immediately clear token cache on deletion

reported by https://hackerone.com/jtcsec
pull/7427/head
Thibault Duplessis 2020-10-05 10:36:24 +02:00
parent 2ac066ae74
commit 9717b8215b
2 changed files with 9 additions and 3 deletions


@ -1,8 +1,9 @@
package controllers
import views._
import lila.app._
import lila.oauth.AccessToken
import views._
final class OAuthToken(env: Env) extends LilaController(env) {
@ -40,7 +41,9 @@ final class OAuthToken(env: Env) extends LilaController(env) {
def delete(id: String) =
Auth { _ => me =>
tokenApi.deleteBy(AccessToken.Id(id), me) inject
val tokenId = AccessToken.Id(id)
tokenApi.deleteBy(tokenId, me) >>-
env.oAuth.server.deleteCached(tokenId) inject
Redirect(routes.OAuthToken.index()).flashSuccess
}
}
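Review bot: `env.oAuth.server.deleteCached(tokenId)` on the new `>>-` line runs for whatever id the request carried, independently of whether `tokenApi.deleteBy(tokenId, me)` actually removed anything (its `me` argument suggests the deletion is scoped to the caller's own tokens), so any authenticated user can write a cache entry for an arbitrary token id; that is only harmless if `deleteCached` evicts rather than stores a value, which the OAuthServer hunk below shows it does not. The eviction is also confined to this process's `accessTokenCache`; if the app runs as several instances, the others keep honouring the revoked token until the 5-minute `expireAfterWrite` elapses, which deserves a comment on that line, e.g. `// evict from the local cache so the revoked token stops working now rather than at TTL expiry (other nodes keep it until then)`. The enclosing class continues outside the hunk.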


@ -58,13 +58,16 @@ final class OAuthServer(
user2 <- auth2
} yield (user1.user, user2.user)
def deleteCached(id: AccessToken.Id): Unit =
accessTokenCache.put(id, fuccess(none))
private def reqToTokenId(req: RequestHeader): Option[AccessToken.Id] =
req.headers.get(AUTHORIZATION).map(_.split(" ", 2)) collect { case Array("Bearer", tokenStr) =>
AccessToken.Id(tokenStr)
}
private val accessTokenCache =
cacheApi[AccessToken.Id, Option[AccessToken.ForAuth]](16, "oauth.server.personal_access_token") {
cacheApi[AccessToken.Id, Option[AccessToken.ForAuth]](32, "oauth.server.personal_access_token") {
_.expireAfterWrite(5 minutes)
.buildAsyncFuture(fetchAccessToken)
}
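Review bot: `deleteCached` stores `fuccess(none)` in `accessTokenCache` instead of evicting the key, so for up to 5 minutes (`expireAfterWrite`) a lookup of that id answers "no token" without going through `fetchAccessToken`. That is the right outcome when the row is really gone, but the controller calls it with a user-supplied id after a `deleteBy` that may be scoped to the caller's own tokens, so an id that was not actually deleted would be negatively cached and refused until the TTL expires; evicting the entry (if the cache type exposes an invalidate/remove operation) lets the next request re-fetch the true state instead. The method also needs a Scaladoc line, e.g. `/** Forget a revoked token so it is no longer accepted before its cache entry expires; affects only this instance's cache. */`. The capacity change from 16 to 32 on the `cacheApi` line is unexplained and a short comment on the reason would help.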