Fix: only include valid or refreshable access token in find_active_ac…

…cess_token (#289)
zaikio · Aug 3, 2022 · 4dd86fe · 4dd86fe
1 parent bc94993
commit 4dd86fe
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+* Fix: only include valid or refreshable access token in `find_active_access_token`
+
 ## 0.19.2 - 2022-08-03
 
 * Fix `logged_in_as` to return access token ID

diff --git a/lib/zaikio/oauth_client.rb b/lib/zaikio/oauth_client.rb
@@ -80,15 +80,17 @@ def get_access_token(bearer_id:, client_name: nil, bearer_type: "Person", scopes
 
       # This method can be used to find an active access token by id.
       # It might refresh the access token to get an active one.
-      def find_active_access_token(id)
+      def find_active_access_token(id, valid_for: 30.seconds)
         return unless id
 
         if Rails.env.test?
           access_token = TestHelper.find_active_access_token(id)
           return access_token if access_token
         end
 
-        access_token = Zaikio::AccessToken.find_by(id: id)
+        access_token = Zaikio::AccessToken.valid(valid_for.from_now).or(
+          Zaikio::AccessToken.valid_refresh(valid_for.from_now)
+        ).find_by(id: id)
         access_token = access_token.refresh! if access_token&.expired?
 
         access_token

diff --git a/test/zaikio/oauth_client_test.rb b/test/zaikio/oauth_client_test.rb
@@ -460,4 +460,20 @@ def setup
     assert_equal "refreshed", refreshed_token.token
     assert_equal "refresh_of_refreshed", refreshed_token.refresh_token
   end
+
+  test "#find_active_user does not return invalid tokens" do
+    access_token = Zaikio::AccessToken.create!(
+      bearer_type: "Organization",
+      bearer_id: "123",
+      audience: "warehouse",
+      token: "abc",
+      refresh_token: "def",
+      expires_at: 1.hour.ago,
+      scopes: %w[directory.organization.r directory.something.r],
+      requested_scopes: %w[directory.organization.r directory.something.r]
+    )
+    Zaikio::JWTAuth.stubs(:revoked_token_ids).returns([access_token.id])
+
+    assert_nil Zaikio::OAuthClient.find_active_access_token(access_token.id)
+  end
 end