From 0481fccd76e3768fa525b2e3bf688480defce76e Mon Sep 17 00:00:00 2001 From: Eric Chiang Date: Mon, 13 Mar 2017 15:53:28 -0700 Subject: [PATCH] storage/sql: add missing WHERE statement to refresh token update --- storage/conformance/conformance.go | 29 +++++++++++++++++++++++++++++ storage/sql/crud.go | 4 +++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/storage/conformance/conformance.go b/storage/conformance/conformance.go index cd2efebb..7ebd7cf9 100644 --- a/storage/conformance/conformance.go +++ b/storage/conformance/conformance.go @@ -269,6 +269,32 @@ func testRefreshTokenCRUD(t *testing.T, s storage.Storage) { getAndCompare(id, refresh) + id2 := storage.NewID() + refresh2 := storage.RefreshToken{ + ID: id2, + Token: "bar_2", + Nonce: "foo_2", + ClientID: "client_id_2", + ConnectorID: "client_secret", + Scopes: []string{"openid", "email", "profile"}, + CreatedAt: time.Now().UTC().Round(time.Millisecond), + LastUsed: time.Now().UTC().Round(time.Millisecond), + Claims: storage.Claims{ + UserID: "2", + Username: "john", + Email: "john.doe@example.com", + EmailVerified: true, + Groups: []string{"a", "b"}, + }, + ConnectorData: []byte(`{"some":"data"}`), + } + + if err := s.CreateRefresh(refresh2); err != nil { + t.Fatalf("create second refresh token: %v", err) + } + + getAndCompare(id2, refresh2) + updatedAt := time.Now().UTC().Round(time.Millisecond) updater := func(r storage.RefreshToken) (storage.RefreshToken, error) { @@ -283,6 +309,9 @@ func testRefreshTokenCRUD(t *testing.T, s storage.Storage) { refresh.LastUsed = updatedAt getAndCompare(id, refresh) + // Ensure that updating the first token doesn't impact the second. Issue #847. + getAndCompare(id2, refresh2) + if err := s.DeleteRefresh(id); err != nil { t.Fatalf("failed to delete refresh request: %v", err) } diff --git a/storage/sql/crud.go b/storage/sql/crud.go index 8c00dfd7..f8b941d1 100644 --- a/storage/sql/crud.go +++ b/storage/sql/crud.go @@ -299,12 +299,14 @@ func (c *conn) UpdateRefreshToken(id string, updater func(old storage.RefreshTok token = $11, created_at = $12, last_used = $13 + where + id = $14 `, r.ClientID, encoder(r.Scopes), r.Nonce, r.Claims.UserID, r.Claims.Username, r.Claims.Email, r.Claims.EmailVerified, encoder(r.Claims.Groups), r.ConnectorID, r.ConnectorData, - r.Token, r.CreatedAt, r.LastUsed, + r.Token, r.CreatedAt, r.LastUsed, id, ) if err != nil { return fmt.Errorf("update refresh token: %v", err)