feat(introspection): return correct active status for expired or revoked tokens (#3716)

This commit is contained in:
Gabriel Brecci 2025-04-08 15:00:30 -03:00 committed by GitHub
parent c11f013e04
commit 77ef5828dd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -321,6 +321,11 @@ func (c *ApiController) IntrospectToken() {
return return
} }
respondWithInactiveToken := func() {
c.Data["json"] = &object.IntrospectionResponse{Active: false}
c.ServeJSON()
}
tokenTypeHint := c.Input().Get("token_type_hint") tokenTypeHint := c.Input().Get("token_type_hint")
var token *object.Token var token *object.Token
if tokenTypeHint != "" { if tokenTypeHint != "" {
@ -329,9 +334,8 @@ func (c *ApiController) IntrospectToken() {
c.ResponseTokenError(err.Error()) c.ResponseTokenError(err.Error())
return return
} }
if token == nil { if token == nil || token.ExpiresIn <= 0 {
c.Data["json"] = &object.IntrospectionResponse{Active: false} respondWithInactiveToken()
c.ServeJSON()
return return
} }
@ -350,8 +354,7 @@ func (c *ApiController) IntrospectToken() {
// and token revoked case. but we not implement // and token revoked case. but we not implement
// TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs. // TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs.
// refs: https://tools.ietf.org/html/rfc7009 // refs: https://tools.ietf.org/html/rfc7009
c.Data["json"] = &object.IntrospectionResponse{Active: false} respondWithInactiveToken()
c.ServeJSON()
return return
} }
@ -375,8 +378,7 @@ func (c *ApiController) IntrospectToken() {
// and token revoked case. but we not implement // and token revoked case. but we not implement
// TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs. // TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs.
// refs: https://tools.ietf.org/html/rfc7009 // refs: https://tools.ietf.org/html/rfc7009
c.Data["json"] = &object.IntrospectionResponse{Active: false} respondWithInactiveToken()
c.ServeJSON()
return return
} }
@ -402,13 +404,15 @@ func (c *ApiController) IntrospectToken() {
c.ResponseTokenError(err.Error()) c.ResponseTokenError(err.Error())
return return
} }
if token == nil { if token == nil || token.ExpiresIn <= 0 {
c.Data["json"] = &object.IntrospectionResponse{Active: false} respondWithInactiveToken()
c.ServeJSON()
return return
} }
} }
introspectionResponse.TokenType = token.TokenType
if token != nil {
introspectionResponse.TokenType = token.TokenType
}
c.Data["json"] = introspectionResponse c.Data["json"] = introspectionResponse
c.ServeJSON() c.ServeJSON()
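Review bot: The new guard `token == nil || token.ExpiresIn <= 0` (both lookup branches) only detects expiry if `ExpiresIn` is a remaining-lifetime value that something decrements or zeroes; if, as the name suggests, it is the lifetime recorded at issuance, the check catches only tokens explicitly zeroed by a revocation path and never wall-clock expiry, which would need the issue time plus `ExpiresIn` compared against `time.Now()` — please confirm the field's semantics and, if needed, add that comparison next to the `ExpiresIn` test. Independently, the two retained TODO comments ("add token revoked check, when we implemented the Token Revocation(rfc7009) Specs") are now misleading given the commit title claims revoked tokens are handled; either drop them or rewrite as `// Revoked tokens are detected above via ExpiresIn <= 0; see RFC 7009.` so the next reader does not re-implement the check. In the `token_type_hint` branch the new code returns inactive as soon as the hinted lookup misses, whereas RFC 7662 §2.1 requires falling back to a search across all token types when the hint does not match — worth a look if the lookup call (not visible here) is strictly hint-scoped. The `if token != nil` around `TokenType` appears unreachable as nil, since both paths above return on nil, so a short comment explaining why it is kept would help. IntrospectToken begins before the first hunk and its closing brace lies after the last visible line.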