From bb0752a72692d03b61f1719dca2a7cdc2b3052cc Mon Sep 17 00:00:00 2001 From: Aaron Parecki Date: Sun, 10 Jun 2018 13:09:40 -0700 Subject: [PATCH] add support for token revocation --- controllers/auth.php | 4 +++- lib/helpers.php | 11 +++++++++++ views/settings.php | 2 +- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/controllers/auth.php b/controllers/auth.php index d90652b..f6d357e 100644 --- a/controllers/auth.php +++ b/controllers/auth.php @@ -278,6 +278,8 @@ $app->get('/signout', function() use($app) { $app->post('/auth/reset', function() use($app) { if($user=require_login($app, false)) { + revoke_micropub_token($user->micropub_access_token, $user->token_endpoint); + $user->authorization_endpoint = ''; $user->token_endpoint = ''; $user->micropub_endpoint = ''; @@ -286,7 +288,7 @@ $app->post('/auth/reset', function() use($app) { $user->micropub_scope = ''; $user->micropub_access_token = ''; $user->save(); - + unset($_SESSION['auth']); unset($_SESSION['me']); unset($_SESSION['auth_state']); diff --git a/lib/helpers.php b/lib/helpers.php index a3d289d..bfcdf63 100644 --- a/lib/helpers.php +++ b/lib/helpers.php @@ -223,6 +223,17 @@ function micropub_get($endpoint, $params, $access_token) { ); } +function revoke_micropub_token($access_token, $token_endpoint) { + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL, $token_endpoint); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([ + 'action' => 'revoke', + 'token' => $access_token, + ])); + curl_exec($ch); +} + function parse_headers($headers) { $retVal = array(); $fields = explode("\r\n", preg_replace('/\x0D\x0A[\x09\x20]+/', ' ', $headers)); diff --git a/views/settings.php b/views/settings.php index 537418c..6b69bc2 100644 --- a/views/settings.php +++ b/views/settings.php 
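Review bot: The new `revoke_micropub_token($user->micropub_access_token, $user->token_endpoint);` call in the `/auth/reset` handler runs for every logged-in user, including one whose `token_endpoint` or `micropub_access_token` is already empty — the lines right below it clear exactly those fields, so a second reset (or, presumably, a sign-in that never reached the token step) would POST a revoke request to an empty URL. Guard it at the call site: `if($user->token_endpoint && $user->micropub_access_token) { revoke_micropub_token($user->micropub_access_token, $user->token_endpoint); }`. Placing the call before the fields are wiped is the right order, since both values are needed to build the request. The `/auth/reset` closure begins in this hunk but ends outside it.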
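Review bot: `revoke_micropub_token` performs a server-side POST to a URL taken from the user's stored `token_endpoint` with no timeout, no protocol restriction and no look at the outcome — `curl_exec($ch)` is called and its return value, the HTTP status and the handle are all discarded. A slow or unreachable token endpoint therefore stalls the whole sign-out request for as long as PHP's default cURL settings allow, and a stored endpoint using a non-HTTP scheme would be handed to cURL unchanged. Since that URL is discovered from the user's site rather than configured by the operator, I would pin `CURLOPT_PROTOCOLS` to HTTP/HTTPS, set connect and total timeouts, close the handle, and return whether the endpoint answered 2xx so a caller can at least log a failed revocation (the call site in this commit ignores the result, so the change is backward-compatible). No redirect-following option is set here, so redirects are not followed, which is the right default for a revocation call; whether `micropub_get` above sets one is not visible in the hunk.
```php
function revoke_micropub_token($access_token, $token_endpoint) {
  // Best-effort: the caller discards the token locally whatever happens here,
  // so this only reports whether the endpoint acknowledged the revocation.
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $token_endpoint);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  // The endpoint URL comes from the user's site, not operator config:
  // restrict the scheme and bound how long a sign-out can be held up.
  curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
  curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
  curl_setopt($ch, CURLOPT_TIMEOUT, 10);
  // … unchanged: CURLOPT_POSTFIELDS with action=revoke and the token …
  $response = curl_exec($ch);
  $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  curl_close($ch);
  return $response !== false && $status >= 200 && $status < 300;
}
```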
@@ -29,7 +29,7 @@ - Clicking this button will erase the access token Quill has stored for you, forget all cached endpoints, and sign you out. If you sign back in, you will start over and see the debugging screens and scope options again. + Clicking this button will tell your token endpoint to revoke the token, Quill will forget the access token stored, forget all cached endpoints, and sign you out. If you sign back in, you will start over and see the debugging screens and scope options again.
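Review bot: The new sentence states more than the page can confirm — "will tell your token endpoint to revoke the token" reads as a guarantee, yet nothing in this commit surfaces whether the revoke request succeeded, and the sentence also runs three clauses together with a comma splice. I would word it as `Clicking this button will ask your token endpoint to revoke the token, then Quill will forget the stored access token and all cached endpoints and sign you out.` so a user whose endpoint was unreachable is not told the token is gone.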