (accessToken, scope) {
     return accessToken.scope.sort().join(',') === scope.sort().join(',')
   }
+
+  /**
+   * revokeToken(refreshToken) is required and should return true
+   */
+  async revokeToken (refreshToken) {
+    this.log(`revokeToken (refreshToken: ${refreshToken})`)
+    return revokeToken(refreshToken)
+  }
 }
 
 export { OAuthMeteorModel }
diff --git a/lib/oauth.js b/lib/oauth.js
@@ -17,6 +17,7 @@ import { validateParams } from './validation/validateParams'
 import { requiredAuthorizeGetParams } from './validation/requiredAuthorizeGetParams'
 import { requiredAuthorizePostParams } from './validation/requiredAuthorizePostParams'
 import { requiredAccessTokenPostParams } from './validation/requiredAccessTokenPostParams'
+import { requiredRefreshTokenPostParams } from './validation/requiredRefreshTokenPostParams'
 import { UserValidation } from './validation/UserValidation'
 import { OptionsSchema } from './validation/OptionsSchema'
 
@@ -451,7 +452,7 @@ const initRoutes = (self, {
     url: accessTokenUrl,
     description: 'step 4 - generate access token response',
     handler: async function (req, res /*, next */) {
-      if (!validateParams(req.body, requiredAccessTokenPostParams, self.debug)) {
+      if (!validateParams(req.body, req.body?.refresh_token ? requiredRefreshTokenPostParams : requiredAccessTokenPostParams, self.debug)) {
         return errorHandler(res, {
           status: 400,
           error: 'invalid_request',

diff --git a/lib/utils/isModelInterface.js b/lib/utils/isModelInterface.js
@@ -10,7 +10,8 @@ const modelNames = [
   'saveAuthorizationCode',
   'saveRefreshToken',
   'saveToken',
-  'getAccessToken'
+  'getAccessToken',
+  'revokeToken'
 ]
 
 /**
@@ -28,6 +29,7 @@ const modelNames = [
  * - 'saveRefreshToken',
  * - 'saveToken',
  * - 'getAccessToken'
+ * - 'revokeToken'
  * @param model {Object} the model implementation
  * @return {boolean} true if valid, otherwise false
  */

diff --git a/lib/validation/requiredRefreshTokenPostParams.js b/lib/validation/requiredRefreshTokenPostParams.js
@@ -0,0 +1,11 @@
+import { Match } from 'meteor/check'
+import { nonEmptyString } from './nonEmptyString'
+
+const isNonEmptyString = Match.Where(nonEmptyString)
+
+export const requiredRefreshTokenPostParams = {
+  grant_type: isNonEmptyString,
+  refresh_token: isNonEmptyString,
+  client_id: Match.Maybe(String),
+  client_secret: Match.Maybe(String)
+}
diff --git a/tests/model-tests.js b/tests/model-tests.js
@@ -221,6 +221,29 @@ describe('model', function () {
     })
   })
 
+  describe('revokeRefreshToken', () => {
+    let model
+
+    beforeEach(function () {
+      model = new OAuthMeteorModel()
+    })
+
+    it('returns true if the refresh token was revoked', async () => {
+      const collection = Mongo.Collection.get(DefaultModelConfig.accessTokensCollectionName)
+      const refreshToken = Random.id()
+      await collection.insertAsync({ refreshToken })
+      const tokenDoc = await model.revokeToken({refreshToken})
+      assert.isTrue(tokenDoc)
+    })
+
+    it('returns false if the refresh token was not found', async () => {
+      const collection = Mongo.Collection.get(DefaultModelConfig.accessTokensCollectionName)
+      const refreshToken = Random.id()
+      const tokenDoc = await model.revokeToken({refreshToken})
+      assert.isFalse(tokenDoc)
+    })
+  })
+
   describe('saveAuthorizationCode', function () {
     it('is not yet implemented')
   })

diff --git a/tests/oauth-tests.js b/tests/oauth-tests.js
@@ -54,7 +54,8 @@ describe('constructor', function () {
       revokeAuthorizationCode: async () => true,
       saveAuthorizationCode: async () => true,
       saveRefreshToken: async () => true,
-      saveToken: async () => true
+      saveToken: async () => true,
+      revokeToken: async () => true
     }
     const server = new OAuth2Server({ model })
     assert.isDefined(server)