agoragames/nginx-google-oauth

Revoke token on wrong auth

ivan1986 opened this issue · 4 comments

If you log in with an email that does not have access, you cannot re-login with another one.
If I add, in `-- If no whitelist or blacklist, match on domain`,

```lua
https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)
```

before `return 401`, all is OK.

Maybe add an option?

```lua
-- email, oauth_domain, domain, whitelist, blacklist, debug, access_token
-- and the `https` module (ssl.https) come from the surrounding access.lua.
-- Each denial branch revokes the Google token before returning 401, so the
-- user can log in again with a different account.

-- If no whitelist or blacklist, match on domain
if not whitelist and not blacklist and domain then
  if oauth_domain ~= domain then
    if debug then
      ngx.log(ngx.ERR, "DEBUG: "..email.." not in "..domain)
    end

    https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)

    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end
end

-- whitelist/blacklist are space-separated email lists; the padding spaces
-- make the match exact. The trailing `1, true` makes string.find a plain
-- substring search, so "." and "+" in an email are not treated as Lua
-- pattern characters.
if whitelist then
  if not string.find(" " .. whitelist .. " ", " " .. email .. " ", 1, true) then
    if debug then
      ngx.log(ngx.ERR, "DEBUG: "..email.." not in whitelist")
    end

    https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)

    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end
end

if blacklist then
  if string.find(" " .. blacklist .. " ", " " .. email .. " ", 1, true) then
    if debug then
      ngx.log(ngx.ERR, "DEBUG: "..email.." in blacklist")
    end

    https.request("https://accounts.google.com/o/oauth2/revoke","token="..access_token)

    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end
end
```
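The same revoke-on-deny behaviour with a single deny path, as an added example that is not part of the original post or of nginx-google-oauth's own code. It assumes the access.lua variables the post relies on (`email`, `oauth_domain`, `domain`, `whitelist`, `blacklist`, `debug`, `access_token`) and LuaSocket/LuaSec's `ssl.https`, whose simple `request(url, body)` form returns the response body and HTTP status code; the `revoke_token`, `deny` and `in_list` helper names are the example's own.

```lua
-- Added example (not the project's code). Assumes access.lua's
-- email, oauth_domain, domain, whitelist, blacklist, debug, access_token.
local https = require("ssl.https")

-- Revoke the Google access token so a denied user can sign in again with
-- another account. Returns true on HTTP 200; a failure is logged but never
-- changes the 401 decision (revocation is best effort).
local function revoke_token(token)
  local resp, code = https.request(
    "https://accounts.google.com/o/oauth2/revoke",
    "token=" .. token)
  if code ~= 200 then
    ngx.log(ngx.ERR, "token revoke failed: HTTP " .. tostring(code))
    return false
  end
  return true
end

-- One deny path: log the reason (when debug), revoke, then return 401.
local function deny(reason)
  if debug then
    ngx.log(ngx.ERR, "DEBUG: " .. email .. " " .. reason)
  end
  if access_token then
    revoke_token(access_token)
  end
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- Exact membership test in a space-separated list. The `1, true` arguments
-- make string.find a plain search, so "." and "+" in an email are not
-- interpreted as Lua pattern characters.
local function in_list(list, item)
  return string.find(" " .. list .. " ", " " .. item .. " ", 1, true) ~= nil
end

-- If no whitelist or blacklist, match on domain
if not whitelist and not blacklist and domain then
  if oauth_domain ~= domain then
    return deny("not in " .. domain)
  end
end

if whitelist and not in_list(whitelist, email) then
  return deny("not in whitelist")
end

if blacklist and in_list(blacklist, email) then
  return deny("in blacklist")
end
```

Two caveats a deployer should know: the LuaSocket call is synchronous and blocks the nginx worker for the round trip to Google, so under load a cosocket-based client such as lua-resty-http is preferable; and Google's revoke endpoint invalidates the whole grant (a refresh token tied to the access token is revoked too), which is exactly what is wanted here since the denied account should not keep a usable session.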

That sounds reasonable. Can you put that into a PR?

@awestendorf hmmm
ping?

Apologies, I forgot all about this. I'll try to test it soon.