
Revoking a token does not work #1183


Closed
lethunder opened this issue Jan 11, 2019 · 11 comments

Comments

@lethunder

lethunder commented Jan 11, 2019

Expected behavior
On version 5.0.2 we should be able to revoke a token without having an application_id.

Actual behavior
When I generate a token with the public default scope, without an application, and I try to revoke the token, it does not work.

The reason is this code: the private method token, in charge of returning the token from the params.

# Private helper of the revoke endpoint: looks the token up by access token
# value first, then by refresh token value, reading only the POST body params.
def token
  @token ||= AccessToken.by_token(request.POST['token']) ||
    AccessToken.by_refresh_token(request.POST['token'])
end

request.POST['token'] returns nil every time on my app.
I overrode it with request.parameters['token'] to make it work.

[screenshot: the two revoke requests side by side]

In the image, without the override it doesn't work (in red);
in blue, with the override.

System configuration

  • Windows 10
  • ruby 2.3.3p222 (2016-11-21 revision 56859) [i386-mingw32]
  • Rails 5.2.1
  • doorkeeper 5.0.2
@nbulaj
Member

nbulaj commented Jan 11, 2019

Hi @lethunder. Was this token accessible at the time of the first request, and was the client authorized (I mean, was the token issued to a public client)? As we can see from the screenshot, the requests are the same (path, params and so on).

Also, I'm not sure request.POST['token'] or request.parameters['token'] is connected with application_id somehow :|

@lethunder
Author

@nbulaj you are right, it does not have anything to do with application_id. I just created a token by signing in, then I tried to revoke it immediately after signing in.

@nbulaj
Member

nbulaj commented Jan 11, 2019

Isn't it the same as #1179?

Also, we have specs for token revocation; I'm not sure how request.parameters['token'] can fix the described issue.

@lethunder
Author

Not the same. If I don't override the token method I keep getting a 200 response even though the token is not updated.
In my case request.POST['token'] does not return the token; request.parameters['token'] does.

@nbulaj
Member

nbulaj commented Jan 11, 2019

By the OAuth2 RFC, the server must return a 200 status in any case (token revoked or not revoked).

request.POST['token'] must work the same as request.parameters['token']. Sorry, but I can't reproduce the bug. Maybe you could create a sample spec or a small application that reproduces the environment, so we can see the bug?

@lethunder
Author

I'm on it. Give me 15 minutes.

@lethunder
Author

lethunder commented Jan 11, 2019

In the zip file you have an izzi.sql to create the DB (PostgreSQL).

link to zip deleted

SIGNIN => POST http://localhost:3000/oauth/token?password=lethunder1014&grant_type=password&phone=0033652861874

SIGNOUT => http://localhost:3000/oauth/revoke?token=TOKEN
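The SIGNOUT request above carries the token in the query string, and that is the whole difference between the two accessors: Rack's request.POST parses only a form-encoded request body, while Rails' request.parameters merges the query string with the body. RFC 7009 (section 2.1) has the client send the token as a form-encoded parameter in the POST body, and section 2.2 has the server answer 200 even when nothing was revoked, so a body-only lookup silently does nothing for a query-string revoke. The following Ruby is an added illustration, not doorkeeper's code and not part of this thread; it models the two accessors over plain Hash requests (the field names, the sample token value and the rfc7009_compliant? helper are all constructed for the example).

```ruby
require 'uri'

# Added example: models Rack's body-only request.POST versus the merged
# request.parameters accessor for a token revocation request.
# A request is a plain Hash with the fields this comparison needs.

FORM = 'application/x-www-form-urlencoded'

def query_params(req)
  Hash[URI.decode_www_form(req[:query].to_s)]
end

# Body params are parsed only for a form-encoded POST, as Rack does.
def body_params(req)
  return {} unless req[:method] == 'POST' && req[:content_type] == FORM
  Hash[URI.decode_www_form(req[:body].to_s)]
end

# Equivalent of request.POST['token']: looks at the body only.
def token_from_post(req)
  body_params(req)['token']
end

# Equivalent of request.parameters['token']: query string merged with the
# body, the body winning on conflict as it does in Rails.
def token_from_parameters(req)
  query_params(req).merge(body_params(req))['token']
end

# RFC 7009 section 2.1 expects the token in the form-encoded POST body.
# A server can use this check to log non-compliant clients instead of
# quietly returning 200 with nothing revoked. (Hypothetical helper.)
def rfc7009_compliant?(req)
  !token_from_post(req).nil?
end

# Constructed sample requests; 'abc123' is not a real token.
QUERY_STRING_REVOKE = {
  method: 'POST', path: '/oauth/revoke',
  query: 'token=abc123', content_type: nil, body: ''
}.freeze
BODY_REVOKE = {
  method: 'POST', path: '/oauth/revoke',
  query: '', content_type: FORM, body: 'token=abc123'
}.freeze

if __FILE__ == $PROGRAM_NAME
  [QUERY_STRING_REVOKE, BODY_REVOKE].each do |req|
    puts "query=#{req[:query].inspect} body=#{req[:body].inspect}: " \
         "POST=#{token_from_post(req).inspect} " \
         "parameters=#{token_from_parameters(req).inspect} " \
         "rfc7009=#{rfc7009_compliant?(req)}"
  end
end
```

Run it and the query-string request yields nil from the body-only lookup but the token from the merged one, which is exactly the red-versus-blue behaviour in the screenshot. Reading from the merged params makes the endpoint tolerant of such clients; logging the non-compliant shape keeps the misbehaving client visible either way.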

@nbulaj
Member

nbulaj commented Jan 11, 2019

@lethunder I created the DB with rails db:create db:schema:load and tried to load izzi.sql, but got multiple errors, most of them related to pgcrypto. Also, I think you need to remove the file because it has a .git directory that contains sensitive data.

It would be great if you could provide an RSpec sample, because it's hard to reproduce the bug when I don't know the full flow.

@lethunder
Author

@nbulaj
Member

nbulaj commented Jan 16, 2019

Hi @lethunder. I've checked the latest ZIP and it seems like we really have a weird bug. I introduced a fix, so it would be great if you could check the master branch and tell me if everything is OK.

@lethunder
Author

Hi @nbulaj, it works fine :)

2 participants