Merge pull request #1186 from laravel/revoke-refresh-tokens

[8.x] Revoke refresh tokens as well

Author: taylorotwell

src/Http/Controllers/AuthorizedAccessTokenController.php

@@ -4,6 +4,7 @@
 
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
+use Laravel\Passport\RefreshTokenRepository;
 use Laravel\Passport\TokenRepository;
 
 class AuthorizedAccessTokenController
@@ -15,15 +16,24 @@ class AuthorizedAccessTokenController
      */
     protected $tokenRepository;
 
+    /**
+     * The refresh token repository implementation.
+     *
+     * @var \Laravel\Passport\RefreshTokenRepository
+     */
+    protected $refreshTokenRepository;
+
     /**
      * Create a new controller instance.
      *
      * @param  \Laravel\Passport\TokenRepository  $tokenRepository
+     * @param  \Laravel\Passport\RefreshTokenRepository  $refreshTokenRepository
      * @return void
      */
-    public function __construct(TokenRepository $tokenRepository)
+    public function __construct(TokenRepository $tokenRepository, RefreshTokenRepository $refreshTokenRepository)
     {
         $this->tokenRepository = $tokenRepository;
+        $this->refreshTokenRepository = $refreshTokenRepository;
     }
 
     /**
@@ -60,6 +70,8 @@ public function destroy(Request $request, $tokenId)
 
         $token->revoke();
 
+        $this->refreshTokenRepository->revokeRefreshTokensByAccessTokenId($tokenId);
+
         return new Response('', Response::HTTP_NO_CONTENT);
     }
 }

src/RefreshTokenRepository.php

@@ -48,6 +48,17 @@ public function revokeRefreshToken($id)
         return Passport::refreshToken()->where('id', $id)->update(['revoked' => true]);
     }
 
+    /**
+     * Revokes refresh tokens by access token id.
+     *
+     * @param  string  $tokenId
+     * @return void
+     */
+    public function revokeRefreshTokensByAccessTokenId($tokenId)
+    {
+        Passport::refreshToken()->where('access_token_id', $tokenId)->update(['revoked' => true]);
+    }
+
     /**
      * Checks if the refresh token has been revoked.
      *

tests/AuthorizedAccessTokenControllerTest.php

@@ -5,6 +5,7 @@
 use Illuminate\Http\Request;
 use Laravel\Passport\Client;
 use Laravel\Passport\Http\Controllers\AuthorizedAccessTokenController;
+use Laravel\Passport\RefreshTokenRepository;
 use Laravel\Passport\Token;
 use Laravel\Passport\TokenRepository;
 use Mockery as m;
@@ -18,6 +19,11 @@ class AuthorizedAccessTokenControllerTest extends TestCase
      */
     protected $tokenRepository;
 
+    /**
+     * @var \Mockery\Mock|\Laravel\Passport\RefreshTokenRepository
+     */
+    protected $refreshTokenRepository;
+
     /**
      * @var AuthorizedAccessTokenController
      */
@@ -26,7 +32,8 @@ class AuthorizedAccessTokenControllerTest extends TestCase
     protected function setUp(): void
     {
         $this->tokenRepository = m::mock(TokenRepository::class);
-        $this->controller = new AuthorizedAccessTokenController($this->tokenRepository);
+        $this->refreshTokenRepository = m::mock(RefreshTokenRepository::class);
+        $this->controller = new AuthorizedAccessTokenController($this->tokenRepository, $this->refreshTokenRepository);
     }
 
     protected function tearDown(): void
@@ -78,6 +85,7 @@ public function test_tokens_can_be_deleted()
         $token1->shouldReceive('revoke')->once();
 
         $this->tokenRepository->shouldReceive('findForUser')->andReturn($token1);
+        $this->refreshTokenRepository->shouldReceive('revokeRefreshTokensByAccessTokenId')->once();
 
         $request->setUserResolver(function () {
             $user = m::mock();