authorFrederick Muriuki Muriithi2023-01-20 07:02:37 +0300
committerFrederick Muriuki Muriithi2023-01-20 11:58:33 +0300
commit69d7d2e49c7381b9fb757bfcc6d83d59df6442b3 (patch)
treedbfc1983046f9d56adf58b37af05aa04709d399d
parent63aff5ca22cfb5caaa38ac1d737afa48fc8dbf02 (diff)
downloadgenenetwork2-69d7d2e49c7381b9fb757bfcc6d83d59df6442b3.tar.gz
oauth2: Revoke token on logout
If a user logs out of the session and their token is not revoked, then, should the token leak somehow, an attacker could use it until it expired. Explicit revocation of the token helps avoid that.
-rw-r--r--wqflask/wqflask/oauth2/routes.py13
1 files changed, 10 insertions, 3 deletions
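--- a/wqflask/wqflask/oauth2/routes.py
+++ b/wqflask/wqflask/oauth2/routes.py
@@ -67,9 +67,16 @@ def login():
 @oauth2.route("/logout", methods=["GET", "POST"])
 def logout():
-    keys = tuple(key for key in session.keys() if not key.startswith("_"))
-    for key in keys:
-        session.pop(key, default=None)
+    if user_logged_in():
+        token = session.get("oauth2_token", False)
+        config = app.config
+        client = OAuth2Session(
+            config["OAUTH2_CLIENT_ID"], config["OAUTH2_CLIENT_SECRET"],
+            scope = "profile resource", token=token)
+        resp = client.revoke_token(urljoin(config["GN_SERVER_URL"], "oauth2/revoke"))
+    keys = tuple(key for key in session.keys() if not key.startswith("_"))
+    for key in keys:
+        session.pop(key, default=None)
     return redirect("/")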
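Review bot: The result of `client.revoke_token(...)` is bound to `resp` but never inspected, so a revocation the server rejects (non-2xx) is silently treated as success: the local session is cleared and the user is redirected, while the token stays valid server-side, which is exactly the exposure the commit message describes. Conversely, if the revocation request raises (network error, `token=False` when `"oauth2_token"` is absent from the session although `user_logged_in()` is true), the exception propagates before the session-clearing loop runs and the user is never logged out locally. The local session should be cleared regardless of the revocation outcome, and a failed revocation should at least be logged so it is detectable; the sketch below assumes `revoke_token` returns a `requests`-style response with `ok`/`status_code` — confirm against the OAuth2Session implementation in use, and narrow the `except` to that client's transport error type if one is exported. As a minor style point, `scope = "profile resource"` should be `scope="profile resource"` (PEP 8 keyword-argument spacing).
```python
    if user_logged_in():
        token = session.get("oauth2_token", False)
        config = app.config
        client = OAuth2Session(
            config["OAUTH2_CLIENT_ID"], config["OAUTH2_CLIENT_SECRET"],
            scope="profile resource", token=token)
        try:
            resp = client.revoke_token(
                urljoin(config["GN_SERVER_URL"], "oauth2/revoke"))
            if not resp.ok:  # revocation rejected: token may still be live server-side
                app.logger.warning(
                    "Token revocation failed: %s", resp.status_code)
        except Exception as exc:  # TODO: narrow to the client's transport error type
            app.logger.warning("Token revocation request failed: %s", exc)
    # … unchanged: clear non-internal session keys, then redirect …
```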