Skip to content

Adding a refreshtoken does not properly delete old ones #52

New issue
New issue
Open
Open
Adding a refreshtoken does not properly delete old ones#52
@somoreingold

Description

@somoreingold
somoreingold
opened on Jul 18, 2020

First off, thanks for this extremely elegant library!

I found an issue with the included UmbracoDbOAuthRefreshTokenStore. The SQL delete statement below does not take into account optional fields (for example, DeviceId) that may therefore be null parameter values:

umbraco-authu/src/Our.Umbraco.AuthU/Data/UmbracoDbOAuthRefreshTokenStore.cs

Line 16 in 407ce41

scope.Database.Execute("DELETE FROM [OAuthRefreshToken] WHERE [Subject] = @0 AND [UserType] = @1 AND [Realm] = @2 AND [ClientId] = @3 AND [DeviceId] = @4",

In SQL you cannot use the = sign to compare against NULL (you have to use ' ... is NULL'. ). Therefore, if DeviceId was made optional/null coming in, the SQL statement would never find the appropriate row to delete since the statement would evaluate to:

... AND [DeviceId] = NULL

This results in a table that keeps growing. To fix, you could either detect if token.DeviceId is null then simply not add that part of the SQL string. Or I guess you could do something with SqlContext to build the query...not sure what's better. What do you think?

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions