revoke-handler: revoke accessToken

- revoke accessToken implementation
- The token being revoked must belong to the requesting client
- invalid tokens do not cause an error response

Author: visvk

lib/handlers/revoke-handler.js

@@ -6,6 +6,7 @@
 
 var InvalidArgumentError = require('../errors/invalid-argument-error');
 var InvalidClientError = require('../errors/invalid-client-error');
+var InvalidTokenError = require('../errors/invalid-token-error');
 var InvalidRequestError = require('../errors/invalid-request-error');
 var OAuthError = require('../errors/oauth-error');
 var Promise = require('bluebird');
@@ -34,6 +35,10 @@ function RevokeHandler(options) {
     throw new InvalidArgumentError('Invalid argument: model does not implement `getRefreshToken()`');
   }
 
+  if (!options.model.getAccessToken) {
+    throw new InvalidArgumentError('Invalid argument: model does not implement `getAccessToken()`');
+  }
+
   if (!options.model.revokeToken) {
     throw new InvalidArgumentError('Invalid argument: model does not implement `revokeToken()`');
   }
@@ -66,40 +71,57 @@ RevokeHandler.prototype.handle = function(request, response) {
     .then(function() {
       return this.getClient(request, response);
     })
-    .then(function(client){
+    .then(function(client) {
       return this.handleRevokeToken(request, client);
     })
-    .then(function(){
+    .catch(function(e) {
+      if (!(e instanceof OAuthError)) {
+        e = new ServerError(e);
+      }
       /**
        * All necessary information is conveyed in the response code.
        *
-       * @see https://tools.ietf.org/html/rfc7009#section-2.1
+       * Note: invalid tokens do not cause an error response since the client
+       * cannot handle such an error in a reasonable way.  Moreover, the
+       * purpose of the revocation request, invalidating the particular token,
+       * is already achieved.
+       * @see https://tools.ietf.org/html/rfc7009#section-2.2
        */
-      return {};
-    })
-    .catch(function(e) {
-      if (!(e instanceof OAuthError)) {
-        e = new ServerError(e);
+      if (!(e instanceof InvalidTokenError)) {
+        this.updateErrorResponse(response, e);
       }
 
-      this.updateErrorResponse(response, e);
-
       throw e;
     });
 };
 
 /**
- * Handle revoke token
+ * Revoke a refresh or access token.
+ *
+ * Handle the revoking of refresh tokens, and access tokens if supported / desirable
+ * RFC7009 specifies that "If the server is unable to locate the token using
+ * the given hint, it MUST extend its search across all of its supported token types"
  */
 
 RevokeHandler.prototype.handleRevokeToken = function(request, client) {
   return Promise.bind(this)
     .then(function() {
       return this.getTokenFromRequest(request);
-    }).then(function (token){
-      return this.getRefreshToken(token, client);
-    }).tap(function (token) {
-      return this.revokeToken(token);
+    })
+    .then(function(token) {
+      return Promise.any([
+          this.getAccessToken(token, client),
+          this.getRefreshToken(token, client)
+        ])
+        .catch(Promise.AggregateError, function(err) {
+          err.forEach(function(e) {
+            throw e;
+          });
+        })
+        .bind(this)
+        .tap(function(token) {
+          return this.revokeToken(token);
+        });
     });
 };
 
@@ -196,17 +218,15 @@ RevokeHandler.prototype.getTokenFromRequest = function(request) {
   return bodyToken;
 };
 
-
 /**
  * Get refresh token.
  */
 
 RevokeHandler.prototype.getRefreshToken = function(token, client) {
-
   return Promise.try(this.model.getRefreshToken, token)
     .then(function(token) {
       if (!token) {
-        throw new InvalidRequestError('Invalid request: refresh token is invalid');
+        throw new InvalidTokenError('Invalid token: refresh token is invalid');
       }
 
       if (!token.client) {
@@ -218,31 +238,67 @@ RevokeHandler.prototype.getRefreshToken = function(token, client) {
       }
 
       if (token.client.id !== client.id) {
-        throw new InvalidRequestError('Invalid request: refresh token is invalid');
+        throw new InvalidTokenError('Invalid token: refresh token client is invalid');
       }
 
       if (token.refreshTokenExpiresAt && !(token.refreshTokenExpiresAt instanceof Date)) {
         throw new ServerError('Server error: `refreshTokenExpiresAt` must be a Date instance');
       }
 
       if (token.refreshTokenExpiresAt && token.refreshTokenExpiresAt < new Date()) {
-        throw new InvalidRequestError('Invalid request: refresh token has expired');
+        throw new InvalidTokenError('Invalid token: refresh token has expired');
       }
 
       return token;
     });
 };
 
 /**
- * Revoke the refresh token.
+ * Get the access token from the model.
+ */
+
+RevokeHandler.prototype.getAccessToken = function(token, client) {
+  return Promise.try(this.model.getAccessToken, token)
+    .then(function(accessToken) {
+      if (!accessToken) {
+        throw new InvalidTokenError('Invalid token: access token is invalid');
+      }
+
+      if (!accessToken.client) {
+        throw new ServerError('Server error: `getAccessToken()` did not return a `client` object');
+      }
+
+      if (!accessToken.user) {
+        throw new ServerError('Server error: `getAccessToken()` did not return a `user` object');
+      }
+
+      if (accessToken.client.id !== client.id) {
+        throw new InvalidTokenError('Invalid token: access token is invalid');
+      }
+
+      if (accessToken.accessTokenExpiresAt && !(accessToken.accessTokenExpiresAt instanceof Date)) {
+        throw new ServerError('Server error: `expires` must be a Date instance');
+      }
+
+      if (accessToken.accessTokenExpiresAt && accessToken.accessTokenExpiresAt < new Date()) {
+        throw new InvalidTokenError('Invalid token: access token has expired.');
+      }
+
+      return accessToken;
+    });
+};
+
+/**
+ * Revoke the token.
  *
+ * @see https://tools.ietf.org/html/rfc6749#section-6
  */
 
 RevokeHandler.prototype.revokeToken = function(token) {
   return Promise.try(this.model.revokeToken, token)
-    .then(function(status) {
-      if (!status) {
-        throw new InvalidRequestError('Invalid request: refresh token is invalid');
+    .then(function(token) {
+      if (!token) {
+        throw new InvalidTokenError('Invalid token: token is invalid');
       }
 
       return token;