From 69d7d2e49c7381b9fb757bfcc6d83d59df6442b3 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Fri, 20 Jan 2023 07:02:37 +0300
Subject: oauth2: Revoke token on logout
If a user logs out of the session, and their token is not revoked, if their token were to leak somehow, then an attacker could use it before it expired. Explicit revocation of the token helps avoid that.
---
wqflask/wqflask/oauth2/routes.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/wqflask/wqflask/oauth2/routes.py b/wqflask/wqflask/oauth2/routes.py
index 83994284..4ab1f9c6 100644
--- a/wqflask/wqflask/oauth2/routes.py
+++ b/wqflask/wqflask/oauth2/routes.py
@@ -67,9 +67,16 @@ def login():
 @oauth2.route("/logout", methods=["GET", "POST"])
 def logout():
- keys = tuple(key for key in session.keys() if not key.startswith("_"))
- for key in keys:
- session.pop(key, default=None)
+ if user_logged_in():
+ token = session.get("oauth2_token", False)
+ config = app.config
+ client = OAuth2Session(
+ config["OAUTH2_CLIENT_ID"], config["OAUTH2_CLIENT_SECRET"],
+ scope = "profile resource", token=token)
+ resp = client.revoke_token(urljoin(config["GN_SERVER_URL"], "oauth2/revoke"))
+ keys = tuple(key for key in session.keys() if not key.startswith("_"))
+ for key in keys:
+ session.pop(key, default=None)
 return redirect("/")
--
cgit v1.2.3
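Review bot: The result of the new revocation call (`resp = client.revoke_token(...)`) is never inspected, and if that call raises — a network error or non-2xx handling inside the client — the session-clearing loop that follows it is skipped, so a failed revocation leaves the user still logged in locally behind an error page, which is the opposite of what a logout should guarantee. The revocation should be best-effort: wrap it so the local session is always cleared, and log a non-OK response or exception so operators can see tokens that were not revoked server-side (this assumes `app` is the Flask application and that `resp` is a `requests.Response`, as it is with authlib's `OAuth2Session`). Note also that this only sends the access token; whether any refresh token the server issued is invalidated alongside it depends on the server's RFC 7009 behaviour and is worth confirming. Passing `token=False` when `oauth2_token` is absent from the session is probably harmless but `session.get("oauth2_token")` would make the intent clearer.
```python
        # … unchanged: build `client` from app.config and the session token …
        try:
            resp = client.revoke_token(
                urljoin(config["GN_SERVER_URL"], "oauth2/revoke"))
            if not resp.ok:
                app.logger.warning(
                    "token revocation returned HTTP %s", resp.status_code)
        except Exception:
            # A failed revocation must never skip clearing the local session.
            app.logger.exception("token revocation request failed")
    # … unchanged: pop non-underscore keys from the session, redirect …
```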