authorFrederick Muriuki Muriithi2024-05-24 10:48:28 -0500
committerFrederick Muriuki Muriithi2024-05-24 10:48:28 -0500
commit75ea3002799a6323c29da1ce36aa119b12469b61 (patch)
tree559fd5f7e90004ac460802d3ea4a66002c8b9a12
parentbc712d3c392895e549b019e3cbe20c9a9c687576 (diff)
downloadgn-auth-75ea3002799a6323c29da1ce36aa119b12469b61.tar.gz
Check whether a refresh token has been used before
Check whether a refresh token has been used before using it to
generate a new JWT token.

If the refresh token has been used previously, it should be revoked,
and an error raised.

As of this commit the actual revocation process hasn't been implemented.
-rw-r--r--gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py20
1 files changed, 17 insertions, 3 deletions
diff --git a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
index 04908bc..e178c27 100644
--- a/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
+++ b/gn_auth/auth/authentication/oauth2/models/jwtrefreshtoken.py
@@ -125,12 +125,26 @@ def link_child_token(conn: db.DbConnection, parenttoken: str, childtoken: str):
                  "WHERE token=:parenttoken"),
                 {"parenttoken": parent.token, "childtoken": childtoken})
 
-    def __raise_error__(_error_msg_):
+    def __check_child__(parent):
+        with db.cursor(conn) as cursor:
+            cursor.execute(
+                ("SELECT * FROM jwt_refresh_tokens WHERE token=:parenttoken"),
+                {"parenttoken": parent.token})
+            results = cursor.fetchone()
+            if results["parent_of"] is not None:
+                return Left(
+                    "Refresh token has been used before. Possibly nefarious "
+                    "activity detected.")
+            return Right(parent)
+
+    def __revoke_and_raise_error__(_error_msg_):
+        revoke_refresh_token(conn, parenttoken)
         raise InvalidGrantError(_error_msg_)
 
     load_refresh_token(conn, parenttoken).maybe(
-        Left("Token not found"), Right).either(
-            __raise_error__, __link_to_child__)
+        Left("Token not found"), Right).then(
+            __check_child__).either(__revoke_and_raise_error__,
+                                    __link_to_child__)
 
 
 def is_refresh_token_valid(token: JWTRefreshToken, client: OAuth2Client) -> bool:
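Review bot: The reuse check in `__check_child__` and the link in `__link_to_child__` are two separate statements, so two concurrent refresh requests presenting the same token can both read `parent_of IS NULL`, both pass the check, and both mint a child — exactly the replay the check is meant to catch. Making the update itself the check closes that window: `"UPDATE jwt_refresh_tokens SET parent_of=:childtoken " "WHERE token=:parenttoken AND parent_of IS NULL"` followed by `if cursor.rowcount == 0: return Left("Refresh token has been used before. ...")`, with the SELECT in `__check_child__` then only needed as a fast path. The UPDATE text in `__link_to_child__` is above the hunk, as is the start of `link_child_token`, so this is inferred from the trailing `WHERE token=:parenttoken` on the first context line. Separately, `__revoke_and_raise_error__` revokes only the replayed parent, which is already consumed; on reuse detection the usual guidance (OAuth 2.0 Security BCP refresh-token rotation) is to revoke the whole token family, including the child it was previously linked to, which is worth noting in the `revoke_refresh_token` TODO since the commit message says the revocation itself is not implemented yet. A one-line guard before `results["parent_of"]` would also avoid a `TypeError` if the row disappears between `load_refresh_token` and this SELECT, e.g. `if results is None: return Left("Token not found")`.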