Revoke old refresh token when doing a refresh token rotation

See https://auth0.com/blog/securing-single-page-applications-with-refresh-token-rotation/ for details for instance Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2021-05-31 12:08:06 +02:00 · 2021-05-31 12:08:06 +02:00 · 15b3940262
parent fd28b4d410
commit 15b3940262
1 changed files with 6 additions and 6 deletions
--- a/lib/graphql/resolvers/user.ex
+++ b/lib/graphql/resolvers/user.ex
@ -31,7 +31,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
  @doc """
  Return current logged-in user
  """
-  def get_current_user(_parent, _args, %{context: %{current_user: user}}) do
+  def get_current_user(_parent, _args, %{context: %{current_user: %User{} = user}}) do
    {:ok, user}
  end

@ -87,13 +87,13 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
  @doc """
  Refresh a token
  """
-  def refresh_token(_parent, %{refresh_token: refresh_token}, context) do
+  def refresh_token(_parent, %{refresh_token: refresh_token}, _resolution) do
    with {:ok, user, _claims} <- Auth.Guardian.resource_from_token(refresh_token),
         {:ok, _old, {exchanged_token, _claims}} <-
-           Auth.Guardian.exchange(refresh_token, ["access", "refresh"], "access"),
-         {:ok, refresh_token} <- Authenticator.generate_refresh_token(user),
-         {:ok, %User{}} <- update_user_login_information(user, context) do
-      {:ok, %{access_token: exchanged_token, refresh_token: refresh_token}}
+           Auth.Guardian.exchange(refresh_token, "refresh", "access"),
+         {:ok, new_refresh_token} <- Authenticator.generate_refresh_token(user),
+         {:ok, _claims} <- Auth.Guardian.revoke(refresh_token) do
+      {:ok, %{access_token: exchanged_token, refresh_token: new_refresh_token}}
    else
      {:error, message} ->
        Logger.debug("Cannot refresh user token: #{inspect(message)}")