Cannot reduce scope on refresh token
Syafiqq opened this issue · 4 comments
Syafiqq commented
When I try to refresh a token with a reduced scope, the generated token still has the same scope as the old one.
Steps to reproduce
- You can review this test
- You can compare Lumen-Passport with Laravel-Passport. Just clone it, configure .env, run cmds/recreate-db.sh, and run the test.
- Here is the example test result using Lumen. All tests passed when using Laravel with Passport.
dusterio commented
@Syafiqq I think it's a known "feature" of Laravel Passport. If the same user/subject had access tokens before - the new access token will have the same scopes. Therefore, when changing privileges/scopes for a user, you have to purge old tokens from the database.
Syafiqq commented
Oh, I never thought of that. Thank you for the explanation.
Syafiqq commented
Just curious, how do I do that?
Syafiqq commented
Oh, I just figured out that the Lumen test needs to call $this->refreshApplication(); in order to differentiate between requests. If I don't call that function, the incoming request always holds the previous request's parameters.
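A test shaped around the fix described in the last comment, added here as an example and not taken from the thread or from either project. It assumes a Lumen app whose token route is /oauth/token, a persistent (not in-memory) test database, scopes named read and write, a JWT access token carrying a scopes claim, and placeholder client and user credentials.

```php
<?php
// Added example (not from the issue). All credentials and scope names are placeholders.
class RefreshScopeTest extends TestCase
{
    /** POST to the token endpoint on a freshly built application. */
    private function tokenRequest(array $params): array
    {
        // Rebuild the app so this request does not carry over the previous
        // request's parameters, as described in the final comment.
        $this->refreshApplication();
        $this->post('/oauth/token', $params + [
            'client_id'     => 'CLIENT_ID_PLACEHOLDER',
            'client_secret' => 'CLIENT_SECRET_PLACEHOLDER',
        ]);
        $this->seeStatusCode(200);
        return json_decode($this->response->getContent(), true);
    }

    /** Read the scopes claim from the JWT payload (no signature check; test use only). */
    private function scopesOf(string $jwt): array
    {
        $payload = explode('.', $jwt)[1];
        $claims  = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
        $scopes  = $claims['scopes'] ?? [];
        sort($scopes);
        return $scopes;
    }

    public function testRefreshWithReducedScopeNarrowsTheToken(): void
    {
        $first = $this->tokenRequest([
            'grant_type' => 'password',
            'username'   => 'user@example.test',   // placeholder test user
            'password'   => 'PASSWORD_PLACEHOLDER',
            'scope'      => 'read write',
        ]);
        $this->assertSame(['read', 'write'], $this->scopesOf($first['access_token']));

        $second = $this->tokenRequest([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $first['refresh_token'],
            'scope'         => 'read',             // ask for a subset only
        ]);
        // The refreshed token must carry only the reduced scope.
        $this->assertSame(['read'], $this->scopesOf($second['access_token']));
        $this->assertNotSame($first['access_token'], $second['access_token']);
    }
}
```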