[#3112] Allowed revoking same-user token from any apps. Added tests.

2020-11-30 21:55:48 +03:00 · 2020-11-30 21:55:48 +03:00 · d50a3345ae
commit d50a3345ae
parent 50e47a215f
3 changed files with 39 additions and 4 deletions
--- a/lib/pleroma/web/masto_fe_controller.ex
+++ b/lib/pleroma/web/masto_fe_controller.ex
@ -6,8 +6,8 @@ defmodule Pleroma.Web.MastoFEController do
  use Pleroma.Web, :controller

  alias Pleroma.User
-  alias Pleroma.Web.OAuth.Token
  alias Pleroma.Web.MastodonAPI.AuthController
+  alias Pleroma.Web.OAuth.Token
  alias Pleroma.Web.Plugs.EnsurePublicOrAuthenticatedPlug
  alias Pleroma.Web.Plugs.OAuthScopesPlug

--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@ -379,9 +379,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
    render_invalid_credentials_error(conn)
  end

-  def token_revoke(%Plug.Conn{} = conn, %{"token" => _token} = params) do
-    with {:ok, app} <- Token.Utils.fetch_app(conn),
-         {:ok, %Token{} = oauth_token} <- RevokeToken.revoke(app, params) do
+  def token_revoke(%Plug.Conn{} = conn, %{"token" => token}) do
+    with {:ok, %Token{} = oauth_token} <- Token.get_by_token(token),
+         {:ok, oauth_token} <- RevokeToken.revoke(oauth_token) do
      conn =
        with session_token = AuthHelper.get_session_token(conn),
             %Token{token: ^session_token} <- oauth_token do