diff options
author | Frederick Muriuki Muriithi | 2023-01-20 07:02:37 +0300 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2023-01-20 11:58:33 +0300 |
commit | 69d7d2e49c7381b9fb757bfcc6d83d59df6442b3 (patch) | |
tree | dbfc1983046f9d56adf58b37af05aa04709d399d /wqflask | |
parent | 63aff5ca22cfb5caaa38ac1d737afa48fc8dbf02 (diff) | |
download | genenetwork2-69d7d2e49c7381b9fb757bfcc6d83d59df6442b3.tar.gz |
oauth2: Revoke token on logout
If a user logs out of the session, and their token is not revoked, if
their token were to leak somehow, then an attacker could use it before
it expired.
Explicit revocation of the token helps avoid that.
Diffstat (limited to 'wqflask')
-rw-r--r-- | wqflask/wqflask/oauth2/routes.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/wqflask/wqflask/oauth2/routes.py b/wqflask/wqflask/oauth2/routes.py index 83994284..4ab1f9c6 100644 --- a/wqflask/wqflask/oauth2/routes.py +++ b/wqflask/wqflask/oauth2/routes.py @@ -67,9 +67,16 @@ def login(): @oauth2.route("/logout", methods=["GET", "POST"]) def logout(): - keys = tuple(key for key in session.keys() if not key.startswith("_")) - for key in keys: - session.pop(key, default=None) + if user_logged_in(): + token = session.get("oauth2_token", False) + config = app.config + client = OAuth2Session( + config["OAUTH2_CLIENT_ID"], config["OAUTH2_CLIENT_SECRET"], + scope = "profile resource", token=token) + resp = client.revoke_token(urljoin(config["GN_SERVER_URL"], "oauth2/revoke")) + keys = tuple(key for key in session.keys() if not key.startswith("_")) + for key in keys: + session.pop(key, default=None) return redirect("/") |