fix: prevent refreshing tokens that don't exist (coder#4661)
- When logging in with Google OIDC, refresh tokens are not provided unless explicitly requested. This PR updates the logic to skip the token refresh when no refresh token exists. A session should depend only on a valid Coder API key; the state of its OAuth token (beyond initial authentication) should be irrelevant.
1 parent 49787a4 commit d0b1c36


2 files changed

+5
-4
lines changed


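--- a/coderd/httpmw/apikey.go
+++ b/coderd/httpmw/apikey.go
@@ -203,7 +203,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 return
 }
 // Check if the OAuth token is expired
-if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() {
+if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {
 var oauthConfig OAuth2Config
 switch key.LoginType {
 case database.LoginTypeGithub: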
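Review bot: The new `link.OAuthRefreshToken != ""` guard on line 206 makes an expired OAuth token silently acceptable whenever no refresh token was stored, which is the intent stated in the commit message but is nowhere stated in the code, so a future reader is likely to "fix" it back. I would replace the one-line comment above it with `// Refresh only when the provider issued a refresh token (Google OIDC omits one unless explicitly requested). Without one the session relies solely on the Coder API key's own expiry; the OAuth token's state is deliberately ignored.` When the refresh is skipped the stale OAuthAccessToken stays on the link, so anything downstream that reuses it (not visible in this hunk) has to tolerate an expired token. ExtractAPIKey begins and ends outside the hunk.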

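--- a/coderd/httpmw/apikey_test.go
+++ b/coderd/httpmw/apikey_test.go
@@ -468,9 +468,10 @@ func TestAPIKey(t *testing.T) {
 })
 require.NoError(t, err)
 _, err = db.InsertUserLink(r.Context(), database.InsertUserLinkParams{
-UserID: user.ID,
-LoginType: database.LoginTypeGithub,
-OAuthExpiry: database.Now().AddDate(0, 0, -1),
+UserID: user.ID,
+LoginType: database.LoginTypeGithub,
+OAuthExpiry: database.Now().AddDate(0, 0, -1),
+OAuthRefreshToken: "hello",
 })
 require.NoError(t, err)
 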
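Review bot: Adding `OAuthRefreshToken: "hello"` keeps the existing expired-token subtest on the refresh path, but nothing in this change exercises the new branch: a link whose OAuthExpiry is in the past and whose OAuthRefreshToken is empty should now pass the middleware without any refresh attempt. I would add a sibling subtest that inserts the same link without the OAuthRefreshToken field and asserts the request is accepted (presumably the same success status the surrounding subtests check; the subtest's setup and assertions lie outside the hunk). Without that case a regression to the old behaviour, where such a session was rejected or refresh was attempted with an empty token, would go unnoticed by the suite.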