Commit 38d0de20 authored by Eric Chiang's avatar Eric Chiang Committed by GitHub

Merge pull request #1056 from ericchiang/fix-api-panic

server: fix panic caused by deleting refresh token twice through api
parents e10fddee f234e370
......@@ -266,12 +266,20 @@ func (d dexAPI) RevokeRefresh(ctx context.Context, req *api.RevokeRefreshReq) (*
return nil, err
}
var refreshID string
var (
refreshID string
notFound bool
)
updater := func(old storage.OfflineSessions) (storage.OfflineSessions, error) {
if refreshID = old.Refresh[req.ClientId].ID; refreshID == "" {
return old, fmt.Errorf("user does not have a refresh token for the client = %s", req.ClientId)
refreshRef := old.Refresh[req.ClientId]
if refreshRef == nil || refreshRef.ID == "" {
d.logger.Errorf("api: refresh token issued to client %q for user %q not found for deletion", req.ClientId, id.UserId)
notFound = true
return old, storage.ErrNotFound
}
refreshID = refreshRef.ID
// Remove entry from Refresh list of the OfflineSession object.
delete(old.Refresh, req.ClientId)
......@@ -286,7 +294,14 @@ func (d dexAPI) RevokeRefresh(ctx context.Context, req *api.RevokeRefreshReq) (*
return nil, err
}
if notFound {
return &api.RevokeRefreshResp{NotFound: true}, nil
}
// Delete the refresh token from the storage
//
// TODO(ericchiang): we don't have any good recourse if this call fails.
// Consider garbage collection of refresh tokens with no associated ref.
if err := d.s.DeleteRefresh(refreshID); err != nil {
d.logger.Errorf("failed to delete refresh token: %v", err)
return nil, err
......
......@@ -267,9 +267,23 @@ func TestRefreshToken(t *testing.T) {
}
resp, err := client.RevokeRefresh(ctx, &revokeReq)
if err != nil || resp.NotFound {
if err != nil {
t.Fatalf("Unable to revoke refresh tokens for user: %v", err)
}
if resp.NotFound {
t.Errorf("refresh token session wasn't found")
}
// Try to delete again.
//
// See https://github.com/coreos/dex/issues/1055
resp, err = client.RevokeRefresh(ctx, &revokeReq)
if err != nil {
t.Fatalf("Unable to revoke refresh tokens for user: %v", err)
}
if !resp.NotFound {
t.Errorf("refresh token session was found")
}
if resp, _ := client.ListRefresh(ctx, &listReq); len(resp.RefreshTokens) != 0 {
t.Fatalf("Refresh token returned inspite of revoking it.")
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment