author | Frederick Muriuki Muriithi | 2023-01-20 07:02:37 +0300 |
committer | Frederick Muriuki Muriithi | 2023-01-20 11:58:33 +0300 |
commit | 69d7d2e49c7381b9fb757bfcc6d83d59df6442b3 (patch) | |
tree | dbfc1983046f9d56adf58b37af05aa04709d399d | |
parent | 63aff5ca22cfb5caaa38ac1d737afa48fc8dbf02 (diff) | |
download | genenetwork2-69d7d2e49c7381b9fb757bfcc6d83d59df6442b3.tar.gz |
oauth2: Revoke token on logout
If a user logs out of the session but their token is not revoked, and
the token were to leak somehow, an attacker could use it until it
expired.
Explicit revocation of the token helps avoid that.
-rw-r--r-- | wqflask/wqflask/oauth2/routes.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/wqflask/wqflask/oauth2/routes.py b/wqflask/wqflask/oauth2/routes.py
index 83994284..4ab1f9c6 100644
--- a/wqflask/wqflask/oauth2/routes.py
+++ b/wqflask/wqflask/oauth2/routes.py
@@ -67,9 +67,16 @@ def login():
 @oauth2.route("/logout", methods=["GET", "POST"])
 def logout():
- keys = tuple(key for key in session.keys() if not key.startswith("_"))
- for key in keys:
- session.pop(key, default=None)
+ if user_logged_in():
+ token = session.get("oauth2_token", False)
+ config = app.config
+ client = OAuth2Session(
+ config["OAUTH2_CLIENT_ID"], config["OAUTH2_CLIENT_SECRET"],
+ scope = "profile resource", token=token)
+ resp = client.revoke_token(urljoin(config["GN_SERVER_URL"], "oauth2/revoke"))
+ keys = tuple(key for key in session.keys() if not key.startswith("_"))
+ for key in keys:
+ session.pop(key, default=None)
 return redirect("/") |
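Review bot: The revocation result on the `resp = client.revoke_token(...)` line is assigned but never inspected, and a transport failure inside that call raises out of logout() before the session-clearing loop runs, so the user is left logged in locally exactly when the server-side token could not be revoked. Wrap the revoke call in a try/except that logs the outcome (non-success status or exception) and falls through to the session clearing, so logout always completes locally and a failed revocation shows up in the logs instead of disappearing. If the stored token also carries a refresh token, revoking only the access token may leave that refresh token usable; whether the server invalidates related tokens depends on its revocation semantics and on what `session["oauth2_token"]` holds, neither of which is visible here. Minor style point: `scope = "profile resource"` should be `scope="profile resource"` (no spaces around `=` in keyword arguments). The hunk's trailing context lines after `return redirect("/")` are not shown in this rendering.
```python
    if user_logged_in():
        # … unchanged: token and config lookup …
        client = OAuth2Session(
            config["OAUTH2_CLIENT_ID"], config["OAUTH2_CLIENT_SECRET"],
            scope="profile resource", token=token)
        try:
            resp = client.revoke_token(
                urljoin(config["GN_SERVER_URL"], "oauth2/revoke"))
            if not resp.ok:  # assumes revoke_token returns a requests Response
                app.logger.warning(  # app.logger: assumes app is the Flask application
                    "Token revocation returned status %s", resp.status_code)
        except Exception:  # a failed revoke must never block the local logout
            app.logger.exception("Token revocation request failed")
    # … unchanged: session clearing and redirect …
```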