From d50a3345ae7873f8a8744eba8a3eb755e2b8dfdc Mon Sep 17 00:00:00 2001
From: Ivan Tashkinov <ivantashkinov@gmail.com>
Date: Mon, 30 Nov 2020 21:55:48 +0300
Subject: [PATCH] [#3112] Allowed revoking same-user token from any apps. Added
 tests.

---
 lib/pleroma/web/masto_fe_controller.ex        |  2 +-
 lib/pleroma/web/o_auth/o_auth_controller.ex   |  6 ++--
 .../web/o_auth/o_auth_controller_test.exs     | 35 +++++++++++++++++++
 3 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/lib/pleroma/web/masto_fe_controller.ex b/lib/pleroma/web/masto_fe_controller.ex
index 7011ae214..20279ff45 100644
--- a/lib/pleroma/web/masto_fe_controller.ex
+++ b/lib/pleroma/web/masto_fe_controller.ex
@@ -6,8 +6,8 @@ defmodule Pleroma.Web.MastoFEController do
   use Pleroma.Web, :controller
 
   alias Pleroma.User
-  alias Pleroma.Web.OAuth.Token
   alias Pleroma.Web.MastodonAPI.AuthController
+  alias Pleroma.Web.OAuth.Token
   alias Pleroma.Web.Plugs.EnsurePublicOrAuthenticatedPlug
   alias Pleroma.Web.Plugs.OAuthScopesPlug
 
diff --git a/lib/pleroma/web/o_auth/o_auth_controller.ex b/lib/pleroma/web/o_auth/o_auth_controller.ex
index 965c0f879..6e3c7e1a1 100644
--- a/lib/pleroma/web/o_auth/o_auth_controller.ex
+++ b/lib/pleroma/web/o_auth/o_auth_controller.ex
@@ -379,9 +379,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     render_invalid_credentials_error(conn)
   end
 
-  def token_revoke(%Plug.Conn{} = conn, %{"token" => _token} = params) do
-    with {:ok, app} <- Token.Utils.fetch_app(conn),
-         {:ok, %Token{} = oauth_token} <- RevokeToken.revoke(app, params) do
+  def token_revoke(%Plug.Conn{} = conn, %{"token" => token}) do
+    with {:ok, %Token{} = oauth_token} <- Token.get_by_token(token),
+         {:ok, oauth_token} <- RevokeToken.revoke(oauth_token) do
       conn =
         with session_token = AuthHelper.get_session_token(conn),
              %Token{token: ^session_token} <- oauth_token do
diff --git a/test/pleroma/web/o_auth/o_auth_controller_test.exs b/test/pleroma/web/o_auth/o_auth_controller_test.exs
index b7fe5785f..3221af223 100644
--- a/test/pleroma/web/o_auth/o_auth_controller_test.exs
+++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs
@@ -1257,6 +1257,41 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
   end
 
   describe "POST /oauth/revoke" do
+    test "when authenticated with request token, revokes it and clears it from session" do
+      oauth_token = insert(:oauth_token)
+
+      conn =
+        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session()
+        |> AuthHelper.put_session_token(oauth_token.token)
+        |> post("/oauth/revoke", %{"token" => oauth_token.token})
+
+      assert json_response(conn, 200)
+
+      refute AuthHelper.get_session_token(conn)
+      assert Token.get_by_token(oauth_token.token) == {:error, :not_found}
+    end
+
+    test "if request is authenticated with a different token, " <>
+           "revokes requested token but keeps session token" do
+      user = insert(:user)
+      oauth_token = insert(:oauth_token, user: user)
+      other_app_oauth_token = insert(:oauth_token, user: user)
+
+      conn =
+        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session()
+        |> AuthHelper.put_session_token(oauth_token.token)
+        |> post("/oauth/revoke", %{"token" => other_app_oauth_token.token})
+
+      assert json_response(conn, 200)
+
+      assert AuthHelper.get_session_token(conn) == oauth_token.token
+      assert Token.get_by_token(other_app_oauth_token.token) == {:error, :not_found}
+    end
+
     test "returns 500 on bad request" do
       response =
         build_conn()