Revoke old refresh token when doing a refresh token rotation
See https://auth0.com/blog/securing-single-page-applications-with-refresh-token-rotation/ for details, for instance. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
parent
fd28b4d410
commit
15b3940262
@ -31,7 +31,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
|
||||
@doc """
|
||||
Return current logged-in user
|
||||
"""
|
||||
def get_current_user(_parent, _args, %{context: %{current_user: user}}) do
|
||||
def get_current_user(_parent, _args, %{context: %{current_user: %User{} = user}}) do
|
||||
{:ok, user}
|
||||
end
|
||||
|
||||
@ -87,13 +87,13 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
|
||||
@doc """
|
||||
Refresh a token
|
||||
"""
|
||||
def refresh_token(_parent, %{refresh_token: refresh_token}, context) do
|
||||
def refresh_token(_parent, %{refresh_token: refresh_token}, _resolution) do
|
||||
with {:ok, user, _claims} <- Auth.Guardian.resource_from_token(refresh_token),
|
||||
{:ok, _old, {exchanged_token, _claims}} <-
|
||||
Auth.Guardian.exchange(refresh_token, ["access", "refresh"], "access"),
|
||||
{:ok, refresh_token} <- Authenticator.generate_refresh_token(user),
|
||||
{:ok, %User{}} <- update_user_login_information(user, context) do
|
||||
{:ok, %{access_token: exchanged_token, refresh_token: refresh_token}}
|
||||
Auth.Guardian.exchange(refresh_token, "refresh", "access"),
|
||||
{:ok, new_refresh_token} <- Authenticator.generate_refresh_token(user),
|
||||
{:ok, _claims} <- Auth.Guardian.revoke(refresh_token) do
|
||||
{:ok, %{access_token: exchanged_token, refresh_token: new_refresh_token}}
|
||||
else
|
||||
{:error, message} ->
|
||||
Logger.debug("Cannot refresh user token: #{inspect(message)}")
|
||||
|
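Review bot: The new `with` chain in `refresh_token/3` drops the `{:ok, %User{}} <- update_user_login_information(user, context)` step the old version ran before returning tokens, and the third argument becomes `_resolution`, so the login bookkeeping no longer happens on refresh; nothing in the commit message says that was intended, so either restore it (`{:ok, %User{}} <- update_user_login_information(user, resolution)` before the `do`) or state the removal deliberately. A comment above the `{:ok, _claims} <- Auth.Guardian.revoke(refresh_token) do` clause would also help, since Guardian's default `on_revoke` callback does nothing: the old refresh token only stops working if the `Auth.Guardian` implementation persists revocations in a token store (such as Guardian.DB) and `resource_from_token/1` consults it — presumably that is configured, but confirm, otherwise this rotation does not actually invalidate the previous token. Because `revoke/1` runs after `exchange/3` and `generate_refresh_token/1`, a revocation failure leaves the old refresh token valid while the freshly minted tokens are silently discarded; calling `revoke/1` before `generate_refresh_token/1` avoids minting tokens that are then dropped. The `else` block of `refresh_token/3` continues past the end of the hunk.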