Revoke token on wrong auth
ivan1986 opened this issue · 4 comments
ivan1986 commented
If you log in with an email that does not have access, you cannot re-login with another one.
If I add, in -- If no whitelist or blacklist, match on domain,
https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)
before returning 401, all is OK.
Maybe add an option?
ivan1986 commented
```lua
local https = require("ssl.https") -- LuaSec client used for the revoke call

-- If no whitelist or blacklist, match on domain
if not whitelist and not blacklist and domain then
  if oauth_domain ~= domain then
    if debug then
      ngx.log(ngx.ERR, "DEBUG: "..email.." not in "..domain)
    end
    -- Revoke the Google token before denying, so another account can be chosen
    https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end
end

if whitelist then
  -- Plain find (1, true): "." and "-" in the email must not act as Lua pattern characters
  if not string.find(" " .. whitelist .. " ", " " .. email .. " ", 1, true) then
    if debug then
      ngx.log(ngx.ERR, "DEBUG: "..email.." not in whitelist")
    end
    https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end
end

if blacklist then
  -- Plain find here as well, so a blacklisted address cannot slip past a pattern mismatch
  if string.find(" " .. blacklist .. " ", " " .. email .. " ", 1, true) then
    if debug then
      ngx.log(ngx.ERR, "DEBUG: "..email.." in blacklist")
    end
    https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end
end
```
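An added example, not part of the original comments or the project's code: the three deny branches above folded into one decision function and one deny path, with revocation behind an option as the issue suggests. The names `authorize`, `deny`, `cfg.revoke_on_deny` and `http_post` are hypothetical, the email domain is derived from the address as an assumption, and the transport is injected so the block runs under plain Lua without nginx.

```lua
-- Added example; authorize, deny, cfg.revoke_on_deny and http_post are hypothetical names.
local REVOKE_URL = "https://accounts.google.com/o/oauth2/revoke" -- URL from the comment above

-- Plain (non-pattern) membership test in a space-separated list.
local function in_list(list, email)
  return string.find(" " .. list .. " ", " " .. email .. " ", 1, true) ~= nil
end

-- Pure decision: returns true, or false plus the reason for the log line.
local function authorize(email, cfg)
  local email_domain = email:match("@([^@]+)$")
  if not cfg.whitelist and not cfg.blacklist and cfg.domain and email_domain ~= cfg.domain then
    return false, "not in " .. cfg.domain
  end
  if cfg.whitelist and not in_list(cfg.whitelist, email) then
    return false, "not in whitelist"
  end
  if cfg.blacklist and in_list(cfg.blacklist, email) then
    return false, "in blacklist"
  end
  return true
end

-- Percent-encode the token before it goes into the form body.
local function form_encode(s)
  return (s:gsub("[^%w%-_%.~]", function(c) return string.format("%%%02X", c:byte()) end))
end

-- Single deny path. Revocation is best-effort: a transport error or a
-- non-200 reply is reported, but the caller still gets 401 (fail closed).
local function deny(access_token, cfg, http_post)
  local revoked = false
  if cfg.revoke_on_deny then
    local ok, _, code = pcall(http_post, REVOKE_URL, "token=" .. form_encode(access_token))
    revoked = ok and code == 200
  end
  return 401, revoked
end

-- Constructed demo: a fake transport records calls so this runs offline.
local calls = {}
local function fake_post(url, body) calls[#calls + 1] = body; return "", 200 end
local cfg = { whitelist = "alice@example.com", revoke_on_deny = true }
local allowed, why = authorize("mallory@example.com", cfg)
assert(not allowed and why == "not in whitelist")
local status, revoked = deny("ya29.constructed/token", cfg, fake_post)
assert(status == 401 and revoked and calls[1] == "token=ya29.constructed%2Ftoken")
status, revoked = deny("t", cfg, function() error("network down") end)
assert(status == 401 and not revoked)
```

In the nginx script, `http_post` would be `https.request` from `ssl.https`, and the returned status would be passed to `ngx.exit`.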
awestendorf commented
That sounds reasonable. Can you put that into a PR?
ivan1986 commented
@awestendorf hmmm
ping?
awestendorf commented
Apologies, I forgot all about this. I'll try to test it soon.