
Fix OAuth2 token lingering after revocation

Currently, if an OAuth2 token is revoked (on the backend or via the API), pleroma-fe clients that are unaware of the revocation will retain it until a new authentication is performed. A lingering token can prevent users from calling some APIs, such as account registration.

To reproduce:

  1. Sign into an existing account from two browser sessions
  2. Revoke the token of the other browser session
  3. From the browser whose session was revoked, perform a registration attempt
  4. Sending the revoked `Authorization: Bearer` token always results in 403.

This fix clears the OAuth token when the token verification endpoint returns a definite client error (4xx), but leaves it untouched on server errors (5xx), which may include temporary gateway issues.
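The decision rule described above, as an added illustration in JavaScript (this is not pleroma-fe's own code): a 4xx answer from the verification request drops the stored token, while 5xx answers and network failures keep it for a later retry. The `/api/v1/accounts/verify_credentials` path and the `TokenStore` class are assumptions for the example.

```javascript
// Added example (not pleroma-fe code): decide what to do with a stored OAuth2
// bearer token based on the outcome of the token verification request
// (assumed endpoint: GET /api/v1/accounts/verify_credentials).
// 4xx: the server definitively rejected the token, so it is cleared.
// 5xx or no response at all: possibly transient (gateway issues), so keep it.

const TokenAction = Object.freeze({ KEEP: 'keep', CLEAR: 'clear' });

// Classify a verification HTTP status. A non-numeric status (network
// failure, no response) is treated like a server error: keep the token.
function classifyVerifyStatus(status) {
  if (typeof status !== 'number') return TokenAction.KEEP;
  if (status >= 400 && status < 500) return TokenAction.CLEAR;
  return TokenAction.KEEP; // 2xx, 5xx and anything unexpected
}

// Minimal in-memory stand-in for the client's persisted credentials
// (constructed for this example).
class TokenStore {
  constructor(token) { this.token = token; }
  authorizationHeader() { return this.token ? `Bearer ${this.token}` : undefined; }
  clear() { this.token = null; }
}

// Apply the rule to a verification outcome. `result` is either a response-like
// object ({ status }) or an Error thrown by the transport (no definite answer).
// Returns the action taken so callers can log or react to it.
function handleVerifyResult(store, result) {
  if (!store.token) return TokenAction.KEEP; // nothing to prune
  const status = result instanceof Error ? undefined : result.status;
  const action = classifyVerifyStatus(status);
  if (action === TokenAction.CLEAR) store.clear();
  return action;
}

// Request headers the client would send; shown for completeness.
function verifyRequestHeaders(store) {
  const auth = store.authorizationHeader();
  return auth ? { Authorization: auth } : {};
}
```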

Changes

  • Clear OAuth2 user token on client errors