From 15b3940262aab872cdef4c34227e3759db0b43fe Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Mon, 31 May 2021 12:08:06 +0200
Subject: [PATCH] Revoke old refresh token when doing a refresh token rotation

See https://auth0.com/blog/securing-single-page-applications-with-refresh-token-rotation/ for details for instance

Signed-off-by: Thomas Citharel
---
 lib/graphql/resolvers/user.ex | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/graphql/resolvers/user.ex b/lib/graphql/resolvers/user.ex
index ddcada5f6..d25cabfaa 100644
--- a/lib/graphql/resolvers/user.ex
+++ b/lib/graphql/resolvers/user.ex
@@ -31,7 +31,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
   @doc """
   Return current logged-in user
   """
-  def get_current_user(_parent, _args, %{context: %{current_user: user}}) do
+  def get_current_user(_parent, _args, %{context: %{current_user: %User{} = user}}) do
     {:ok, user}
   end
 
@@ -87,13 +87,13 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
   @doc """
   Refresh a token
   """
-  def refresh_token(_parent, %{refresh_token: refresh_token}, context) do
+  def refresh_token(_parent, %{refresh_token: refresh_token}, _resolution) do
     with {:ok, user, _claims} <- Auth.Guardian.resource_from_token(refresh_token),
          {:ok, _old, {exchanged_token, _claims}} <-
-           Auth.Guardian.exchange(refresh_token, ["access", "refresh"], "access"),
-         {:ok, refresh_token} <- Authenticator.generate_refresh_token(user),
-         {:ok, %User{}} <- update_user_login_information(user, context) do
-      {:ok, %{access_token: exchanged_token, refresh_token: refresh_token}}
+           Auth.Guardian.exchange(refresh_token, "refresh", "access"),
+         {:ok, new_refresh_token} <- Authenticator.generate_refresh_token(user),
+         {:ok, _claims} <- Auth.Guardian.revoke(refresh_token) do
+      {:ok, %{access_token: exchanged_token, refresh_token: new_refresh_token}}
     else
       {:error, message} ->
         Logger.debug("Cannot refresh user token: #{inspect(message)}")
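Review bot: Once the old refresh token is revoked, a later presentation of that same token is the reuse signal the cited Auth0 rotation scheme is built around, yet in this hunk it only falls through to `Logger.debug("Cannot refresh user token: ...")` with no reuse detection and nothing that invalidates the tokens already minted from it; a stolen-then-rotated token therefore stays usable by whoever rotated first. At minimum the `else` branch should log at warn level so operators can see replay attempts, e.g. `Logger.warn("Refresh token rejected, possible reuse: #{inspect(message)}")`, and ideally a revoked-token hit should revoke the user's outstanding refresh tokens, which presumably needs support in `Authenticator`/Guardian that is not visible here. The new ordering also mints the access token and the new refresh token before `Auth.Guardian.revoke(refresh_token)` runs, so a revoke failure returns an error while leaving freshly issued tokens valid but unreturned; the exchange-then-revoke order is likely forced by verification, but the failure case deserves a comment. Finally, the commit silently drops `update_user_login_information(user, context)`, so last-login data is no longer refreshed on rotation unless that moved elsewhere; if intentional, it should be stated in the commit message. The `refresh_token/3` body continues past the end of the hunk.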