Unit tests for token revocation

2020-08-25 11:39:06 +02:00 · 2020-08-25 11:39:06 +02:00 · 56448cbf19
commit 56448cbf19
parent 3ebddf4817
3 changed files with 8 additions and 6 deletions
--- a/tests/test_authorization_code_flow.py
+++ b/tests/test_authorization_code_flow.py
@ -138,8 +138,9 @@ def test_refresh_token(testclient, slapd_connection, logged_user, client):
    )
    assert 200 == res.status_code
    access_token = res.json["access_token"]
-    token = Token.get(access_token, conn=slapd_connection)
-    assert token is not None
+    old_token = Token.get(access_token, conn=slapd_connection)
+    assert old_token is not None
+    assert not old_token.revoked

    res = testclient.post(
        "/oauth/token",
@ -150,8 +151,10 @@ def test_refresh_token(testclient, slapd_connection, logged_user, client):
    )
    assert 200 == res.status_code
    access_token = res.json["access_token"]
-    token = Token.get(access_token, conn=slapd_connection)
-    assert token is not None
+    new_token = Token.get(access_token, conn=slapd_connection)
+    assert new_token is not None
+    old_token.reload(slapd_connection)
+    assert old_token.revoked

    res = testclient.get("/api/me", headers={"Authorization": f"Bearer {access_token}"})
    assert 200 == res.status_code
--- a/web/models.py
+++ b/web/models.py
@ -1,5 +1,4 @@
 import ldap
-import time
 import datetime
 from authlib.common.encoding import json_loads, json_dumps
 from authlib.oauth2.rfc6749 import (
--- a/web/oauth2utils.py
+++ b/web/oauth2utils.py
@ -135,7 +135,7 @@ class RefreshTokenGrant(_RefreshTokenGrant):
        return User.get(credential.oauthSubject)

    def revoke_old_credential(self, credential):
-        credential.revoke = True
+        credential.revoked = True
        credential.save()